Windows
Analysis Report
Set-up.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- Set-up.exe (PID: 7328 cmdline: "C:\Users\user\Desktop\Set-up.exe" MD5: FF8B81C5BDBB09987A4ED216AE0010C2)
  - service123.exe (PID: 7856 cmdline: "C:\Users\user\AppData\Local\Temp\service123.exe" MD5: 62CC0B5676AC91389084FEE3D683DC68)
    - schtasks.exe (PID: 7876 cmdline: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f MD5: 48C2FE20575769DE916F48EF0676A965)
      - conhost.exe (PID: 7884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- service123.exe (PID: 7936 cmdline: C:\Users\user\AppData\Local\Temp\/service123.exe MD5: 62CC0B5676AC91389084FEE3D683DC68)
- service123.exe (PID: 4432 cmdline: C:\Users\user\AppData\Local\Temp\/service123.exe MD5: 62CC0B5676AC91389084FEE3D683DC68)
- cleanup
{"C2 list": ["analforeverlovyu.top", "+twelvevh12pt.top", "twelvevh12pt.top"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Clipboard_Hijacker_5 | Yara detected Clipboard Hijacker | Joe Security | ||
JoeSecurity_Clipboard_Hijacker_5 | Yara detected Clipboard Hijacker | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_Cryptbot | Yara detected Cryptbot | Joe Security | ||
JoeSecurity_Clipboard_Hijacker_5 | Yara detected Clipboard Hijacker | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Clipboard_Hijacker_5 | Yara detected Clipboard Hijacker | Joe Security |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems): |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-09-28T00:09:09.374047+0200 | 2054350 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 185.244.181.140 | 80 | TCP |
2024-09-28T00:09:12.931853+0200 | 2054350 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 185.244.181.140 | 80 | TCP |
2024-09-28T00:09:18.000992+0200 | 2054350 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 185.244.181.140 | 80 | TCP |
AV Detection |
---|
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Code function: | 4_2_004B15D0 | |
Source: | Code function: | 4_2_6C2F14E0 |
Source: | Static PE information: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | Code function: | 4_2_004B8320 | |
Source: | Code function: | 4_2_6C3B6C50 | |
Source: | Code function: | 4_2_6C3B6C50 | |
Source: | Code function: | 4_2_6C310C40 | |
Source: | Code function: | 4_2_6C2FED09 | |
Source: | Code function: | 4_2_6C3BAE90 | |
Source: | Code function: | 4_2_6C3BAE90 | |
Source: | Code function: | 4_2_6C3BAE90 | |
Source: | Code function: | 4_2_6C3BAE90 | |
Source: | Code function: | 4_2_6C2FEE80 | |
Source: | Code function: | 4_2_6C366E80 | |
Source: | Code function: | 4_2_6C366FE0 | |
Source: | Code function: | 4_2_6C2F285F | |
Source: | Code function: | 4_2_6C2FE8E0 | |
Source: | Code function: | 4_2_6C312910 | |
Source: | Code function: | 4_2_6C320971 | |
Source: | Code function: | 4_2_6C320971 | |
Source: | Code function: | 4_2_6C320971 | |
Source: | Code function: | 4_2_6C2F297F | |
Source: | Code function: | 4_2_6C2F29BE | |
Source: | Code function: | 4_2_6C2F29FD | |
Source: | Code function: | 4_2_6C31E9D0 | |
Source: | Code function: | 4_2_6C340A30 | |
Source: | Code function: | 4_2_6C2F2A3C | |
Source: | Code function: | 4_2_6C2FEA31 | |
Source: | Code function: | 4_2_6C320A1C | |
Source: | Code function: | 4_2_6C2FEA97 | |
Source: | Code function: | 4_2_6C2F2AF1 | |
Source: | Code function: | 4_2_6C320ACC | |
Source: | Code function: | 4_2_6C2F2B30 | |
Source: | Code function: | 4_2_6C2F2B6F | |
Source: | Code function: | 4_2_6C320B7C | |
Source: | Code function: | 4_2_6C2FCB40 | |
Source: | Code function: | 4_2_6C2FEB80 | |
Source: | Code function: | 4_2_6C348BE0 | |
Source: | Code function: | 4_2_6C2F2BD3 | |
Source: | Code function: | 4_2_6C30C470 | |
Source: | Code function: | 4_2_6C31C470 | |
Source: | Code function: | 4_2_6C31C50C | |
Source: | Code function: | 4_2_6C2FE510 | |
Source: | Code function: | 4_2_6C31C540 | |
Source: | Code function: | 4_2_6C31C540 | |
Source: | Code function: | 4_2_6C36A5B0 | |
Source: | Code function: | 4_2_6C31C5DC | |
Source: | Code function: | 4_2_6C368640 | |
Source: | Code function: | 4_2_6C368640 | |
Source: | Code function: | 4_2_6C368640 | |
Source: | Code function: | 4_2_6C31C68C | |
Source: | Code function: | 4_2_6C2FE700 | |
Source: | Code function: | 4_2_6C2FE7B0 | |
Source: | Code function: | 4_2_6C3127F0 | |
Source: | Code function: | 4_2_6C3AA030 | |
Source: | Code function: | 4_2_6C31C02C | |
Source: | Code function: | 4_2_6C2FC070 | |
Source: | Code function: | 4_2_6C31C0DC | |
Source: | Code function: | 4_2_6C3680C0 | |
Source: | Code function: | 4_2_6C35C11E | |
Source: | Code function: | 4_2_6C35C11A | |
Source: | Code function: | 4_2_6C31C240 | |
Source: | Code function: | 4_2_6C35C2DE | |
Source: | Code function: | 4_2_6C31C2DC | |
Source: | Code function: | 4_2_6C35C2DA | |
Source: | Code function: | 4_2_6C312340 | |
Source: | Code function: | 4_2_6C2FC380 | |
Source: | Code function: | 4_2_6C2F2390 | |
Source: | Code function: | 4_2_6C2FBC33 | |
Source: | Code function: | 4_2_6C2FDC60 | |
Source: | Code function: | 4_2_6C2FBC7E | |
Source: | Code function: | 4_2_6C2FBC58 | |
Source: | Code function: | 4_2_6C30DCA0 | |
Source: | Code function: | 4_2_6C2FBCB5 | |
Source: | Code function: | 4_2_6C31BC90 | |
Source: | Code function: | 4_2_6C2FBC9F | |
Source: | Code function: | 4_2_6C31DCE0 | |
Source: | Code function: | 4_2_6C2FBCC7 | |
Source: | Code function: | 4_2_6C31BD2C | |
Source: | Code function: | 4_2_6C363D10 | |
Source: | Code function: | 4_2_6C2FBD06 | |
Source: | Code function: | 4_2_6C38BD70 | |
Source: | Code function: | 4_2_6C2FBDFF | |
Source: | Code function: | 4_2_6C367DE0 | |
Source: | Code function: | 4_2_6C2FDEE0 | |
Source: | Code function: | 4_2_6C31BEC0 | |
Source: | Code function: | 4_2_6C2FBED2 | |
Source: | Code function: | 4_2_6C31BF5C | |
Source: | Code function: | 4_2_6C31BF90 | |
Source: | Code function: | 4_2_6C31BF90 | |
Source: | Code function: | 4_2_6C2FD8A0 | |
Source: | Code function: | 4_2_6C2FF880 | |
Source: | Code function: | 4_2_6C3598F3 | |
