Windows
Analysis Report
https://maninhocontabilidade.com.br/pop/Webmail-iinet.zip
Overview
General Information
Detection
Score: | 48 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- cmd.exe (PID: 6824 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://maninhocontabilidade.com.br/pop/Webmail-iinet.zip" > cmdline.out 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - conhost.exe (PID: 6860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - wget.exe (PID: 4180 cmdline: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://maninhocontabilidade.com.br/pop/Webmail-iinet.zip" MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
- 7za.exe (PID: 2108 cmdline: 7za x -y -pinfected -o"C:\Users\user\Desktop\extract" "C:\Users\user\Desktop\download\Webmail-iinet.zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
  - conhost.exe (PID: 5472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- unarchiver.exe (PID: 5084 cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\download\Webmail-iinet.zip" MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)
  - 7za.exe (PID: 1704 cmdline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\nwe5galq.xcu" "C:\Users\user\Desktop\download\Webmail-iinet.zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
  - conhost.exe (PID: 5296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_HtmlPhish_10 | Yara detected HtmlPhish_10 | Joe Security | |
| JoeSecurity_HtmlPhish_10 | Yara detected HtmlPhish_10 | Joe Security | |
Source: | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: |
Phishing |
---|
Source: | File source: |
Source: | File source: |
Source: | File opened: |
Source: | HTTPS traffic detected: |
Source: | HTTPS traffic detected: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: |
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | Network traffic detected: |
Source: | Network traffic detected: |
Source: | Network traffic detected: |
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: |
Source: | HTTPS traffic detected: |
Source: | Classification label: |
Source: | File created: |
Source: | Mutant created: |
Source: | Mutant created: |
Source: | Mutant created: |
Source: | Mutant created: |
Source: | File created: |
Source: | Key opened: |
Source: | Process created: |
Source: | Process created: |
Source: | Process created: |
Source: | Process created: |
Source: | Process created: |
Source: | Process created: |
Source: | Process created: |
Source: | Process created: |
Source: | Process created: |
Source: | Process created: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Key value queried: |
Source: | Window detected: |
Source: | File opened: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Memory allocated: |
Source: | Memory allocated: |
Source: | Memory allocated: |
Source: | Thread delayed: |
Source: | Thread sleep time: |
Source: | Last function: |
Source: | Last function: |
Source: | Code function: | 6_2_00D4B1D6 |
Source: | Thread delayed: |
Source: | Binary or memory string: |
Source: | Memory allocated: |
Source: | Process created: |
Source: | Process created: |
Source: | Queries volume information: |
Source: | Queries volume information: |
Source: | Key value queried: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 32 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 32 Virtualization/Sandbox Evasion | Security Account Manager | 13 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | 1 Ingress Tool Transfer | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | Virustotal | | Browse |
