Edit tour
Windows
Analysis Report
Set-up.exe
Overview
General Information
| Sample name: | Set-up.exe |
| Analysis ID: | 1520814 |
| MD5: | ff8b81c5bdbb09987a4ed216ae0010c2 |
| SHA1: | 1d5edf417a676e8e04a69dd94dac6a2a934cdfa6 |
| SHA256: | d6a055bee4a39f5879ff522099df86cd0a0001228cac589b3f07449a5a822fef |
| Tags: | Cryptbotexeuser-4k95m |
| Infos: |   |
 | |
Detection
Clipboard Hijacker, Cryptbot
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Clipboard Hijacker
Yara detected Cryptbot
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops large PE files
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
Set-up.exe (PID: 7328 cmdline: "C:\Users\ user\Deskt op\Set-up. exe" MD5: FF8B81C5BDBB09987A4ED216AE0010C2) - service123.exe (PID: 7856 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\servic e123.exe" MD5: 62CC0B5676AC91389084FEE3D683DC68) - schtasks.exe (PID: 7876 cmdline:
"C:\Window s\System32 \schtasks. exe" /crea te /tn "Se rviceData4 " /tr "C:\ Users\user \AppData\L ocal\Temp\ /service12 3.exe" /st 00:01 /du 9800:59 / sc once /r i 1 /f MD5: 48C2FE20575769DE916F48EF0676A965) 
conhost.exe (PID: 7884 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- service123.exe (PID: 7936 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\/servic e123.exe MD5: 62CC0B5676AC91389084FEE3D683DC68)
- service123.exe (PID: 4432 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\/servic e123.exe MD5: 62CC0B5676AC91389084FEE3D683DC68)
- cleanup
{"C2 list": ["analforeverlovyu.top", "+twelvevh12pt.top", "twelvevh12pt.top"]}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Clipboard_Hijacker_5 | Yara detected Clipboard Hijacker | Joe Security | ||
| JoeSecurity_Clipboard_Hijacker_5 | Yara detected Clipboard Hijacker | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_Cryptbot | Yara detected Cryptbot | Joe Security | ||
| JoeSecurity_Clipboard_Hijacker_5 | Yara detected Clipboard Hijacker | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Clipboard_Hijacker_5 | Yara detected Clipboard Hijacker | Joe Security |
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-09-28T00:09:09.374047+0200 | 2054350 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 185.244.181.140 | 80 | TCP |
| 2024-09-28T00:09:12.931853+0200 | 2054350 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 185.244.181.140 | 80 | TCP |
| 2024-09-28T00:09:18.000992+0200 | 2054350 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 185.244.181.140 | 80 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Code function: | 4_2_004B15D0 | |
| Source: | Code function: | 4_2_6C2F14E0 | |
| Source: | Static PE information: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Code function: | 4_2_004B8320 | |
| Source: | Code function: | 4_2_6C3B6C50 | |
| Source: | Code function: | 4_2_6C3B6C50 | |
| Source: | Code function: | 4_2_6C310C40 | |
| Source: | Code function: | 4_2_6C2FED09 | |
| Source: | Code function: | 4_2_6C3BAE90 | |
| Source: | Code function: | 4_2_6C3BAE90 | |
| Source: | Code function: | 4_2_6C3BAE90 | |
| Source: | Code function: | 4_2_6C3BAE90 | |
| Source: | Code function: | 4_2_6C2FEE80 | |
| Source: | Code function: | 4_2_6C366E80 | |
| Source: | Code function: | 4_2_6C366FE0 | |
| Source: | Code function: | 4_2_6C2F285F | |
| Source: | Code function: | 4_2_6C2FE8E0 | |
| Source: | Code function: | 4_2_6C312910 | |
| Source: | Code function: | 4_2_6C320971 | |
| Source: | Code function: | 4_2_6C320971 | |
| Source: | Code function: | 4_2_6C320971 | |
| Source: | Code function: | 4_2_6C2F297F | |
| Source: | Code function: | 4_2_6C2F29BE | |
| Source: | Code function: | 4_2_6C2F29FD | |
| Source: | Code function: | 4_2_6C31E9D0 | |
| Source: | Code function: | 4_2_6C340A30 | |
| Source: | Code function: | 4_2_6C2F2A3C | |
| Source: | Code function: | 4_2_6C2FEA31 | |
| Source: | Code function: | 4_2_6C320A1C | |
| Source: | Code function: | 4_2_6C2FEA97 | |
| Source: | Code function: | 4_2_6C2F2AF1 | |
| Source: | Code function: | 4_2_6C320ACC | |
| Source: | Code function: | 4_2_6C2F2B30 | |
| Source: | Code function: | 4_2_6C2F2B6F | |
| Source: | Code function: | 4_2_6C320B7C | |
| Source: | Code function: | 4_2_6C2FCB40 | |
| Source: | Code function: | 4_2_6C2FEB80 | |
| Source: | Code function: | 4_2_6C348BE0 | |
| Source: | Code function: | 4_2_6C2F2BD3 | |
| Source: | Code function: | 4_2_6C30C470 | |
| Source: | Code function: | 4_2_6C31C470 | |
| Source: | Code function: | 4_2_6C31C50C | |
| Source: | Code function: | 4_2_6C2FE510 | |
| Source: | Code function: | 4_2_6C31C540 | |
| Source: | Code function: | 4_2_6C31C540 | |
| Source: | Code function: | 4_2_6C36A5B0 | |
| Source: | Code function: | 4_2_6C31C5DC | |
| Source: | Code function: | 4_2_6C368640 | |
| Source: | Code function: | 4_2_6C368640 | |
| Source: | Code function: | 4_2_6C368640 | |
| Source: | Code function: | 4_2_6C31C68C | |
| Source: | Code function: | 4_2_6C2FE700 | |
| Source: | Code function: | 4_2_6C2FE7B0 | |
| Source: | Code function: | 4_2_6C3127F0 | |
| Source: | Code function: | 4_2_6C3AA030 | |
| Source: | Code function: | 4_2_6C31C02C | |
| Source: | Code function: | 4_2_6C2FC070 | |
| Source: | Code function: | 4_2_6C31C0DC | |
| Source: | Code function: | 4_2_6C3680C0 | |
| Source: | Code function: | 4_2_6C35C11E | |
| Source: | Code function: | 4_2_6C35C11A | |
| Source: | Code function: | 4_2_6C31C240 | |
| Source: | Code function: | 4_2_6C35C2DE | |
| Source: | Code function: | 4_2_6C31C2DC | |
| Source: | Code function: | 4_2_6C35C2DA | |
| Source: | Code function: | 4_2_6C312340 | |
| Source: | Code function: | 4_2_6C2FC380 | |
| Source: | Code function: | 4_2_6C2F2390 | |
| Source: | Code function: | 4_2_6C2FBC33 | |
| Source: | Code function: | 4_2_6C2FDC60 | |
| Source: | Code function: | 4_2_6C2FBC7E | |
| Source: | Code function: | 4_2_6C2FBC58 | |
| Source: | Code function: | 4_2_6C30DCA0 | |
| Source: | Code function: | 4_2_6C2FBCB5 | |
| Source: | Code function: | 4_2_6C31BC90 | |
| Source: | Code function: | 4_2_6C2FBC9F | |
| Source: | Code function: | 4_2_6C31DCE0 | |
| Source: | Code function: | 4_2_6C2FBCC7 | |
| Source: | Code function: | 4_2_6C31BD2C | |
| Source: | Code function: | 4_2_6C363D10 | |
| Source: | Code function: | 4_2_6C2FBD06 | |
| Source: | Code function: | 4_2_6C38BD70 | |
| Source: | Code function: | 4_2_6C2FBDFF | |
| Source: | Code function: | 4_2_6C367DE0 | |
| Source: | Code function: | 4_2_6C2FDEE0 | |
| Source: | Code function: | 4_2_6C31BEC0 | |
| Source: | Code function: | 4_2_6C2FBED2 | |