Source: | Code function: | 4_2_6C2FB8E0 | |
Source: | Code function: | 4_2_6C3638C0 | |
Source: | Code function: | 4_2_6C38B970 | |
Source: | Code function: | 4_2_6C311960 | |
Source: | Code function: | 4_2_6C2FBA80 | |
Source: | Code function: | 4_2_6C2FDAF0 | |
Source: | Code function: | 4_2_6C2FBAD0 | |
Source: | Code function: | 4_2_6C38FB20 | |
Source: | Code function: | 4_2_6C2FBB7B | |
Source: | Code function: | 4_2_6C367B50 | |
Source: | Code function: | 4_2_6C2FDB90 | |
Source: | Code function: | 4_2_6C2FBBF8 | |
Source: | Code function: | 4_2_6C2FBBC4 | |
Source: | Code function: | 4_2_6C35F430 | |
Source: | Code function: | 4_2_6C2FD4C0 | |
Source: | Code function: | 4_2_6C33F5A0 | |
Source: | Code function: | 4_2_6C3575E0 | |
Source: | Code function: | 4_2_6C35F610 | |
Source: | Code function: | 4_2_6C35D67E | |
Source: | Code function: | 4_2_6C35D67A | |
Source: | Code function: | 4_2_6C2FD645 | |
Source: | Code function: | 4_2_6C31F6B0 | |
Source: | Code function: | 4_2_6C2FD6B0 | |
Source: | Code function: | 4_2_6C2FB750 | |
Source: | Code function: | 4_2_6C2FD1A0 | |
Source: | Code function: | 4_2_6C2FD3A0 | |
Source: | Code function: | 4_2_6C3573D0 |
Networking |
---|
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: |
Source: | IP Address: |
Source: | ASN Name: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Code function: | 4_2_6C30ADD6 |
Source: | Code function: | 4_2_6C30AE52 | |
Source: | Code function: | 4_2_6C30AF41 |
Source: | Code function: | 4_2_6C30ADD6 |
System Summary |
---|
Source: | File dump: |
Source: | Code function: | 4_2_004B3E80 | |
Source: | Code function: | 4_2_004B5140 | |
Source: | Code function: | 4_2_6C332E93 | |
Source: | Code function: | 4_2_6C2FEE80 | |
Source: | Code function: | 4_2_6C300F20 | |
Source: | Code function: | 4_2_6C326830 | |
Source: | Code function: | 4_2_6C352870 | |
Source: | Code function: | 4_2_6C350AA0 | |
Source: | Code function: | 4_2_6C306B10 | |
Source: | Code function: | 4_2_6C2FCB40 | |
Source: | Code function: | 4_2_6C33EB90 | |
Source: | Code function: | 4_2_6C340020 | |
Source: | Code function: | 4_2_6C3BE230 | |
Source: | Code function: | 4_2_6C308260 | |
Source: | Code function: | 4_2_6C332245 | |
Source: | Code function: | 4_2_6C333C50 | |
Source: | Code function: | 4_2_6C2F3D20 | |
Source: | Code function: | 4_2_6C2FFDC0 | |
Source: | Code function: | 4_2_6C305850 | |
Source: | Code function: | 4_2_6C34B850 | |
Source: | Code function: | 4_2_6C3038B0 | |
Source: | Code function: | 4_2_6C337AB0 | |
Source: | Code function: | 4_2_6C3B7520 | |
Source: | Code function: | 4_2_6C2F3580 | |
Source: | Code function: | 4_2_6C3535D0 | |
Source: | Code function: | 4_2_6C2F9790 | |
Source: | Code function: | 4_2_6C3517F0 | |
Source: | Code function: | 4_2_6C323180 |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | File created: |
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | File created: |
Source: | Static PE information: |
Source: | File read: |
Source: | Key opened: |
Source: | ReversingLabs: |
Source: | String found in binary or memory: |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: |
Source: | Process created: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Key value queried: |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Code function: | 4_2_004B8370 |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Code function: | 4_2_004BB171 | |
Source: | Code function: | 4_2_6C360E46 | |
Source: | Code function: | 4_2_6C3C0FCF | |
Source: | Code function: | 4_2_6C37B19B | |
Source: | Code function: | 4_2_6C36D180 | |
Source: | Code function: | 4_2_6C36D19A | |
Source: | Code function: | 4_2_6C354FA7 | |
Source: | Code function: | 4_2_6C3555D7 | |
Source: | Code function: | 4_2_6C35285B | |
Source: | Code function: | 4_2_6C3BF741 | |
Source: | Code function: | 4_2_6C354FA7 | |
Source: | Code function: | 4_2_6C3BF741 | |
Source: | Code function: | 4_2_6C340A44 | |
Source: | Code function: | 4_2_6C3C0B12 | |
Source: | Code function: | 4_2_6C3C0B12 | |
Source: | Code function: | 4_2_6C342AFC | |
Source: | Code function: | 4_2_6C3C0B12 | |
Source: | Code function: | 4_2_6C36A59D | |
Source: | Code function: | 4_2_6C34448D | |
Source: | Code function: | 4_2_6C3809D2 | |
Source: | Code function: | 4_2_6C3544C1 | |
Source: | Code function: | 4_2_6C338498 | |
Source: | Code function: | 4_2_6C352505 | |
Source: | Code function: | 4_2_6C352505 | |
Source: | Code function: | 4_2_6C3565D8 | |
Source: | Code function: | 4_2_6C3545EB | |
Source: | Code function: | 4_2_6C33667B | |
Source: | Code function: | 4_2_6C34467D | |
Source: | Code function: | 4_2_6C352742 | |
Source: | Code function: | 4_2_6C3BF741 | |
Source: | Code function: | 4_2_6C3583DF |
Source: | File created: |
Source: | File created: |
Boot Survival |
---|
Source: | Process created: |
Source: | Process information set: |
Source: | Process information set: |
Malware Analysis System Evasion |
---|
Source: | Evasive API call chain: | graph_4-163233 |
Source: | Stalling execution: | graph_4-163234 |
Source: | Registry key queried: |
Source: | Window / User API: |
Source: | API coverage: |
Source: | Thread sleep time: |
Source: | Thread sleep count: |
Source: | Thread sleep time: |
Source: | Last function: | ||
Source: | Last function: | ||
Source: | Last function: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Code function: | 4_2_004B8370 |
Source: | Code function: | 4_2_004B117C | |
Source: | Code function: | 4_2_004B1170 | |
Source: | Code function: | 4_2_004B13D1 | |
Source: | Code function: | 4_2_004B11B3 |
Source: | Process created: |
Source: | Process created: |
Source: | Code function: | 4_2_6C374010 |
Source: | Registry key value queried: |