| 0% | Virustotal | | Browse |
| 0% | Virustotal | | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | Virustotal | | Browse |
| 0% | Virustotal | | Browse |
| 0% | Virustotal | | Browse |
| 0% | Virustotal | | Browse |
| 0% | Virustotal | | Browse |
| 0% | Virustotal | | Browse |
| 0% | Virustotal | | Browse |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | unknown |
maninhocontabilidade.com.br | 191.37.38.39 | true | false | | unknown |
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| false | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
191.37.38.39 | maninhocontabilidade.com.br | Brazil | | 263347 | CEDNETPROVEDORINTERNETBR | false |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1523880 |
Start date and time: | 2024-10-02 06:34:42 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 2m 0s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | urldownload.jbs |
Sample URL: | https://maninhocontabilidade.com.br/pop/Webmail-iinet.zip |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 9 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal48.phis.win@10/18@2/1 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): dllhost.exe
- Excluded IPs from analysis (whitelisted): 4.245.163.56, 52.165.164.15
- Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
C:\Users\user\AppData\Local\Temp\nwe5galq.xcu\Webmail-iinet\css\app-059cd76ea4a5433e14ff6151a432ee48.css
Process: | C:\Windows\SysWOW64\7za.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 226191 |
Entropy (8bit): | 5.170931573371693 |
Encrypted: | false |
SSDEEP: | 6144:NfSCmdDzfyt+dDzf6lS+vRnNEyIYQE0d+wlK0X0k7lyKe4VyfcH:NfSCmdDzfyMdDzf6hvRnNEyIYQE0d+w9 |
MD5: | 059CD76EA4A5433E14FF6151A432EE48 |
SHA1: | C886FE4CA2649B2FC7F917A936901BBF806D47C7 |
SHA-256: | F111F6F660B6F2759FC036A25681BBFF08811ED1EF2A0C9B436191B52539A4D3 |
SHA-512: | 305F4ADF9F4A009529FC3B149CBB3DC18D7B69F95AD024F793C3C98C49D55C3245D5C8DB85D93DD2691B9FD873884B76035E804166387432D3075FA60165CC90 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Temp\nwe5galq.xcu\Webmail-iinet\css\cb3cc3fa3480964080588c52478ae092-login.png
Process: | C:\Windows\SysWOW64\7za.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 73869 |
Entropy (8bit): | 7.986259137032153 |
Encrypted: | false |
SSDEEP: | 1536:UAZ8jV8xF1pkc8mRr5wlHxZmfn6Xo4dl2qlwZ2KpxAt0Ok2tQ16Wzoo:zZIV8xPpRFwRZm/Odr6XpCtqVtD |
MD5: | 9DA0C8CB46C052736D2AB7868AD46A93 |
SHA1: | 9B1D2A89EEC68C5D9F857D7FBD28886A1770BFEE |
SHA-256: | 13C4D0269B4149CED9162B84892CDDA75F469F45E24052F8FD047D7E6DDFD74E |
SHA-512: | 07D1F9FBB19285FD001D24885FE0016E66D5B11261DED1CAC9DFFD35FAB0668F50DF1DD388C2CE0EC21479C12BA6FA4A9FCCD5C111611D3099074843D18CEBCE |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\7za.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 94 |
Entropy (8bit): | 4.843226921458293 |
Encrypted: | false |
SSDEEP: | 3:JZtEzHLGCIE2KHedySLIVY:dEzHLVIqSLIe |
MD5: | 69BFECCE7D4C8696C17087D376E11FDB |
SHA1: | 0B5CB177D0977D181090A1C5E46AF6335E703C06 |
SHA-256: | 1F2A3FCDFCC879EC238546E84C1D9A1B455C724CE85C1310D281EC810FCA433E |
SHA-512: | D9F158F96FABE511742045755E4180D38A4D323D010EEAA1C9BB81B0CF2505593A65A39FCDB1802C1AB66D9109B2F064751D76D0147556BB4206B60AFC890016 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\7za.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 7111 |
Entropy (8bit): | 7.559608060506345 |
Encrypted: | false |
SSDEEP: | 192:RLOG++/tXf4KN42CRTO0cvATCUe82UHLOGB:9OG+8Pa2CRTO0fRp2UHLOGB |