| Source: | Code function: | 4_2_6C31BF5C | |
| Source: | Code function: | 4_2_6C31BF90 | |
| Source: | Code function: | 4_2_6C31BF90 | |
| Source: | Code function: | 4_2_6C2FD8A0 | |
| Source: | Code function: | 4_2_6C2FF880 | |
| Source: | Code function: | 4_2_6C3598F3 | |
| Source: | Code function: | 4_2_6C2FB8E0 | |
| Source: | Code function: | 4_2_6C3638C0 | |
| Source: | Code function: | 4_2_6C38B970 | |
| Source: | Code function: | 4_2_6C311960 | |
| Source: | Code function: | 4_2_6C2FBA80 | |
| Source: | Code function: | 4_2_6C2FDAF0 | |
| Source: | Code function: | 4_2_6C2FBAD0 | |
| Source: | Code function: | 4_2_6C38FB20 | |
| Source: | Code function: | 4_2_6C2FBB7B | |
| Source: | Code function: | 4_2_6C367B50 | |
| Source: | Code function: | 4_2_6C2FDB90 | |
| Source: | Code function: | 4_2_6C2FBBF8 | |
| Source: | Code function: | 4_2_6C2FBBC4 | |
| Source: | Code function: | 4_2_6C35F430 | |
| Source: | Code function: | 4_2_6C2FD4C0 | |
| Source: | Code function: | 4_2_6C33F5A0 | |
| Source: | Code function: | 4_2_6C3575E0 | |
| Source: | Code function: | 4_2_6C35F610 | |
| Source: | Code function: | 4_2_6C35D67E | |
| Source: | Code function: | 4_2_6C35D67A | |
| Source: | Code function: | 4_2_6C2FD645 | |
| Source: | Code function: | 4_2_6C31F6B0 | |
| Source: | Code function: | 4_2_6C2FD6B0 | |
| Source: | Code function: | 4_2_6C2FB750 | |
| Source: | Code function: | 4_2_6C2FD1A0 | |
| Source: | Code function: | 4_2_6C2FD3A0 | |
| Source: | Code function: | 4_2_6C3573D0 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | IP Address: | ||
| Source: | ASN Name: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Code function: | 4_2_6C30ADD6 | |
| Source: | Code function: | 4_2_6C30AE52 | |
| Source: | Code function: | 4_2_6C30AF41 | |
| Source: | Code function: | 4_2_6C30ADD6 | |
System Summary | |
|---|
| Source: | File dump: | Jump to dropped file | ||
| Source: | Code function: | 4_2_004B3E80 | |
| Source: | Code function: | 4_2_004B5140 | |
| Source: | Code function: | 4_2_6C332E93 | |
| Source: | Code function: | 4_2_6C2FEE80 | |
| Source: | Code function: | 4_2_6C300F20 | |
| Source: | Code function: | 4_2_6C326830 | |
| Source: | Code function: | 4_2_6C352870 | |
| Source: | Code function: | 4_2_6C350AA0 | |
| Source: | Code function: | 4_2_6C306B10 | |
| Source: | Code function: | 4_2_6C2FCB40 | |
| Source: | Code function: | 4_2_6C33EB90 | |
| Source: | Code function: | 4_2_6C340020 | |
| Source: | Code function: | 4_2_6C3BE230 | |
| Source: | Code function: | 4_2_6C308260 | |
| Source: | Code function: | 4_2_6C332245 | |
| Source: | Code function: | 4_2_6C333C50 | |
| Source: | Code function: | 4_2_6C2F3D20 | |
| Source: | Code function: | 4_2_6C2FFDC0 | |
| Source: | Code function: | 4_2_6C305850 | |
| Source: | Code function: | 4_2_6C34B850 | |
| Source: | Code function: | 4_2_6C3038B0 | |
| Source: | Code function: | 4_2_6C337AB0 | |
| Source: | Code function: | 4_2_6C3B7520 | |
| Source: | Code function: | 4_2_6C2F3580 | |
| Source: | Code function: | 4_2_6C3535D0 | |
| Source: | Code function: | 4_2_6C2F9790 | |
| Source: | Code function: | 4_2_6C3517F0 | |
| Source: | Code function: | 4_2_6C323180 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | String found in binary or memory: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 4_2_004B8370 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 4_2_004BB171 | |
| Source: | Code function: | 4_2_6C360E46 | |
| Source: | Code function: | 4_2_6C3C0FCF | |
| Source: | Code function: | 4_2_6C37B19B | |
| Source: | Code function: | 4_2_6C36D180 | |
| Source: | Code function: | 4_2_6C36D19A | |
| Source: | Code function: | 4_2_6C354FA7 | |
| Source: | Code function: | 4_2_6C3555D7 | |
| Source: | Code function: | 4_2_6C35285B | |
| Source: | Code function: | 4_2_6C3BF741 | |
| Source: | Code function: | 4_2_6C354FA7 | |
| Source: | Code function: | 4_2_6C3BF741 | |
| Source: | Code function: | 4_2_6C340A44 | |
| Source: | Code function: | 4_2_6C3C0B12 | |
| Source: | Code function: | 4_2_6C3C0B12 | |
| Source: | Code function: | 4_2_6C342AFC | |
| Source: | Code function: | 4_2_6C3C0B12 | |
| Source: | Code function: | 4_2_6C36A59D | |
| Source: | Code function: | 4_2_6C34448D | |
| Source: | Code function: | 4_2_6C3809D2 | |
| Source: | Code function: | 4_2_6C3544C1 | |
| Source: | Code function: | 4_2_6C338498 | |
| Source: | Code function: | 4_2_6C352505 | |
| Source: | Code function: | 4_2_6C352505 | |
| Source: | Code function: | 4_2_6C3565D8 | |
| Source: | Code function: | 4_2_6C3545EB | |
| Source: | Code function: | 4_2_6C33667B | |
| Source: | Code function: | 4_2_6C34467D | |
| Source: | Code function: | 4_2_6C352742 | |
| Source: | Code function: | 4_2_6C3BF741 | |
| Source: | Code function: | 4_2_6C3583DF | |
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
Boot Survival | |
|---|
| Source: | Process created: | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | Evasive API call chain: | graph_4-163233 | ||
| Source: | Stalling execution: | graph_4-163234 | ||
| Source: | Registry key queried: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | API coverage: | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 4_2_004B8370 | |
| Source: | Code function: | 4_2_004B117C | |
| Source: | Code function: | 4_2_004B1170 | |
| Source: | Code function: | 4_2_004B13D1 | |
| Source: | Code function: | 4_2_004B11B3 | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 4_2_6C374010 | |
| Source: | Registry key value queried: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 Scheduled Task/Job | 11 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 11 Security Software Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 2 Virtualization/Sandbox Evasion | LSASS Memory | 2 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 2 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 11 Native API | Logon Script (Windows) | 1 DLL Side-Loading | 11 Process Injection | Security Account Manager | 1 Application Window Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 112 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 3 Obfuscated Files or Information | LSA Secrets | 22 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 42% | ReversingLabs | Win32.Trojan.CryptBot |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| twelvevh12pt.top | 185.244.181.140 | true | true | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown | |
| true | unknown | ||
| true | unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false |