Source: | Key value queried: |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | File source: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 Scheduled Task/Job | 11 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 11 Security Software Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 2 Virtualization/Sandbox Evasion | LSASS Memory | 2 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 2 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | 11 Native API | Logon Script (Windows) | 1 DLL Side-Loading | 11 Process Injection | Security Account Manager | 1 Application Window Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 112 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 3 Obfuscated Files or Information | LSA Secrets | 22 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
42% | ReversingLabs | Win32.Trojan.CryptBot |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
twelvevh12pt.top | 185.244.181.140 | true | true | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
| true | | unknown |
| true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
185.244.181.140 | twelvevh12pt.top | Russian Federation | 44901 | BELCLOUDBG | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1520814 |
Start date and time: | 2024-09-28 00:08:09 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 7m 23s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 10 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | Set-up.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@8/2@1/1 |
EGA Information: |
HCA Information: |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- VT rate limit hit for: Set-up.exe
Time | Type | Description |
---|---|---|
18:09:08 | API Interceptor | |
18:10:32 | API Interceptor | |
23:10:00 | Task Scheduler |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
185.244.181.140 | | | malicious | Clipboard Hijacker, Cryptbot | | |
| | | malicious | Clipboard Hijacker, Cryptbot | | |
| | | malicious | Clipboard Hijacker, Cryptbot | | |
| | | malicious | Clipboard Hijacker, Cryptbot | | |
| | | malicious | Clipboard Hijacker, Cryptbot | | |
| | | malicious | Clipboard Hijacker, Cryptbot | | |
| | | malicious | Clipboard Hijacker, Cryptbot | | |
| | | malicious | Clipboard Hijacker, Cryptbot | | |
| | | malicious | Clipboard Hijacker, Cryptbot | | |
| | | malicious | Clipboard Hijacker, Cryptbot | | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
twelvevh12pt.top | | | malicious | Clipboard Hijacker, Cryptbot | | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
BELCLOUDBG | | | malicious | Clipboard Hijacker, Cryptbot | | |
| | | malicious | Clipboard Hijacker, Cryptbot | | |
| | | malicious | Clipboard Hijacker, Cryptbot | | |
| | | malicious | Clipboard Hijacker, Cryptbot | | |
| | | malicious | Unknown | | |
| | | malicious | Clipboard Hijacker, Cryptbot | | |
| | | malicious | Unknown | | |
| | | malicious | Clipboard Hijacker, Cryptbot | | |
| | | malicious | Clipboard Hijacker, Cryptbot | | |
| | | malicious | Clipboard Hijacker, Cryptbot | | |
Process: | C:\Users\user\Desktop\Set-up.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 315771904 |
Entropy (8bit): | 0.05300296695813313 |
Encrypted: | false |
SSDEEP: | 24576:rvFnL2romyzEHeDRuO1Q1tc5P3mt/a+qqMOO:rvI+DRuOOEy/a+q |
MD5: | 3DA963ED83B031CED52EB474AB2E3C09 |
SHA1: | ACBAC9D33F145A985AD9B1269431A9C9F405A300 |
SHA-256: | 14279D900A6D1BA0B98F2C41453FE6A2605B6F019D5C76D6F520E4CAFC276B17 |
SHA-512: | 8939A09142B4EE3364D6EEBC053D9FCA3D0E7A241AA23BDBB2533492D7257227BEA5BB0263B407A0104D0C1961483F3D9DDD57F2D39511553DCB59245138DC0B |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\Set-up.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 314613760 |
Entropy (8bit): | 0.0021512794930136233 |
Encrypted: | false |
SSDEEP: | |
MD5: | 62CC0B5676AC91389084FEE3D683DC68 |
SHA1: | 1B4305F2E2D7950C0363739AA80C919841B16D20 |
SHA-256: | F743296CF48577C3F6EBE023B3A8B1613E902D248160F71E998B503B0318097F |
SHA-512: | A05E4F907A92A3DD1429F0644ACA160134C558346B625B828BCCB5731CAAB0BE263E15468DD8DA2EF713E33A54C16170B63580CD57A93137E1596D0D7ADCB3AA |
Malicious: | true |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 6.6236305211780095 |
TrID: |
File name: | Set-up.exe |
File size: | 6'614'719 bytes |
MD5: | ff8b81c5bdbb09987a4ed216ae0010c2 |
SHA1: | 1d5edf417a676e8e04a69dd94dac6a2a934cdfa6 |
SHA256: | d6a055bee4a39f5879ff522099df86cd0a0001228cac589b3f07449a5a822fef |
SHA512: | 9bad1fed2170e923e65f57e8ccbbfbe33fd8f01423469fa8e3d7a4c93c8c97fb84ea98df33901a11fdf8915dc7d9955046faf5c4f9ccf38d8606ccc2b91615fe |
SSDEEP: | 49152:4pVubXslypSy5wT96CHhbhiwOfHLaorKt5LJ8Vx2jaV9hIaDzNZMV/tIsQ:/jazH7iwOf/rKt38VC49hIMrMH5Q |
TLSH: | 5B66283B9A4355C8C13AB57ADC827F3FF8186AE443E9892B6C0508FCA755791E86D313 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..^..&.........#.fG...Y...f...........G...@...................................e....... .........................B.. |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x4014b0 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | |
Time Stamp: | 0x66F6DB9A [Fri Sep 27 16:21:46 2024 UTC] |
TLS Callbacks: | 0x868fc0, 0x868f70 |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 92a00f4d0a4448266e9c638fdb1341b9 |
Instruction |
---|
mov dword ptr [00F2B34Ch], 00000001h |
jmp 00007FD3E4BBCDD6h |
nop |
mov dword ptr [00F2B34Ch], 00000000h |
jmp 00007FD3E4BBCDC6h |
nop |
sub esp, 1Ch |
mov eax, dword ptr [esp+20h] |
mov dword ptr [esp], eax |
call 00007FD3E503226Eh |
test eax, eax |
sete al |
add esp, 1Ch |
movzx eax, al |
neg eax |
ret |
nop |
nop |
nop |
push ebp |
mov ebp, esp |
push edi |
push esi |
push ebx |
sub esp, 1Ch |
mov dword ptr [esp], 0087A000h |
call dword ptr [00F2D1F0h] |
sub esp, 04h |
test eax, eax |
je 00007FD3E4BBD195h |
mov ebx, eax |
mov dword ptr [esp], 0087A000h |
call dword ptr [00F2D210h] |
mov edi, dword ptr [00F2D1F8h] |
sub esp, 04h |
mov dword ptr [008BF028h], eax |
mov dword ptr [esp+04h], 0087A013h |
mov dword ptr [esp], ebx |
call edi |
sub esp, 08h |
mov esi, eax |
mov dword ptr [esp+04h], 0087A029h |
mov dword ptr [esp], ebx |
call edi |
mov dword ptr [00878004h], eax |
sub esp, 08h |
test esi, esi |
je 00007FD3E4BBD133h |
mov dword ptr [esp+04h], 008BF02Ch |
mov dword ptr [esp], 00884000h |
call esi |
mov dword ptr [esp], 004015A0h |
call 00007FD3E4BBD083h |