MD5: | 8D68F26A48057C3A61870C43CFC86F54 |
SHA1: | FFF9EC6159F2FDF21F2DE1F519746AC8E90B01CA |
SHA-256: | 7A79F28CB73F4C9AE72A306925718313360C8E628A2C08AE85CE1762CC752282 |
SHA-512: | F9FC997E27808510441D729F246DF53A4CC2ACD79A33B2589AF14FB41D9AB4A5E4E684F4D3A3AA05D51BEEBC61C85ABDE7B62954008F40D9AAFACD0615D43CD9 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\7za.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 29981 |
Entropy (8bit): | 7.978588134614221 |
Encrypted: | false |
SSDEEP: | 768:hRTBV2bfxVZQTJeCn+iJKDulQT7rwINswPRs23:hZTExvwTnbgulu/3 |
MD5: | 713A50170266749ED63B48014015E845 |
SHA1: | 052AA58A4F7FCEDA80AB7C9324F3C3455E357932 |
SHA-256: | 55622C1F5A7E3DCA7070BDDB0FA4F7CE6A926FC4D584A2EEC5FF43D894AB48AF |
SHA-512: | 7357704FD9952C01500EEE7AA282969C51F92082CE4133ACF725EAEB7F24CCD511EC199031CBFD65BB1F5BF73C720F9E9A7186FA01F8E71F7832745A74D783F8 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\7za.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 34446 |
Entropy (8bit): | 5.206104283504241 |
Encrypted: | false |
SSDEEP: | 768:c8jqyTo3u/dwLLHwl7yrCwGFTlikG8o6XvdUCpcnxi1:zjBc3ywLLHwl7yrR2TliCoyvd0+ |
MD5: | 235CD965BF540FC8E08FE6CCD3DCD57D |
SHA1: | 3D512A98C6DBFB23A4EBCEE7681D129B9D3FA3DA |
SHA-256: | 4087CCD33D029BBE65EB06C3B15CFA5C184919EA8639B2F3DF5CF6A4BC942A26 |
SHA-512: | C8F98F6D13C141F8110EC85454C5AD9E34AF1FDF0DC4158421F6915EC36249166D7C4074E3467B135025024D6BB1A0A212D7BE3BF2C97A4D2127CACED0C757BD |
Malicious: | true |
Yara Hits: | |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\7za.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1091 |
Entropy (8bit): | 5.130575721157786 |
Encrypted: | false |
SSDEEP: | 24:lhP/XC2WkYFKgG0JN77gVB91mZgATV14g+IDV:lhPfvfdokKVsi |
MD5: | D7DA5B7BEA5E2423ED2BFE3A508C1B3A |
SHA1: | 380E84DF4B63891D66D09490229F8A01545AC5D8 |
SHA-256: | 52EAE2164AACE96AD5E190C24281A1B79930B3507204A32DC6E8E2FE22FF7682 |
SHA-512: | 1E19DD788FC7C3A7E7D5FD2F1F40BCDB1369A4D622AEC5B689F84C00A2BE4C00C49AA54671CCA7DA08C1452A1B63F589716497FC1B53B66B0F84630C03FAF63F |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\unarchiver.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2032 |
Entropy (8bit): | 5.211487300056362 |
Encrypted: | false |
SSDEEP: | 48:CWGQchGthGbthGthGp/hGqZkhGthGp0hGbLhGPhGVhGUhGthGohGthGQhG3hGAhR:+YnpQ/v7 |
MD5: | F60F385B5FD9F82B9B8281CED6E8D0D9 |
SHA1: | 55602538758450D3EA35FC8E2BC16D441F293A15 |
SHA-256: | 77A4CC5CA3544011F034465C845E5E10E672A4FED8C4B70AF1409FB310FD8D1B |
SHA-512: | CF41DD59C92A8ABF4ECB0A1B62E246DDEA44FE436DD0DA1527D86B8AAE502724081C82EE49D18032D501E20DDA707DD276FD79AE7F203B67FB6483F236680306 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | modified |
Size (bytes): | 1432 |
Entropy (8bit): | 4.97037621590896 |
Encrypted: | false |
SSDEEP: | 24:xP/8mwWXWhxePgwUbHoRQ/y8m2E398XWhxePjJbUbHMV6C2fIvKbHZ:SWXWhGUbIRCFe3UWhadUbsMfgvKb5 |
MD5: | 3AFC337159C3ED7514DEC9B665EFDBEB |
SHA1: | 31D65F66616A75BE5E33E74DB65160031EAA8874 |
SHA-256: | C899EAEE1CBC923FB45B989DDAFDC4AEE0195DE48DA18BC06930E42840FE99CD |
SHA-512: | 860013803A3B0783383B07C5B22AF95934C6618C229A027A07830D50198005D9D9C21D6A1D3D8BC6EDD01F117B88C7FAEA6E8124711B285835EB896C5045F45F |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\wget.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 156013 |
Entropy (8bit): | 7.99610269325873 |
Encrypted: | true |
SSDEEP: | 3072:LfBskiW7AxKVXWxFFwRZm/idr6Xp5ViRxuu0sJVaoz8WhRF/yq5SBRmKLs:jB/VXW/FwGaCieu0s/aoIWhrD5SnLs |
MD5: | 05D45851016732596BB76FC852928AA5 |