| unknown | ||
| false | unknown | |||
| false |
| unknown | ||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | unknown | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 185.244.181.140 | twelvevh12pt.top | Russian Federation | 44901 | BELCLOUDBG | true |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1520814 |
| Start date and time: | 2024-09-28 00:08:09 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 7m 23s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 10 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | Set-up.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@8/2@1/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- VT rate limit hit for: Set-up.exe
| Time | Type | Description |
|---|---|---|
| 18:09:08 | API Interceptor | |
| 18:10:32 | API Interceptor | |
| 23:10:00 | Task Scheduler |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 185.244.181.140 | Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse |
| |
| Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse |
| ||
| Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse |
| ||
| Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse |
| ||
| Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse |
| ||
| Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse |
| ||
| Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse |
| ||
| Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse |
| ||
| Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse |
| ||
| Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| twelvevh12pt.top | Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| BELCLOUDBG | Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse |
| |
| Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse |
| ||
| Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse |
| ||
| Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse |
| ||
| Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse |
| ||
| Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse |
|
⊘No context
⊘No context
| Process: | C:\Users\user\Desktop\Set-up.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 315771904 |
| Entropy (8bit): | 0.05300296695813313 |
| Encrypted: | false |
| SSDEEP: | 24576:rvFnL2romyzEHeDRuO1Q1tc5P3mt/a+qqMOO:rvI+DRuOOEy/a+q |
| MD5: | 3DA963ED83B031CED52EB474AB2E3C09 |
| SHA1: | ACBAC9D33F145A985AD9B1269431A9C9F405A300 |
| SHA-256: | 14279D900A6D1BA0B98F2C41453FE6A2605B6F019D5C76D6F520E4CAFC276B17 |
| SHA-512: | 8939A09142B4EE3364D6EEBC053D9FCA3D0E7A241AA23BDBB2533492D7257227BEA5BB0263B407A0104D0C1961483F3D9DDD57F2D39511553DCB59245138DC0B |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\Set-up.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 314613760 |
| Entropy (8bit): | 0.0021512794930136233 |
| Encrypted: | false |
| SSDEEP: | |
| MD5: | 62CC0B5676AC91389084FEE3D683DC68 |
| SHA1: | 1B4305F2E2D7950C0363739AA80C919841B16D20 |
| SHA-256: | F743296CF48577C3F6EBE023B3A8B1613E902D248160F71E998B503B0318097F |
| SHA-512: | A05E4F907A92A3DD1429F0644ACA160134C558346B625B828BCCB5731CAAB0BE263E15468DD8DA2EF713E33A54C16170B63580CD57A93137E1596D0D7ADCB3AA |
| Malicious: | true |
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.6236305211780095 |
| TrID: |
|
| File name: | Set-up.exe |
| File size: | 6'614'719 bytes |
| MD5: | ff8b81c5bdbb09987a4ed216ae0010c2 |
| SHA1: | 1d5edf417a676e8e04a69dd94dac6a2a934cdfa6 |
| SHA256: | d6a055bee4a39f5879ff522099df86cd0a0001228cac589b3f07449a5a822fef |
| SHA512: | 9bad1fed2170e923e65f57e8ccbbfbe33fd8f01423469fa8e3d7a4c93c8c97fb84ea98df33901a11fdf8915dc7d9955046faf5c4f9ccf38d8606ccc2b91615fe |
| SSDEEP: | 49152:4pVubXslypSy5wT96CHhbhiwOfHLaorKt5LJ8Vx2jaV9hIaDzNZMV/tIsQ:/jazH7iwOf/rKt38VC49hIMrMH5Q |
| TLSH: | 5B66283B9A4355C8C13AB57ADC827F3FF8186AE443E9892B6C0508FCA755791E86D313 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..^..&.........#.fG...Y...f...........G...@...................................e....... .........................B.. |
 | |
| Icon Hash: | 90cececece8e8eb0 |
| Entrypoint: | 0x4014b0 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE |
| DLL Characteristics: | |
| Time Stamp: | 0x66F6DB9A [Fri Sep 27 16:21:46 2024 UTC] |
| TLS Callbacks: | 0x868fc0, 0x868f70 |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 92a00f4d0a4448266e9c638fdb1341b9 |
| Instruction |
|---|
| mov dword ptr [00F2B34Ch], 00000001h |
| jmp 00007FD3E4BBCDD6h |
| nop |
| mov dword ptr [00F2B34Ch], 00000000h |
| jmp 00007FD3E4BBCDC6h |
| nop |
| sub esp, 1Ch |
| mov eax, dword ptr [esp+20h] |
| mov dword ptr [esp], eax |
| call 00007FD3E503226Eh |
| test eax, eax |
| sete al |
| add esp, 1Ch |
| movzx eax, al |
| neg eax |
| ret |
| nop |
| nop |
| nop |
| push ebp |
| mov ebp, esp |
| push edi |
| push esi |
| push ebx |
| sub esp, 1Ch |
| mov dword ptr [esp], 0087A000h |
| call dword ptr [00F2D1F0h] |
| sub esp, 04h |
| test eax, eax |
| je 00007FD3E4BBD195h |
| mov ebx, eax |
| mov dword ptr [esp], 0087A000h |
| call dword ptr [00F2D210h] |
| mov edi, dword ptr [00F2D1F8h] |
| sub esp, 04h |
| mov dword ptr [008BF028h], eax |
| mov dword ptr [esp+04h], 0087A013h |
| mov dword ptr [esp], ebx |
| call edi |
| sub esp, 08h |
| mov esi, eax |
| mov dword ptr [esp+04h], 0087A029h |
| mov dword ptr [esp], ebx |
| call edi |
| mov dword ptr [00878004h], eax |
| sub esp, 08h |
| test esi, esi |
| je 00007FD3E4BBD133h |
| mov dword ptr [esp+04h], 008BF02Ch |
| mov dword ptr [esp], 00884000h |
| call esi |
| mov dword ptr [esp], 004015A0h |
| call 00007FD3E4BBD083h |
| lea esp, dword ptr [ebp-0Ch] |
| pop ebx |
| pop esi |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb2c000 | 0x42 | .edata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb2d000 | 0x9e4 | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb30000 | 0xdfe28 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x4829f4 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0xb2d1e0 | 0x190 | .idata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x4764a4 | 0x476600 | c5007517b2a111f1b6215df95d541e9e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0x478000 | 0x1708 | 0x1800 | 2f895630c6e8a3f54079d53c7db88431 | False | 0.6139322916666666 | dBase III DBT, version number 0, next free block index 10, 1st item "}\212A" | 5.684371285661909 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rdata | 0x47a000 | 0x9c18 | 0x9e00 | e6538e7ad2d6bc0f8089b04602d659f5 | False | 0.372206289556962 | data | 4.360263309483147 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