lea esp, dword ptr [ebp-0Ch] |
pop ebx |
pop esi |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb2c000 | 0x42 | .edata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb2d000 | 0x9e4 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb30000 | 0xdfe28 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x4829f4 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0xb2d1e0 | 0x190 | .idata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x4764a4 | 0x476600 | c5007517b2a111f1b6215df95d541e9e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.data | 0x478000 | 0x1708 | 0x1800 | 2f895630c6e8a3f54079d53c7db88431 | False | 0.6139322916666666 | dBase III DBT, version number 0, next free block index 10, 1st item "}\212A" | 5.684371285661909 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0x47a000 | 0x9c18 | 0x9e00 | e6538e7ad2d6bc0f8089b04602d659f5 | False | 0.372206289556962 | data | 4.360263309483147 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
/4 | 0x484000 | 0x3aa5c | 0x3ac00 | 882a17157402d7201a35321e395be61b | False | 0.2441156914893617 | data | 5.087938296942671 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
.bss | 0x4bf000 | 0x66ce54 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.edata | 0xb2c000 | 0x42 | 0x200 | 87a5e2519f843965227ee5f3c8599c81 | False | 0.123046875 | data | 0.7233135926899718 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
.idata | 0xb2d000 | 0x9e4 | 0xa00 | 07759335905d0c4cf96824b7fb4353c8 | False | 0.4296875 | data | 5.144871576549617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.CRT | 0xb2e000 | 0x34 | 0x200 | bc151dc2cece8ca6c75d536b3276281c | False | 0.0703125 | Matlab v4 mat-file (little endian) P\217\206, numeric, rows 4198704, columns 0 | 0.27892677800628285 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.tls | 0xb2f000 | 0x8 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.reloc | 0xb30000 | 0xdfe28 | 0xe0000 | bc79fb7113991d3c8d2c806164250269 | False | 0.046024867466517856 | data | 6.841583720841163 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
/14 | 0xc10000 | 0x690 | 0x800 | 7ad7f16fcd6c5ff774fcdcf49b733ca0 | False | 0.26513671875 | Matlab v4 mat-file (little endian) \355\004, rows 2, columns 262144 | 2.169293257842307 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
/29 | 0xc11000 | 0x1a7c4 | 0x1a800 | dcde74953af45acc7cab073a1f49bb89 | False | 0.4239018278301887 | data | 6.076839380462319 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
/41 | 0xc2c000 | 0x4c58 | 0x4e00 | c272f07e704eb90e2b6c4c9bad844e11 | False | 0.1761318108974359 | data | 4.711442500030027 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
/55 | 0xc31000 | 0xe342 | 0xe400 | ba9609b0acef1481719bb4e00f4bef84 | False | 0.47640830592105265 | data | 5.285114187967561 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
/67 | 0xc40000 | 0x1d54 | 0x1e00 | 51c0f44ac1c43c82112ef18aecdf7783 | False | 0.334375 | data | 4.878570677353131 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
/80 | 0xc42000 | 0x961 | 0xa00 | 9109961d3d1231997c8aa80b9ef91e44 | False | 0.381640625 | data | 4.6390012281106685 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
/91 | 0xc43000 | 0x18b05 | 0x18c00 | 3b5f4e3673df00d43d032639a56fe615 | False | 0.3387192234848485 | data | 4.160374229151645 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
/102 | 0xc5c000 | 0x11c0 | 0x1200 | acb9037b7b793eae32ab82637f1d257e | False | 0.3736979166666667 | Matlab v4 mat-file (little endian) \360, rows 16, columns 19, imaginary | 3.383708098291067 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
DLL | Import |
---|---|
KERNEL32.dll | DeleteCriticalSection, EnterCriticalSection, FreeLibrary, GetLastError, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetStartupInfoA, GetTempPathA, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, MultiByteToWideChar, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery, WideCharToMultiByte, lstrlenA |
msvcrt.dll | __getmainargs, __initenv, __lconv_init, __mb_cur_max, __p__acmdln, __p__commode, __p__fmode, __set_app_type, __setusermatherr, _amsg_exit, _assert, _cexit, _errno, _chsize, _filelengthi64, _fileno, _initterm, _iob, _lock, _onexit, _unlock, abort, atoi, calloc, exit, fclose, fflush, fgetpos, fopen, fputc, fread, free, freopen, fsetpos, fwrite, getc, islower, isspace, isupper, isxdigit, localeconv, malloc, memcmp, memcpy, memmove, memset, mktime, localtime, difftime, _mkdir, perror, puts, realloc, remove, setlocale, signal, strchr, strcmp, strcpy, strerror, strlen, strncmp, strncpy, strtol, strtoul, tolower, ungetc, vfprintf, time, wcslen, wcstombs, _stat, _utime, _fileno, _chmod |
SHELL32.dll | ShellExecuteA |
Name | Ordinal | Address |
---|---|---|
main | 1 | 0x4b6602 |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-09-28T00:09:09.374047+0200 | 2054350 | ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 | 1 | 192.168.2.4 | 49730 | 185.244.181.140 | 80 | TCP |
2024-09-28T00:09:12.931853+0200 | 2054350 | ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 | 1 | 192.168.2.4 | 49731 | 185.244.181.140 | 80 | TCP |