SHA1: | 1715020D7B5BB7EFCC929A99ABA8B7F7B9F8F70A |
SHA-256: | 095FDD7E03075B4FFCA7F3BDFD516E51FD5FFAC25A274C74F9DEEB11C39FFCF1 |
SHA-512: | 466E24182CE94F04EEA971C4F6338DB841F937D9BE1D2F8E3A3B3F338E7C3E553F383074C8CF11122ED8E92A5660D3F3DDBC90712E9A3C360C81778684E9097E |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\Desktop\extract\Webmail-iinet\css\app-059cd76ea4a5433e14ff6151a432ee48.css
Process: | C:\Windows\SysWOW64\7za.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 226191 |
Entropy (8bit): | 5.170931573371693 |
Encrypted: | false |
SSDEEP: | 6144:NfSCmdDzfyt+dDzf6lS+vRnNEyIYQE0d+wlK0X0k7lyKe4VyfcH:NfSCmdDzfyMdDzf6hvRnNEyIYQE0d+w9 |
MD5: | 059CD76EA4A5433E14FF6151A432EE48 |
SHA1: | C886FE4CA2649B2FC7F917A936901BBF806D47C7 |
SHA-256: | F111F6F660B6F2759FC036A25681BBFF08811ED1EF2A0C9B436191B52539A4D3 |
SHA-512: | 305F4ADF9F4A009529FC3B149CBB3DC18D7B69F95AD024F793C3C98C49D55C3245D5C8DB85D93DD2691B9FD873884B76035E804166387432D3075FA60165CC90 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\Desktop\extract\Webmail-iinet\css\cb3cc3fa3480964080588c52478ae092-login.png
Process: | C:\Windows\SysWOW64\7za.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 73869 |
Entropy (8bit): | 7.986259137032153 |
Encrypted: | false |
SSDEEP: | 1536:UAZ8jV8xF1pkc8mRr5wlHxZmfn6Xo4dl2qlwZ2KpxAt0Ok2tQ16Wzoo:zZIV8xPpRFwRZm/Odr6XpCtqVtD |
MD5: | 9DA0C8CB46C052736D2AB7868AD46A93 |
SHA1: | 9B1D2A89EEC68C5D9F857D7FBD28886A1770BFEE |
SHA-256: | 13C4D0269B4149CED9162B84892CDDA75F469F45E24052F8FD047D7E6DDFD74E |
SHA-512: | 07D1F9FBB19285FD001D24885FE0016E66D5B11261DED1CAC9DFFD35FAB0668F50DF1DD388C2CE0EC21479C12BA6FA4A9FCCD5C111611D3099074843D18CEBCE |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\7za.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 94 |
Entropy (8bit): | 4.843226921458293 |
Encrypted: | false |
SSDEEP: | 3:JZtEzHLGCIE2KHedySLIVY:dEzHLVIqSLIe |
MD5: | 69BFECCE7D4C8696C17087D376E11FDB |
SHA1: | 0B5CB177D0977D181090A1C5E46AF6335E703C06 |
SHA-256: | 1F2A3FCDFCC879EC238546E84C1D9A1B455C724CE85C1310D281EC810FCA433E |
SHA-512: | D9F158F96FABE511742045755E4180D38A4D323D010EEAA1C9BB81B0CF2505593A65A39FCDB1802C1AB66D9109B2F064751D76D0147556BB4206B60AFC890016 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\7za.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 7111 |
Entropy (8bit): | 7.559608060506345 |
Encrypted: | false |
SSDEEP: | 192:RLOG++/tXf4KN42CRTO0cvATCUe82UHLOGB:9OG+8Pa2CRTO0fRp2UHLOGB |
MD5: | 8D68F26A48057C3A61870C43CFC86F54 |
SHA1: | FFF9EC6159F2FDF21F2DE1F519746AC8E90B01CA |
SHA-256: | 7A79F28CB73F4C9AE72A306925718313360C8E628A2C08AE85CE1762CC752282 |
SHA-512: | F9FC997E27808510441D729F246DF53A4CC2ACD79A33B2589AF14FB41D9AB4A5E4E684F4D3A3AA05D51BEEBC61C85ABDE7B62954008F40D9AAFACD0615D43CD9 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\7za.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 29981 |
Entropy (8bit): | 7.978588134614221 |
Encrypted: | false |
SSDEEP: | 768:hRTBV2bfxVZQTJeCn+iJKDulQT7rwINswPRs23:hZTExvwTnbgulu/3 |
MD5: | 713A50170266749ED63B48014015E845 |
SHA1: | 052AA58A4F7FCEDA80AB7C9324F3C3455E357932 |
SHA-256: | 55622C1F5A7E3DCA7070BDDB0FA4F7CE6A926FC4D584A2EEC5FF43D894AB48AF |
SHA-512: | 7357704FD9952C01500EEE7AA282969C51F92082CE4133ACF725EAEB7F24CCD511EC199031CBFD65BB1F5BF73C720F9E9A7186FA01F8E71F7832745A74D783F8 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\7za.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 34446 |
Entropy (8bit): | 5.206104283504241 |
Encrypted: | false |