| /4 | 0x484000 | 0x3aa5c | 0x3ac00 | 882a17157402d7201a35321e395be61b | False | 0.2441156914893617 | data | 5.087938296942671 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
| .bss | 0x4bf000 | 0x66ce54 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .edata | 0xb2c000 | 0x42 | 0x200 | 87a5e2519f843965227ee5f3c8599c81 | False | 0.123046875 | data | 0.7233135926899718 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
| .idata | 0xb2d000 | 0x9e4 | 0xa00 | 07759335905d0c4cf96824b7fb4353c8 | False | 0.4296875 | data | 5.144871576549617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .CRT | 0xb2e000 | 0x34 | 0x200 | bc151dc2cece8ca6c75d536b3276281c | False | 0.0703125 | Matlab v4 mat-file (little endian) P\217\206, numeric, rows 4198704, columns 0 | 0.27892677800628285 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .tls | 0xb2f000 | 0x8 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .reloc | 0xb30000 | 0xdfe28 | 0xe0000 | bc79fb7113991d3c8d2c806164250269 | False | 0.046024867466517856 | data | 6.841583720841163 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /14 | 0xc10000 | 0x690 | 0x800 | 7ad7f16fcd6c5ff774fcdcf49b733ca0 | False | 0.26513671875 | Matlab v4 mat-file (little endian) \355\004, rows 2, columns 262144 | 2.169293257842307 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /29 | 0xc11000 | 0x1a7c4 | 0x1a800 | dcde74953af45acc7cab073a1f49bb89 | False | 0.4239018278301887 | data | 6.076839380462319 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /41 | 0xc2c000 | 0x4c58 | 0x4e00 | c272f07e704eb90e2b6c4c9bad844e11 | False | 0.1761318108974359 | data | 4.711442500030027 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /55 | 0xc31000 | 0xe342 | 0xe400 | ba9609b0acef1481719bb4e00f4bef84 | False | 0.47640830592105265 | data | 5.285114187967561 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /67 | 0xc40000 | 0x1d54 | 0x1e00 | 51c0f44ac1c43c82112ef18aecdf7783 | False | 0.334375 | data | 4.878570677353131 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /80 | 0xc42000 | 0x961 | 0xa00 | 9109961d3d1231997c8aa80b9ef91e44 | False | 0.381640625 | data | 4.6390012281106685 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /91 | 0xc43000 | 0x18b05 | 0x18c00 | 3b5f4e3673df00d43d032639a56fe615 | False | 0.3387192234848485 | data | 4.160374229151645 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /102 | 0xc5c000 | 0x11c0 | 0x1200 | acb9037b7b793eae32ab82637f1d257e | False | 0.3736979166666667 | Matlab v4 mat-file (little endian) \360, rows 16, columns 19, imaginary | 3.383708098291067 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| DLL | Import |
|---|---|
| KERNEL32.dll | DeleteCriticalSection, EnterCriticalSection, FreeLibrary, GetLastError, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetStartupInfoA, GetTempPathA, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, MultiByteToWideChar, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery, WideCharToMultiByte, lstrlenA |
| msvcrt.dll | __getmainargs, __initenv, __lconv_init, __mb_cur_max, __p__acmdln, __p__commode, __p__fmode, __set_app_type, __setusermatherr, _amsg_exit, _assert, _cexit, _errno, _chsize, _filelengthi64, _fileno, _initterm, _iob, _lock, _onexit, _unlock, abort, atoi, calloc, exit, fclose, fflush, fgetpos, fopen, fputc, fread, free, freopen, fsetpos, fwrite, getc, islower, isspace, isupper, isxdigit, localeconv, malloc, memcmp, memcpy, memmove, memset, mktime, localtime, difftime, _mkdir, perror, puts, realloc, remove, setlocale, signal, strchr, strcmp, strcpy, strerror, strlen, strncmp, strncpy, strtol, strtoul, tolower, ungetc, vfprintf, time, wcslen, wcstombs, _stat, _utime, _fileno, _chmod |
| SHELL32.dll | ShellExecuteA |
| Name | Ordinal | Address |
|---|---|---|
| main | 1 | 0x4b6602 |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-09-28T00:09:09.374047+0200 | 2054350 | ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 | 1 | 192.168.2.4 | 49730 | 185.244.181.140 | 80 | TCP |
| 2024-09-28T00:09:12.931853+0200 | 2054350 | ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 | 1 | 192.168.2.4 | 49731 | 185.244.181.140 | 80 | TCP |
| 2024-09-28T00:09:18.000992+0200 | 2054350 | ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 | 1 | 192.168.2.4 | 49733 | 185.244.181.140 | 80 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Sep 28, 2024 00:09:08.680787086 CEST | 49730 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:08.685847044 CEST | 80 | 49730 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:08.685935020 CEST | 49730 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:08.686074972 CEST | 49730 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:08.686099052 CEST | 49730 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:08.690963984 CEST | 80 | 49730 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:08.691008091 CEST | 80 | 49730 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:09.373891115 CEST | 80 | 49730 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:09.374047041 CEST | 80 | 49730 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:09.374047041 CEST | 49730 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:09.374105930 CEST | 49730 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:09.379664898 CEST | 80 | 49730 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:12.870305061 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:12.875617981 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:12.875727892 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:12.875874043 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:12.875936985 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:12.881803036 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:12.881851912 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:12.881860018 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:12.881885052 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:12.881900072 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:12.881912947 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:12.881942034 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:12.881951094 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:12.881990910 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:12.882019043 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:12.882038116 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:12.882046938 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:12.882066011 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:12.882074118 