2024-09-28T00:09:18.000992+0200 | 2054350 | ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 | 1 | 192.168.2.4 | 49733 | 185.244.181.140 | 80 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 28, 2024 00:09:08.680787086 CEST | 49730 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:08.685847044 CEST | 80 | 49730 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:08.685935020 CEST | 49730 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:08.686074972 CEST | 49730 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:08.686099052 CEST | 49730 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:08.690963984 CEST | 80 | 49730 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:08.691008091 CEST | 80 | 49730 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:09.373891115 CEST | 80 | 49730 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:09.374047041 CEST | 80 | 49730 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:09.374047041 CEST | 49730 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:09.374105930 CEST | 49730 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:09.379664898 CEST | 80 | 49730 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:12.870305061 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:12.875617981 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:12.875727892 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:12.875874043 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:12.875936985 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:12.881803036 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:12.881851912 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:12.881860018 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:12.881885052 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:12.881900072 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:12.881912947 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:12.881942034 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:12.881951094 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:12.881990910 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:12.882019043 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:12.882038116 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:12.882046938 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:12.882066011 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:12.882074118 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:12.882092953 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:12.882102013 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:12.882122993 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:12.882158995 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:12.886945963 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:12.887003899 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:12.887624025 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:12.887680054 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:12.887866974 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:12.887893915 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:12.887922049 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:12.887923002 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:12.887943029 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:12.887969971 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:12.887970924 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:12.887995958 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:12.888020039 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:12.888031960 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:12.931732893 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:12.931853056 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:12.983730078 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:12.983783960 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:13.035759926 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:13.035823107 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:13.083875895 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:13.083941936 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:13.135771036 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:13.371515036 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:13.958046913 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:13.958233118 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:13.958365917 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:13.958431005 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:13.958625078 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:13.958683968 CEST | 49731 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:13.963378906 CEST | 80 | 49731 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:17.152173996 CEST | 49733 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:17.161010027 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:17.161155939 CEST | 49733 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:17.162060976 CEST | 49733 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:17.162157059 CEST | 49733 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:17.169024944 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:17.169126034 CEST | 49733 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:17.169198036 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:17.169228077 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:17.169255972 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:17.169281960 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:17.169281960 CEST | 49733 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:17.169313908 CEST | 49733 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:17.169320107 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:17.169348001 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:17.169348955 CEST | 49733 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:17.169373989 CEST | 49733 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:17.169393063 CEST | 49733 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:17.169395924 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:17.169444084 CEST | 49733 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:17.169447899 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:17.169492960 CEST | 49733 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:17.173892975 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:17.174431086 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:17.174458027 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:17.174485922 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:17.174535036 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:17.174562931 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:17.174591064 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:17.212182999 CEST | 49733 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:17.218384981 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:18.000324011 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:18.000819921 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