SSDEEP: | 768:c8jqyTo3u/dwLLHwl7yrCwGFTlikG8o6XvdUCpcnxi1:zjBc3ywLLHwl7yrR2TliCoyvd0+ |
MD5: | 235CD965BF540FC8E08FE6CCD3DCD57D |
SHA1: | 3D512A98C6DBFB23A4EBCEE7681D129B9D3FA3DA |
SHA-256: | 4087CCD33D029BBE65EB06C3B15CFA5C184919EA8639B2F3DF5CF6A4BC942A26 |
SHA-512: | C8F98F6D13C141F8110EC85454C5AD9E34AF1FDF0DC4158421F6915EC36249166D7C4074E3467B135025024D6BB1A0A212D7BE3BF2C97A4D2127CACED0C757BD |
Malicious: | true |
Yara Hits: | |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\7za.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1091 |
Entropy (8bit): | 5.130575721157786 |
Encrypted: | false |
SSDEEP: | 24:lhP/XC2WkYFKgG0JN77gVB91mZgATV14g+IDV:lhPfvfdokKVsi |
MD5: | D7DA5B7BEA5E2423ED2BFE3A508C1B3A |
SHA1: | 380E84DF4B63891D66D09490229F8A01545AC5D8 |
SHA-256: | 52EAE2164AACE96AD5E190C24281A1B79930B3507204A32DC6E8E2FE22FF7682 |
SHA-512: | 1E19DD788FC7C3A7E7D5FD2F1F40BCDB1369A4D622AEC5B689F84C00A2BE4C00C49AA54671CCA7DA08C1452A1B63F589716497FC1B53B66B0F84630C03FAF63F |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\7za.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 491 |
Entropy (8bit): | 5.051940482075793 |
Encrypted: | false |
SSDEEP: | 12:pMd1DiIiRwshIvyTAhOLuFyYhOL0+JAIkz1GNqY6:piWI4wshKyTAhkuThk0+JAIFm |
MD5: | EA2E379093E36440B10EB3EE013EACC9 |
SHA1: | 975853F8D3919F1E3EDE75EE7CA309D6046E835D |
SHA-256: | 759E27C62D61E8D6C98AB7D6E707475DF52F9A2E35BA11287ED0C3E25C9BE720 |
SHA-512: | 78482531019295D0BB6BD7CEA5A95763A1ED149575F391EA05DED34C293982A15A66A5BBBD2362F7C6EF794B1BEB0188354EF22AE7F2C1511E1801778F289D6F |
Malicious: | false |
Reputation: | low |
Preview: |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 2, 2024 06:35:32.479908943 CEST | 49730 | 443 | 192.168.2.4 | 191.37.38.39 |
Oct 2, 2024 06:35:32.479950905 CEST | 443 | 49730 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:32.480050087 CEST | 49730 | 443 | 192.168.2.4 | 191.37.38.39 |
Oct 2, 2024 06:35:32.481890917 CEST | 49730 | 443 | 192.168.2.4 | 191.37.38.39 |
Oct 2, 2024 06:35:32.481905937 CEST | 443 | 49730 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:33.272294044 CEST | 443 | 49730 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:33.272531986 CEST | 49730 | 443 | 192.168.2.4 | 191.37.38.39 |
Oct 2, 2024 06:35:33.274494886 CEST | 49730 | 443 | 192.168.2.4 | 191.37.38.39 |
Oct 2, 2024 06:35:33.274509907 CEST | 443 | 49730 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:33.274749041 CEST | 443 | 49730 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:33.275738955 CEST | 49730 | 443 | 192.168.2.4 | 191.37.38.39 |
Oct 2, 2024 06:35:33.319427967 CEST | 443 | 49730 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:33.603569031 CEST | 443 | 49730 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:33.603595018 CEST | 443 | 49730 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:33.603698015 CEST | 49730 | 443 | 192.168.2.4 | 191.37.38.39 |
Oct 2, 2024 06:35:33.603725910 CEST | 443 | 49730 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:33.649992943 CEST | 49730 | 443 | 192.168.2.4 | 191.37.38.39 |
Oct 2, 2024 06:35:33.725455046 CEST | 443 | 49730 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:33.725466013 CEST | 443 | 49730 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:33.725559950 CEST | 49730 | 443 | 192.168.2.4 | 191.37.38.39 |
Oct 2, 2024 06:35:33.726010084 CEST | 443 | 49730 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:33.726016998 CEST | 443 | 49730 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:33.726069927 CEST | 49730 | 443 | 192.168.2.4 | 191.37.38.39 |