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:12.882092953 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:12.882102013 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:12.882122993 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:12.882158995 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:12.886945963 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:12.887003899 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:12.887624025 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:12.887680054 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:12.887866974 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:12.887893915 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:12.887922049 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:12.887923002 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:12.887943029 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:12.887969971 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:12.887970924 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:12.887995958 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:12.888020039 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:12.888031960 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:12.931732893 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:12.931853056 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:12.983730078 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:12.983783960 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:13.035759926 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:13.035823107 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:13.083875895 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:13.083941936 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:13.135771036 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:13.371515036 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:13.958046913 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:13.958233118 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:13.958365917 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:13.958431005 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:13.958625078 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:13.958683968 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:13.963378906 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:17.152173996 CEST | 49733 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:17.161010027 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:17.161155939 CEST | 49733 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:17.162060976 CEST | 49733 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:17.162157059 CEST | 49733 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:17.169024944 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:17.169126034 CEST | 49733 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:17.169198036 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:17.169228077 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:17.169255972 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:17.169281960 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:17.169281960 CEST | 49733 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:17.169313908 CEST | 49733 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:17.169320107 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:17.169348001 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:17.169348955 CEST | 49733 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:17.169373989 CEST | 49733 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:17.169393063 CEST | 49733 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:17.169395924 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:17.169444084 CEST | 49733 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:17.169447899 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:17.169492960 CEST | 49733 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:17.173892975 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:17.174431086 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:17.174458027 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:17.174485922 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:17.174535036 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:17.174562931 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:17.174591064 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:17.212182999 CEST | 49733 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:17.218384981 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:18.000324011 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:18.000819921 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
| Sep 28, 2024 00:09:18.000992060 CEST | 49733 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:18.008359909 CEST | 49733 | 80 | 192.168.2.4 | 185.244.181.140 |
| Sep 28, 2024 00:09:18.013286114 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Sep 28, 2024 00:09:08.091965914 CEST | 56988 | 53 | 192.168.2.4 | 1.1.1.1 |
| Sep 28, 2024 00:09:08.675534964 CEST | 53 | 56988 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Sep 28, 2024 00:09:08.091965914 CEST | 192.168.2.4 | 1.1.1.1 | 0xce69 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Sep 28, 2024 00:09:08.675534964 CEST | 1.1.1.1 | 192.168.2.4 | 0xce69 | No error (0) | 185.244.181.140 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49730 | 185.244.181.140 | 80 | 7328 | C:\Users\user\Desktop\Set-up.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Sep 28, 2024 00:09:08.686074972 CEST | 335 | OUT | |
| Sep 28, 2024 00:09:08.686099052 CEST | 413 | OUT | |
| Sep 28, 2024 00:09:09.373891115 CEST | 209 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49731 | 185.244.181.140 | 80 | 7328 | C:\Users\user\Desktop\Set-up.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Sep 28, 2024 00:09:12.875874043 CEST | 337 | OUT | |
| Sep 28, 2024 00:09:12.875936985 CEST | 11124 | OUT | |
| Sep 28, 2024 00:09:12.881860018 CEST | 1236 | OUT | |
| Sep 28, 2024 00:09:12.881900072 CEST | 2472 | OUT | |
| Sep 28, 2024 00:09:12.881942034 CEST | 2472 | OUT | |
| Sep 28, 2024 00:09:12.881951094 CEST | 2472 | OUT | |
| Sep 28, 2024 00:09:12.882038116 CEST | 2472 | OUT | |
| Sep 28, 2024 00:09:12.882066011 CEST | 2472 | OUT | |
| Sep 28, 2024 00:09:12.882092953 CEST | 2472 | OUT | |
| Sep 28, 2024 00:09:12.882122993 CEST | 2472 | OUT | |
| Sep 28, 2024 00:09:12.882158995 CEST | 2472 | OUT | |