Sep 28, 2024 00:09:18.000992060 CEST | 49733 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:18.008359909 CEST | 49733 | 80 | 192.168.2.4 | 185.244.181.140 |
Sep 28, 2024 00:09:18.013286114 CEST | 80 | 49733 | 185.244.181.140 | 192.168.2.4 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 28, 2024 00:09:08.091965914 CEST | 56988 | 53 | 192.168.2.4 | 1.1.1.1 |
Sep 28, 2024 00:09:08.675534964 CEST | 53 | 56988 | 1.1.1.1 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Sep 28, 2024 00:09:08.091965914 CEST | 192.168.2.4 | 1.1.1.1 | 0xce69 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Sep 28, 2024 00:09:08.675534964 CEST | 1.1.1.1 | 192.168.2.4 | 0xce69 | No error (0) | | | 185.244.181.140 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.4 | 49730 | 185.244.181.140 | 80 | 7328 | C:\Users\user\Desktop\Set-up.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Sep 28, 2024 00:09:08.686074972 CEST | 335 | OUT | |
Sep 28, 2024 00:09:08.686099052 CEST | 413 | OUT | |
Sep 28, 2024 00:09:09.373891115 CEST | 209 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.4 | 49731 | 185.244.181.140 | 80 | 7328 | C:\Users\user\Desktop\Set-up.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Sep 28, 2024 00:09:12.875874043 CEST | 337 | OUT | |
Sep 28, 2024 00:09:12.875936985 CEST | 11124 | OUT | |
Sep 28, 2024 00:09:12.881860018 CEST | 1236 | OUT | |
Sep 28, 2024 00:09:12.881900072 CEST | 2472 | OUT | |
Sep 28, 2024 00:09:12.881942034 CEST | 2472 | OUT | |
Sep 28, 2024 00:09:12.881951094 CEST | 2472 | OUT | |
Sep 28, 2024 00:09:12.882038116 CEST | 2472 | OUT | |
Sep 28, 2024 00:09:12.882066011 CEST | 2472 | OUT | |
Sep 28, 2024 00:09:12.882092953 CEST | 2472 | OUT | |
Sep 28, 2024 00:09:12.882122993 CEST | 2472 | OUT | |
Sep 28, 2024 00:09:12.882158995 CEST | 2472 | OUT | |
Sep 28, 2024 00:09:13.958046913 CEST | 209 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.4 | 49733 | 185.244.181.140 | 80 | 7328 | C:\Users\user\Desktop\Set-up.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Sep 28, 2024 00:09:17.162060976 CEST | 337 | OUT | |
Sep 28, 2024 00:09:17.162157059 CEST | 11124 | OUT | |
Sep 28, 2024 00:09:17.169126034 CEST | 1236 | OUT | |
Sep 28, 2024 00:09:17.169281960 CEST | 4944 | OUT | |
Sep 28, 2024 00:09:17.169313908 CEST | 2472 | OUT | |
Sep 28, 2024 00:09:17.169348955 CEST | 2472 | OUT | |
Sep 28, 2024 00:09:17.169373989 CEST | 2472 | OUT | |
Sep 28, 2024 00:09:17.169393063 CEST | 2472 | OUT | |
Sep 28, 2024 00:09:17.169444084 CEST | 2472 | OUT | |
Sep 28, 2024 00:09:17.169492960 CEST | 2257 | OUT | |
Sep 28, 2024 00:09:17.212182999 CEST | 1236 | OUT | |
Sep 28, 2024 00:09:18.000324011 CEST | 209 | IN | |
Target ID: | 0 |
Start time: | 18:08:58 |
Start date: | 27/09/2024 |
Path: | C:\Users\user\Desktop\Set-up.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 6'614'719 bytes |
MD5 hash: | FF8B81C5BDBB09987A4ED216AE0010C2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | true |
Target ID: | 4 |
Start time: | 18:09:58 |
Start date: | 27/09/2024 |
Path: | C:\Users\user\AppData\Local\Temp\service123.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x4b0000 |
File size: | 314'613'760 bytes |
MD5 hash: | 62CC0B5676AC91389084FEE3D683DC68 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Target ID: | 5 |
Start time: | 18:09:58 |
Start date: | 27/09/2024 |
Path: | C:\Windows\SysWOW64\schtasks.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x130000 |
File size: | 187'904 bytes |
MD5 hash: | 48C2FE20575769DE916F48EF0676A965 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 6 |
Start time: | 18:09:59 |
Start date: | 27/09/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 7 |
Start time: | 18:10:01 |
Start date: | 27/09/2024 |
Path: | C:\Users\user\AppData\Local\Temp\service123.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x4b0000 |
File size: | 314'613'760 bytes |
MD5 hash: | 62CC0B5676AC91389084FEE3D683DC68 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 9 |
Start time: | 18:11:01 |
Start date: | 27/09/2024 |
Path: | C:\Users\user\AppData\Local\Temp\service123.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x4b0000 |
File size: | 314'613'760 bytes |
MD5 hash: | 62CC0B5676AC91389084FEE3D683DC68 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Execution Graph
Execution Coverage: | 0.1% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 42.6% |
Total number of Nodes: | 108 |
Total number of Limit Nodes: | 3 |
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
004B8320 | 22.9 | 5 | 8 | 101 | library, loader, COMMON |
004B8370 | 21.1 | 4 | 8 | 52 | library, loader, COMMON |
6C30AE52 | 15.1 | 10 | | 110 | sleep, clipboard, COMMON |
6C30ADA0 | 8.8 | 4 | 1 | 32 | sleep, synchronization, clipboard, COMMON |
004B12A6 | 5.1 | 4 | | 79 | string, COMMON |
004B13C3 | 5.1 | 4 | | 65 | string, COMMON |
6C2F2390 | 38.0 | 25 | | 466 | COMMON |
6C2FB750 | 37.7 | 25 | | 155 | COMMON |
6C2F285F | 37.6 | 25 | | 112 | COMMON |
6C2F2BD3 | 37.6 | 25 | | 84 | COMMON |
6C2F2AF1 | 37.6 | 25 | | 81 | COMMON |
6C2F29FD | 37.6 | 25 | | 78 | COMMON |
6C2F297F | 37.6 | 25 | | 73 | COMMON |
6C2F29BE | 37.6 | 25 | | 70 | COMMON |
6C2F2B6F | 37.6 | 25 | | 67 | COMMON |
6C2F2A3C | 37.6 | 25 | | 64 | COMMON |
6C2F2B30 | 37.6 | 25 | | 61 | COMMON |
6C2FBA80 | 34.6 | 23 | | 110 | COMMON |
6C2FBBF8 | 34.6 | 23 | | 97 | COMMON |
6C2FBBC4 | 34.6 | 23 | | 63 | COMMON |
6C2FBAD0 | 33.1 | 22 | | 140 | COMMON |
6C2FBDFF | 33.1 | 22 | | 77 | COMMON |
6C2FBB7B | 33.1 | 22 | | 62 | COMMON |
6C2FBED2 | 33.1 | 22 | | 57 | COMMON |
6C2FBD06 | 33.0 | 22 | | 45 | COMMON |
6C2FBC33 | 33.0 | 22 | | 42 | COMMON |
6C2FBC7E | 33.0 | 22 | | 40 | COMMON |
6C2FBC58 | 33.0 | 22 | | 40 | COMMON |