Oct 2, 2024 06:35:33.727016926 CEST | 443 | 49730 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:33.727072954 CEST | 49730 | 443 | 192.168.2.4 | 191.37.38.39 |
Oct 2, 2024 06:35:33.770226002 CEST | 443 | 49730 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:33.770381927 CEST | 49730 | 443 | 192.168.2.4 | 191.37.38.39 |
Oct 2, 2024 06:35:33.848448992 CEST | 443 | 49730 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:33.848570108 CEST | 49730 | 443 | 192.168.2.4 | 191.37.38.39 |
Oct 2, 2024 06:35:33.849472046 CEST | 443 | 49730 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:33.849535942 CEST | 49730 | 443 | 192.168.2.4 | 191.37.38.39 |
Oct 2, 2024 06:35:33.849775076 CEST | 443 | 49730 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:33.849829912 CEST | 49730 | 443 | 192.168.2.4 | 191.37.38.39 |
Oct 2, 2024 06:35:33.850626945 CEST | 443 | 49730 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:33.850692987 CEST | 49730 | 443 | 192.168.2.4 | 191.37.38.39 |
Oct 2, 2024 06:35:33.851571083 CEST | 443 | 49730 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:33.851634979 CEST | 49730 | 443 | 192.168.2.4 | 191.37.38.39 |
Oct 2, 2024 06:35:33.851741076 CEST | 443 | 49730 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:33.851810932 CEST | 49730 | 443 | 192.168.2.4 | 191.37.38.39 |
Oct 2, 2024 06:35:33.892956018 CEST | 443 | 49730 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:33.893047094 CEST | 49730 | 443 | 192.168.2.4 | 191.37.38.39 |
Oct 2, 2024 06:35:33.904295921 CEST | 443 | 49730 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:33.904382944 CEST | 49730 | 443 | 192.168.2.4 | 191.37.38.39 |
Oct 2, 2024 06:35:33.970752954 CEST | 443 | 49730 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:33.970822096 CEST | 49730 | 443 | 192.168.2.4 | 191.37.38.39 |
Oct 2, 2024 06:35:33.971072912 CEST | 443 | 49730 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:33.971124887 CEST | 49730 | 443 | 192.168.2.4 | 191.37.38.39 |
Oct 2, 2024 06:35:33.972203016 CEST | 443 | 49730 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:33.972251892 CEST | 49730 | 443 | 192.168.2.4 | 191.37.38.39 |
Oct 2, 2024 06:35:33.973015070 CEST | 443 | 49730 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:33.973064899 CEST | 49730 | 443 | 192.168.2.4 | 191.37.38.39 |
Oct 2, 2024 06:35:33.973823071 CEST | 443 | 49730 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:33.973889112 CEST | 49730 | 443 | 192.168.2.4 | 191.37.38.39 |
Oct 2, 2024 06:35:33.974231958 CEST | 443 | 49730 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:33.974289894 CEST | 49730 | 443 | 192.168.2.4 | 191.37.38.39 |
Oct 2, 2024 06:35:33.974945068 CEST | 443 | 49730 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:33.974993944 CEST | 443 | 49730 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:33.975033998 CEST | 49730 | 443 | 192.168.2.4 | 191.37.38.39 |
Oct 2, 2024 06:35:34.046006918 CEST | 49730 | 443 | 192.168.2.4 | 191.37.38.39 |
Oct 2, 2024 06:35:34.046036959 CEST | 443 | 49730 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:35.104846954 CEST | 49731 | 443 | 192.168.2.4 | 191.37.38.39 |
Oct 2, 2024 06:35:35.104899883 CEST | 443 | 49731 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:35.105057955 CEST | 49731 | 443 | 192.168.2.4 | 191.37.38.39 |
Oct 2, 2024 06:35:35.106307030 CEST | 49731 | 443 | 192.168.2.4 | 191.37.38.39 |