| Sep 28, 2024 00:09:13.958046913 CEST | 209 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.4 | 49733 | 185.244.181.140 | 80 | 7328 | C:\Users\user\Desktop\Set-up.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Sep 28, 2024 00:09:17.162060976 CEST | 337 | OUT | |
| Sep 28, 2024 00:09:17.162157059 CEST | 11124 | OUT | |
| Sep 28, 2024 00:09:17.169126034 CEST | 1236 | OUT | |
| Sep 28, 2024 00:09:17.169281960 CEST | 4944 | OUT | |
| Sep 28, 2024 00:09:17.169313908 CEST | 2472 | OUT | |
| Sep 28, 2024 00:09:17.169348955 CEST | 2472 | OUT | |
| Sep 28, 2024 00:09:17.169373989 CEST | 2472 | OUT | |
| Sep 28, 2024 00:09:17.169393063 CEST | 2472 | OUT | |
| Sep 28, 2024 00:09:17.169444084 CEST | 2472 | OUT | |
| Sep 28, 2024 00:09:17.169492960 CEST | 2257 | OUT | |
| Sep 28, 2024 00:09:17.212182999 CEST | 1236 | OUT | |
| Sep 28, 2024 00:09:18.000324011 CEST | 209 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 18:08:58 |
| Start date: | 27/09/2024 |
| Path: | C:\Users\user\Desktop\Set-up.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 6'614'719 bytes |
| MD5 hash: | FF8B81C5BDBB09987A4ED216AE0010C2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 18:09:58 |
| Start date: | 27/09/2024 |
| Path: | C:\Users\user\AppData\Local\Temp\service123.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x4b0000 |
| File size: | 314'613'760 bytes |
| MD5 hash: | 62CC0B5676AC91389084FEE3D683DC68 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | false |
| Target ID: | 5 |
| Start time: | 18:09:58 |
| Start date: | 27/09/2024 |
| Path: | C:\Windows\SysWOW64\schtasks.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x130000 |
| File size: | 187'904 bytes |
| MD5 hash: | 48C2FE20575769DE916F48EF0676A965 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 6 |
| Start time: | 18:09:59 |
| Start date: | 27/09/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7699e0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 7 |
| Start time: | 18:10:01 |
| Start date: | 27/09/2024 |
| Path: | C:\Users\user\AppData\Local\Temp\service123.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x4b0000 |
| File size: | 314'613'760 bytes |
| MD5 hash: | 62CC0B5676AC91389084FEE3D683DC68 |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 9 |
| Start time: | 18:11:01 |
| Start date: | 27/09/2024 |
| Path: | C:\Users\user\AppData\Local\Temp\service123.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x4b0000 |
| File size: | 314'613'760 bytes |
| MD5 hash: | 62CC0B5676AC91389084FEE3D683DC68 |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 0.1% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 42.6% |
| Total number of Nodes: | 108 |
| Total number of Limit Nodes: | 3 |
Graph
Function 004B8320 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 101libraryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004B8370 Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 52libraryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C30AE52 Relevance: 15.1, APIs: 10, Instructions: 110sleepclipboardCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C30ADA0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32sleepsynchronizationclipboardCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004B12A6 Relevance: 5.1, APIs: 4, Instructions: 79stringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004B13C3 Relevance: 5.1, APIs: 4, Instructions: 65stringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2F2390 Relevance: 38.0, APIs: 25, Instructions: 466COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2FB750 Relevance: 37.7, APIs: 25, Instructions: 155COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2F285F Relevance: 37.6, APIs: 25, Instructions: 112COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2F2BD3 Relevance: 37.6, APIs: 25, Instructions: 84COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2F2AF1 Relevance: 37.6, APIs: 25, Instructions: 81COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2F29FD Relevance: 37.6, APIs: 25, Instructions: 78COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2F297F Relevance: 37.6, APIs: 25, Instructions: 73COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2F29BE Relevance: 37.6, APIs: 25, Instructions: 70COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2F2B6F Relevance: 37.6, APIs: 25, Instructions: 67COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2F2A3C Relevance: 37.6, APIs: 25, Instructions: 64COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2F2B30 Relevance: 37.6, APIs: 25, Instructions: 61COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2FBA80 Relevance: 34.6, APIs: 23, Instructions: 110COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2FBBF8 Relevance: 34.6, APIs: 23, Instructions: 97COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2FBBC4 Relevance: 34.6, APIs: 23, Instructions: 63COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2FBAD0 Relevance: 33.1, APIs: 22, Instructions: 140COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2FBDFF Relevance: 33.1, APIs: 22, Instructions: 77COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2FBB7B Relevance: 33.1, APIs: 22, Instructions: 62COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2FBED2 Relevance: 33.1, APIs: 22, Instructions: 57COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2FBD06 Relevance: 33.0, APIs: 22, Instructions: 45COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2FBC33 Relevance: 33.0, APIs: 22, Instructions: 42COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2FBC7E Relevance: 33.0, APIs: 22, Instructions: 40COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2FBC58 Relevance: 33.0, APIs: 22, Instructions: 40COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2FBC9F Relevance: 33.0, APIs: 22, Instructions: 36COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2FBCC7 Relevance: 33.0, APIs: 22, Instructions: 36COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2FBCB5 Relevance: 33.0, APIs: 22, Instructions: 35COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2FC380 Relevance: 28.6, APIs: 19, Instructions: 148COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2FD3A0 Relevance: 24.1, APIs: 16, Instructions: 105COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2FD4C0 Relevance: 22.6, APIs: 15, Instructions: 127COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C300F20 Relevance: 22.6, APIs: 8, Strings: 4, Instructions: 1586stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2FFDC0 