6C2FBC9F | 33.0 | 22 | | 36 | COMMON |
6C2FBCC7 | 33.0 | 22 | | 36 | COMMON |
6C2FBCB5 | 33.0 | 22 | | 35 | COMMON |
6C2FC380 | 28.6 | 19 | | 148 | COMMON |
6C2FD3A0 | 24.1 | 16 | | 105 | COMMON |
6C2FD4C0 | 22.6 | 15 | | 127 | COMMON |
6C300F20 | 22.6 | 8 | 4 | 1586 | string, COMMON |
6C2FFDC0 | 21.7 | 7 | 5 | 659 | string, COMMON |
6C2FD645 | 21.0 | 14 | | 42 | COMMON |
6C2FD6B0 | 19.5 | 13 | | 44 | COMMON |
6C2FD8A0 | 18.1 | 12 | | 126 | COMMON |
6C2FDAF0 | 16.6 | 11 | | 68 | COMMON |
6C2FDB90 | 15.1 | 10 | | 71 | COMMON |
6C374010 | 13.9 | | 11 | 136 | COMMON |
6C2FDEE0 | 12.1 | 8 | | 91 | COMMON |
6C30AF41 | 12.0 | 8 | | 46 | clipboard, memory, string, COMMON |
6C2F9790 | 10.8 | 3 | 4 | 336 | string, COMMON |
6C312910 | 10.7 | 5 | 2 | 214 | string, COMMON |
6C31DCE0 | 10.7 | 5 | 2 | 198 | string, COMMON |
6C320971 | 10.7 | 6 | 1 | 196 | string, COMMON |
6C2FE510 | 10.6 | 7 | | 145 | COMMON |
6C2FE700 | 9.1 | 6 | | 66 | COMMON |
6C308260 | 8.2 | 5 | | 664 | COMMON |
6C2FEE80 | 8.0 | 5 | | 483 | COMMON |
6C305850 | 7.9 | | 6 | 424 | COMMON |
004B3E80 | 7.9 | | 6 | 424 | COMMON |
6C31C540 | 7.6 | 4 | 1 | 119 | string, COMMON |
6C31BF90 | 7.6 | 4 | 1 | 119 | string, COMMON |
6C2FE7B0 | 7.6 | 5 | | 90 | COMMON |
6C2FE8E0 | 6.2 | 4 | | 180 | COMMON |
6C2FEA31 | 6.0 | 4 | | 14 | COMMON |
6C2FEA97 | 6.0 | 4 | | 14 | COMMON |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2FEB80 Relevance: 4.7, APIs: 3, Instructions: 200COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C31C240 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 66stringCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C31BC90 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 66stringCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C31C470 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 61stringCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C31BEC0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 61stringCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2FED09 Relevance: 4.5, APIs: 3, Instructions: 13COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C320A1C Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 39stringCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C320ACC Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 39stringCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C31C5DC Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 39stringCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C31C02C Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 39stringCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2F3580 Relevance: 2.9, Strings: 2, Instructions: 398COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C31E9D0 Relevance: 2.5, Strings: 2, Instructions: 42COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C3127F0 Relevance: 2.5, Strings: 2, Instructions: 42COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C332E93 Relevance: 2.2, APIs: 1, Instructions: 923COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C333C50 Relevance: 2.2, APIs: 1, Instructions: 907COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C3535D0 Relevance: 2.1, Strings: 1, Instructions: 874COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C352870 Relevance: 2.1, Strings: 1, Instructions: 873COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C332245 Relevance: 2.1, APIs: 1, Instructions: 816COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C3BE230 Relevance: 2.0, APIs: 1, Instructions: 487COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C337AB0 Relevance: 1.9, APIs: 1, Instructions: 665COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2F3D20 Relevance: 1.7, Strings: 1, Instructions: 410COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C3AA030 Relevance: 1.6, Strings: 1, Instructions: 392COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C323180 Relevance: 1.6, APIs: 1, Instructions: 357COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C326830 Relevance: 1.6, APIs: 1, Instructions: 354COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C34B850 Relevance: 1.6, APIs: 1, Instructions: 320COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C3038B0 Relevance: 1.5, Strings: 1, Instructions: 233COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C36A5B0 Relevance: 1.4, Strings: 1, Instructions: 123COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C310C40 Relevance: 1.3, Strings: 1, Instructions: 23COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C312340 Relevance: 1.3, Strings: 1, Instructions: 20COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C320B7C Relevance: 1.3, Strings: 1, Instructions: 14COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C31C2DC Relevance: 1.3, Strings: 1, Instructions: 14COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C31BD2C Relevance: 1.3, Strings: 1, Instructions: 14COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C31C50C Relevance: 1.3, Strings: 1, Instructions: 10COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C31C68C Relevance: 1.3, Strings: 1, Instructions: 10COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C31C0DC Relevance: 1.3, Strings: 1, Instructions: 10COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C31BF5C Relevance: 1.3, Strings: 1, Instructions: 10COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C340020 Relevance: .7, Instructions: 670COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C33EB90 Relevance: .7, Instructions: 669COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C3B7520 Relevance: .3, Instructions: 342COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C3B6C50 Relevance: .3, Instructions: 289COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C367B50 Relevance: .2, Instructions: 249COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C33F5A0 Relevance: .2, Instructions: 180COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C340A30 Relevance: .2, Instructions: 178COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C367DE0 Relevance: .2, Instructions: 155COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C366E80 Relevance: .1, Instructions: 120COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C3BAE90 Relevance: .1, Instructions: 118COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C35C2DA Relevance: .1, Instructions: 97COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C348BE0 Relevance: .1, Instructions: 75COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C31F6B0 Relevance: .1, Instructions: 70COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C366FE0 Relevance: .1, Instructions: 67COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C3680C0 Relevance: .1, Instructions: 58COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C35C11A Relevance: .1, Instructions: 54COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C35C11E Relevance: .1, Instructions: 51COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C3598F3 Relevance: .0, Instructions: 50COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C35D67A Relevance: .0, Instructions: 49COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C35D67E Relevance: .0, Instructions: 46COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C30DCA0 Relevance: .0, Instructions: 39COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C3638C0 Relevance: .0, Instructions: 37COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C35C2DE Relevance: .0, Instructions: 33COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C363D10 Relevance: .0, Instructions: 33COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C30C470 Relevance: .0, Instructions: 13COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C30E500 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 130fileCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2FA570 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004B1970 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C30ABD1 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 33libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C319510 Relevance: 13.7, APIs: 6, Strings: 3, Instructions: 243stringCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2F1400 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004B14F0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004B1E20 Relevance: 12.1, APIs: 8, Instructions: 90COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C319880 Relevance: 10.7, APIs: 6, Strings: 1, Instructions: 185stringCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2FE300 Relevance: 10.6, APIs: 7, Instructions: 120synchronizationCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004B8000 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C30ACC1 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C30C310 Relevance: 9.2, APIs: 6, Instructions: 153COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2F1020 Relevance: 9.1, APIs: 6, Instructions: 108sleepCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C3141B0 Relevance: 9.0, APIs: 6, Instructions: 50stringCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C313F10 Relevance: 9.0, APIs: 6, Instructions: 49stringCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2F9B53 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 177stringCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2F9B0B Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 172stringCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C3B1C60 Relevance: 7.6, APIs: 5, Instructions: 78stringCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C3B1D80 Relevance: 7.6, APIs: 5, Instructions: 75stringCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C3B1EA0 Relevance: 7.6, APIs: 5, Instructions: 71stringCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C3B28D0 Relevance: 7.6, APIs: 5, Instructions: 64stringCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C30A840 Relevance: 7.6, APIs: 5, Instructions: 61COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C30FEE0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63stringCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C30AC78 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19stringCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004B7FB8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19stringCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C30AC23 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C301D23 Relevance: 6.4, APIs: 4, Instructions: 415COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2FA220 Relevance: 6.3, APIs: 5, Instructions: 98stringCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C301C18 Relevance: 6.3, APIs: 4, Instructions: 276COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C30A470 Relevance: 6.1, APIs: 4, Instructions: 102COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004B78E0 Relevance: 6.1, APIs: 4, Instructions: 102COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C320D70 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 88stringCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004B1001 Relevance: 6.1, APIs: 4, Instructions: 60COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C3804B0 Relevance: 5.4, APIs: 4, Instructions: 412stringCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C37FC30 Relevance: 5.4, APIs: 4, Instructions: 412stringCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C37EA70 Relevance: 5.4, APIs: 4, Instructions: 391stringCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C37F350 Relevance: 5.4, APIs: 4, Instructions: 391stringCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C309230 Relevance: 5.1, APIs: 4, Instructions: 55sleepCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004B69E0 Relevance: 5.1, APIs: 4, Instructions: 55sleepCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2FA9B0 Relevance: 5.0, APIs: 4, Instructions: 39COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004B1FD0 Relevance: 5.0, APIs: 4, Instructions: 39COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|