Oct 2, 2024 06:35:35.106333971 CEST | 443 | 49731 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:35.915211916 CEST | 443 | 49731 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:35.915328979 CEST | 49731 | 443 | 192.168.2.4 | 191.37.38.39 |
Oct 2, 2024 06:35:35.916799068 CEST | 49731 | 443 | 192.168.2.4 | 191.37.38.39 |
Oct 2, 2024 06:35:35.916815996 CEST | 443 | 49731 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:35.917022943 CEST | 443 | 49731 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:35.917895079 CEST | 49731 | 443 | 192.168.2.4 | 191.37.38.39 |
Oct 2, 2024 06:35:35.959407091 CEST | 443 | 49731 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:36.259473085 CEST | 443 | 49731 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:36.259500027 CEST | 443 | 49731 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:36.259551048 CEST | 443 | 49731 | 191.37.38.39 | 192.168.2.4 |
Oct 2, 2024 06:35:36.259582043 CEST | 49731 | 443 | 192.168.2.4 | 191.37.38.39 |
Oct 2, 2024 06:35:36.259617090 CEST | 49731 | 443 | 192.168.2.4 | 191.37.38.39 |
Oct 2, 2024 06:35:36.264318943 CEST | 49731 | 443 | 192.168.2.4 | 191.37.38.39 |
Oct 2, 2024 06:35:36.264342070 CEST | 443 | 49731 | 191.37.38.39 | 192.168.2.4 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 2, 2024 06:35:31.217333078 CEST | 50449 | 53 | 192.168.2.4 | 1.1.1.1 |
Oct 2, 2024 06:35:32.212730885 CEST | 50449 | 53 | 192.168.2.4 | 1.1.1.1 |
Oct 2, 2024 06:35:32.475234032 CEST | 53 | 50449 | 1.1.1.1 | 192.168.2.4 |
Oct 2, 2024 06:35:32.475250959 CEST | 53 | 50449 | 1.1.1.1 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Oct 2, 2024 06:35:31.217333078 CEST | 192.168.2.4 | 1.1.1.1 | 0x7320 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Oct 2, 2024 06:35:32.212730885 CEST | 192.168.2.4 | 1.1.1.1 | 0x7320 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Oct 2, 2024 06:35:32.475234032 CEST | 1.1.1.1 | 192.168.2.4 | 0x7320 | No error (0) | | | 191.37.38.39 | A (IP address) | IN (0x0001) | false |
Oct 2, 2024 06:35:32.475250959 CEST | 1.1.1.1 | 192.168.2.4 | 0x7320 | No error (0) | | | 191.37.38.39 | A (IP address) | IN (0x0001) | false |
Oct 2, 2024 06:35:50.302865028 CEST | 1.1.1.1 | 192.168.2.4 | 0x2d09 | No error (0) | | | 199.232.210.172 | A (IP address) | IN (0x0001) | false |
Oct 2, 2024 06:35:50.302865028 CEST | 1.1.1.1 | 192.168.2.4 | 0x2d09 | No error (0) | | | 199.232.214.172 | A (IP address) | IN (0x0001) | false |
Oct 2, 2024 06:35:50.792437077 CEST | 1.1.1.1 | 192.168.2.4 | 0x37eb | No error (0) | | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false |
Oct 2, 2024 06:35:50.792437077 CEST | 1.1.1.1 | 192.168.2.4 | 0x37eb | No error (0) | | | 192.229.221.95 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.4 | 49730 | 191.37.38.39 | 443 | 4180 | C:\Windows\SysWOW64\wget.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-02 04:35:33 UTC | 224 | OUT | |
2024-10-02 04:35:33 UTC | 214 | IN | |
2024-10-02 04:35:33 UTC | 7978 | IN | |
2024-10-02 04:35:33 UTC | 8000 | IN | |
2024-10-02 04:35:33 UTC | 8000 | IN | |
2024-10-02 04:35:33 UTC | 8000 | IN | |
2024-10-02 04:35:33 UTC | 8000 | IN | |
2024-10-02 04:35:33 UTC | 8000 | IN | |
2024-10-02 04:35:33 UTC | 8000 | IN | |
2024-10-02 04:35:33 UTC | 8000 | IN | |
2024-10-02 04:35:33 UTC | 8000 | IN | |
2024-10-02 04:35:33 UTC | 8000 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.4 | 49731 | 191.37.38.39 | 443 | 4180 | C:\Windows\SysWOW64\wget.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-02 04:35:35 UTC | 246 | OUT | |
2024-10-02 04:35:36 UTC | 268 | IN | |