Relevance: 21.7, APIs: 7, Strings: 5, Instructions: 659stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2FD645 Relevance: 21.0, APIs: 14, Instructions: 42COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2FD6B0 Relevance: 19.5, APIs: 13, Instructions: 44COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2FD8A0 Relevance: 18.1, APIs: 12, Instructions: 126COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2FDAF0 Relevance: 16.6, APIs: 11, Instructions: 68COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2FDB90 Relevance: 15.1, APIs: 10, Instructions: 71COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C374010 Relevance: 13.9, Strings: 11, Instructions: 136COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2FDEE0 Relevance: 12.1, APIs: 8, Instructions: 91COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C30AF41 Relevance: 12.0, APIs: 8, Instructions: 46clipboardmemorystringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2F9790 Relevance: 10.8, APIs: 3, Strings: 4, Instructions: 336stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C312910 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 214stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C31DCE0 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 198stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C320971 Relevance: 10.7, APIs: 6, Strings: 1, Instructions: 196stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2FE510 Relevance: 10.6, APIs: 7, Instructions: 145COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2FE700 Relevance: 9.1, APIs: 6, Instructions: 66COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C308260 Relevance: 8.2, APIs: 5, Instructions: 664COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2FEE80 Relevance: 8.0, APIs: 5, Instructions: 483COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C305850 Relevance: 7.9, Strings: 6, Instructions: 424COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004B3E80 Relevance: 7.9, Strings: 6, Instructions: 424COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C31C540 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 119stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C31BF90 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 119stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2FE7B0 Relevance: 7.6, APIs: 5, Instructions: 90COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2FE8E0 Relevance: 6.2, APIs: 4, Instructions: 180COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2FEA31 Relevance: 6.0, APIs: 4, Instructions: 14COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2FEA97 Relevance: 6.0, APIs: 4, Instructions: 14COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2FEB80 Relevance: 4.7, APIs: 3, Instructions: 200COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C31C240 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 66stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C31BC90 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 66stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C31C470 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 61stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C31BEC0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 61stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2FED09 Relevance: 4.5, APIs: 3, Instructions: 13COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C320A1C Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 39stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C320ACC Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 39stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C31C5DC Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 39stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C31C02C Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 39stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2F3580 Relevance: 2.9, Strings: 2, Instructions: 398COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C31E9D0 Relevance: 2.5, Strings: 2, Instructions: 42COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C3127F0 Relevance: 2.5, Strings: 2, Instructions: 42COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C332E93 Relevance: 2.2, APIs: 1, Instructions: 923COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C333C50 Relevance: 2.2, APIs: 1, Instructions: 907COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C3535D0 Relevance: 2.1, Strings: 1, Instructions: 874COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C352870 Relevance: 2.1, Strings: 1, Instructions: 873COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C332245 Relevance: 2.1, APIs: 1, Instructions: 816COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C3BE230 Relevance: 2.0, APIs: 1, Instructions: 487COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C337AB0 Relevance: 1.9, APIs: 1, Instructions: 665COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2F3D20 Relevance: 1.7, Strings: 1, Instructions: 410COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C3AA030 Relevance: 1.6, Strings: 1, Instructions: 392COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C323180 Relevance: 1.6, APIs: 1, Instructions: 357COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C326830 Relevance: 1.6, APIs: 1, Instructions: 354COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C34B850 Relevance: 1.6, APIs: 1, Instructions: 320COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C3038B0 Relevance: 1.5, Strings: 1, Instructions: 233COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C36A5B0 Relevance: 1.4, Strings: 1, Instructions: 123COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C310C40 Relevance: 1.3, Strings: 1, Instructions: 23COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C312340 Relevance: 1.3, Strings: 1, Instructions: 20COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C320B7C Relevance: 1.3, Strings: 1, Instructions: 14COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C31C2DC Relevance: 1.3, Strings: 1, Instructions: 14COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C31BD2C Relevance: 1.3, Strings: 1, Instructions: 14COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C31C50C Relevance: 1.3, Strings: 1, Instructions: 10COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C31C68C Relevance: 1.3, Strings: 1, Instructions: 10COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C31C0DC Relevance: 1.3, Strings: 1, Instructions: 10COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C31BF5C