2024-10-02 04:35:36 UTC | 4035 | IN | |
Target ID: | 0 |
Start time: | 00:35:29 |
Start date: | 02/10/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x240000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 00:35:29 |
Start date: | 02/10/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 2 |
Start time: | 00:35:29 |
Start date: | 02/10/2024 |
Path: | C:\Windows\SysWOW64\wget.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 3'895'184 bytes |
MD5 hash: | 3DADB6E2ECE9C4B3E1E322E617658B60 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 3 |
Start time: | 00:35:35 |
Start date: | 02/10/2024 |
Path: | C:\Windows\SysWOW64\7za.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x610000 |
File size: | 289'792 bytes |
MD5 hash: | 77E556CDFDC5C592F5C46DB4127C6F4C |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 4 |
Start time: | 00:35:35 |
Start date: | 02/10/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 6 |
Start time: | 00:35:36 |
Start date: | 02/10/2024 |
Path: | C:\Windows\SysWOW64\unarchiver.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x840000 |
File size: | 12'800 bytes |
MD5 hash: | 16FF3CC6CC330A08EED70CBC1D35F5D2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 7 |
Start time: | 00:35:36 |
Start date: | 02/10/2024 |
Path: | C:\Windows\SysWOW64\7za.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x610000 |
File size: | 289'792 bytes |
MD5 hash: | 77E556CDFDC5C592F5C46DB4127C6F4C |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 8 |
Start time: | 00:35:36 |
Start date: | 02/10/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xb10000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Execution Graph
Execution Coverage: | 20.2% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 5.5% |
Total number of Nodes: | 73 |
Total number of Limit Nodes: | 4 |
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
00D4B1D6 | 1.5 | 1 | | 39 | COMMON |
01400C99 | 2.6 | | 2 | 86 | COMMON |
01400CA8 | 2.6 | | 2 | 82 | COMMON |
00D4B246 | 1.6 | 1 | | 101 | COMMON |
00D4AD04 | 1.6 | 1 | | 96 | COMMON |
00D4AB76 | 1.6 | 1 | | 94 | pipe, COMMON |
00D4A5DC | 1.6 | 1 | | 90 | file, COMMON |
00D4A120 | 1.6 | 1 | | 83 | file, COMMON |
00D4B276 | 1.6 | 1 | | 80 | COMMON |
(function header not extracted) | | | | | |
00D4AD2A | 1.6 | 1 | | 80 | COMMON |
00D4A850 | 1.6 | 1 | | 78 | COMMON |
00D4A933 | 1.6 | 1 | | 77 | file, COMMON |
00D4A5FE | 1.6 | 1 | | 76 | file, COMMON |
00D4A78F | 1.6 | 1 | | 73 | COMMON |
00D4AA0B | 1.6 | 1 | | 70 | COMMON |
(function header not extracted) | | | | | |
00D4A962 | 1.6 | 1 | | 60 | file, COMMON |
00D4A882 | 1.6 | 1 | | 59 | COMMON |
00D4A2AE | 1.6 | 1 | | 53 | COMMON |
00D4AA46 | 1.6 | 1 | | 52 | COMMON |
00D4A7C2 | 1.6 | 1 | | 52 | COMMON |
00D4AF8B | 1.6 | 1 | | 52 | COMMON |
00D4B1B4 | 1.6 | 1 | | 52 | COMMON |
00D4A172 | 1.5 | 1 | | 47 | file, COMMON |
00D4ABE6 | 1.5 | 1 | | 47 | pipe, COMMON |
00D4AFB2 | 1.5 | 1 | | 39 | COMMON |
00D4A2DA | 1.5 | 1 | | 35 | COMMON |
01400799 | 1.5 | | 1 | 284 | COMMON |
00D4A6D4 | 1.3 | 1 | | 71 | COMMON |
00D4A716 | 1.3 | 1 | | 43 | COMMON |
014002C0 | .3 | | | 285 | COMMON |
01400BA0 | .1 | | | 60 | COMMON |
01420807 | .0 | | | 48 | COMMON |
014205DF | .0 | | | 44 | COMMON |
0142082E | .0 | | | 34 | COMMON |
01400C50 | .0 | | | 27 | COMMON |
01420606 | .0 | | | 27 | COMMON |
01400C60 | .0 | | | 22 | COMMON |
01400DD1 | .0 | | | 21 | COMMON |
00D423F4 | .0 | | | 15 | COMMON |
00D423BC | .0 | | | 14 | COMMON |
01400DE0 | .0 | | | 12 | COMMON |