Relevance: 1.3, Strings: 1, Instructions: 10COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C340020 Relevance: .7, Instructions: 670COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C33EB90 Relevance: .7, Instructions: 669COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C3B7520 Relevance: .3, Instructions: 342COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C3B6C50 Relevance: .3, Instructions: 289COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C367B50 Relevance: .2, Instructions: 249COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C33F5A0 Relevance: .2, Instructions: 180COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C340A30 Relevance: .2, Instructions: 178COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C367DE0 Relevance: .2, Instructions: 155COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C366E80 Relevance: .1, Instructions: 120COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C3BAE90 Relevance: .1, Instructions: 118COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C35C2DA Relevance: .1, Instructions: 97COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C348BE0 Relevance: .1, Instructions: 75COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C31F6B0 Relevance: .1, Instructions: 70COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C366FE0 Relevance: .1, Instructions: 67COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C3680C0 Relevance: .1, Instructions: 58COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C35C11A Relevance: .1, Instructions: 54COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C35C11E Relevance: .1, Instructions: 51COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C3598F3 Relevance: .0, Instructions: 50COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C35D67A Relevance: .0, Instructions: 49COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C35D67E Relevance: .0, Instructions: 46COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C30DCA0 Relevance: .0, Instructions: 39COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C3638C0 Relevance: .0, Instructions: 37COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C35C2DE Relevance: .0, Instructions: 33COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C363D10 Relevance: .0, Instructions: 33COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C30C470 Relevance: .0, Instructions: 13COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C30E500 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 130fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2FA570 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004B1970 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C30ABD1 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 33libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C319510 Relevance: 13.7, APIs: 6, Strings: 3, Instructions: 243stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2F1400 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004B14F0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004B1E20 Relevance: 12.1, APIs: 8, Instructions: 90COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C319880 Relevance: 10.7, APIs: 6, Strings: 1, Instructions: 185stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2FE300 Relevance: 10.6, APIs: 7, Instructions: 120synchronizationCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004B8000 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C30ACC1 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C30C310 Relevance: 9.2, APIs: 6, Instructions: 153COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2F1020 Relevance: 9.1, APIs: 6, Instructions: 108sleepCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C3141B0 Relevance: 9.0, APIs: 6, Instructions: 50stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C313F10 Relevance: 9.0, APIs: 6, Instructions: 49stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2F9B53 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 177stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2F9B0B Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 172stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C3B1C60 Relevance: 7.6, APIs: 5, Instructions: 78stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C3B1D80 Relevance: 7.6, APIs: 5, Instructions: 75stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C3B1EA0 Relevance: 7.6, APIs: 5, Instructions: 71stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C3B28D0 Relevance: 7.6, APIs: 5, Instructions: 64stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C30A840 Relevance: 7.6, APIs: 5, Instructions: 61COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C30FEE0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C30AC78 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004B7FB8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C30AC23 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C301D23 Relevance: 6.4, APIs: 4, Instructions: 415COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2FA220 Relevance: 6.3, APIs: 5, Instructions: 98stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C301C18 Relevance: 6.3, APIs: 4, Instructions: 276COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C30A470 Relevance: 6.1, APIs: 4, Instructions: 102COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004B78E0 Relevance: 6.1, APIs: 4, Instructions: 102COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C320D70 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 88stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004B1001 Relevance: 6.1, APIs: 4, Instructions: 60COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C3804B0 Relevance: 5.4, APIs: 4, Instructions: 412stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C37FC30 Relevance: 5.4, APIs: 4, Instructions: 412stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C37EA70 Relevance: 5.4, APIs: 4, Instructions: 391stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C37F350 Relevance: 5.4, APIs: 4, Instructions: 391stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C309230 Relevance: 5.1, APIs: 4, Instructions: 55sleepCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004B69E0 Relevance: 5.1, APIs: 4, Instructions: 55sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C2FA9B0 Relevance: 5.0, APIs: 4, Instructions: 39COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004B1FD0 Relevance: 5.0, APIs: 4, Instructions: 39COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|