Windows
Analysis Report
file.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- file.exe (PID: 7432 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 7105A2BA8C897B6C2072A6AB0BDECDF1)
  - service123.exe (PID: 8016 cmdline: "C:\Users\user\AppData\Local\Temp\service123.exe" MD5: C7DE705DEE7C918329739835EB2FFF15)
    - schtasks.exe (PID: 8040 cmdline: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f MD5: 48C2FE20575769DE916F48EF0676A965)
      - conhost.exe (PID: 8048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- service123.exe (PID: 8100 cmdline: C:\Users\user\AppData\Local\Temp\/service123.exe MD5: C7DE705DEE7C918329739835EB2FFF15)
- service123.exe (PID: 3180 cmdline: C:\Users\user\AppData\Local\Temp\/service123.exe MD5: C7DE705DEE7C918329739835EB2FFF15)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
CryptBot | A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2. | No Attribution | | |
{"C2 list": ["analforeverlovyu.top", "pn.top", "n.top", "0asevtbv17pn.top", "+sevtbv17pn.top", "@sevtbv17pn.top", "sevtbv17pn.top"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Clipboard_Hijacker_5 | Yara detected Clipboard Hijacker | Joe Security | ||
JoeSecurity_Clipboard_Hijacker_5 | Yara detected Clipboard Hijacker | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_Cryptbot | Yara detected Cryptbot | Joe Security | ||
JoeSecurity_Clipboard_Hijacker_5 | Yara detected Clipboard Hijacker | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Clipboard_Hijacker_5 | Yara detected Clipboard Hijacker | Joe Security |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems): |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-10-14T09:15:10.390655+0200 | 2054350 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 80.66.81.78 | 80 | TCP |
2024-10-14T09:15:14.041830+0200 | 2054350 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 80.66.81.78 | 80 | TCP |
2024-10-14T09:15:19.548678+0200 | 2054350 | 1 | A Network Trojan was detected | 192.168.2.4 | 49734 | 80.66.81.78 | 80 | TCP |
AV Detection |
---|
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Code function: | 4_2_005315B0 | |
Source: | Code function: | 4_2_6C2F14B0 |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Source: | Code function: | 4_2_005381E0 | |
Source: | Code function: | 4_2_6C36AC70 | |
Source: | Code function: | 4_2_6C36AD20 | |
Source: | Code function: | 4_2_6C36AD20 | |
Source: | Code function: | 4_2_6C392EF0 | |
Source: | Code function: | 4_2_6C30AF80 | |
Source: | Code function: | 4_2_6C30E8C0 | |
Source: | Code function: | 4_2_6C31E490 | |
Source: | Code function: | 4_2_6C31E490 | |
Source: | Code function: | 4_2_6C3104F0 | |
Source: | Code function: | 4_2_6C3904E0 | |
Source: | Code function: | 4_2_6C310610 | |
Source: | Code function: | 4_2_6C31A720 | |
Source: | Code function: | 4_2_6C31A790 | |
Source: | Code function: | 4_2_6C31A790 | |
Source: | Code function: | 4_2_6C310010 | |
Source: | Code function: | 4_2_6C3C4110 | |
Source: | Code function: | 4_2_6C314203 | |
Source: | Code function: | 4_2_6C398250 | |
Source: | Code function: | 4_2_6C31C2C0 | |
Source: | Code function: | 4_2_6C31A330 | |
Source: | Code function: | 4_2_6C31A3A0 | |
Source: | Code function: | 4_2_6C31A3A0 | |
Source: | Code function: | 4_2_6C36BDF0 | |
Source: | Code function: | 4_2_6C36BF50 | |
Source: | Code function: | 4_2_6C349F90 | |
Source: | Code function: | 4_2_6C3A9900 | |
Source: | Code function: | 4_2_6C32B987 | |
Source: | Code function: | 4_2_6C32B98B | |
Source: | Code function: | 4_2_6C36BAC0 | |
Source: | Code function: | 4_2_6C367AC0 | |
Source: | Code function: | 4_2_6C31D424 | |
Source: | Code function: | 4_2_6C363440 | |
Source: | Code function: | 4_2_6C31D5A4 | |
Source: | Code function: | 4_2_6C3635F0 | |
Source: | Code function: | 4_2_6C31D724 | |
Source: | Code function: | 4_2_6C31D050 | |
Source: | Code function: | 4_2_6C387100 | |
Source: | Code function: | 4_2_6C31D2B4 | |
Source: | Code function: | 4_2_6C36B280 | |
Source: | Code function: | 4_2_6C3693B0 |
Networking |
---|
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: |
Source: | ASN Name: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Code function: | 4_2_6C309B99 |
Source: | Code function: | 4_2_6C309B99 |
System Summary |
---|
Source: | File dump: | Jump to dropped file |
Source: | Code function: | 4_2_005351B0 | |
Source: | Code function: | 4_2_00533E20 | |
Source: | Code function: | 4_2_6C2FCD00 | |
Source: | Code function: | 4_2_6C2FEE50 | |
Source: | Code function: | 4_2_6C3B4E80 | |
Source: | Code function: | 4_2_6C300FC0 | |
Source: | Code function: | 4_2_6C340870 | |
Source: | Code function: | 4_2_6C332A7E | |
Source: | Code function: | 4_2_6C334490 | |
Source: | Code function: | 4_2_6C3044F0 | |
Source: | Code function: | 4_2_6C328570 | |
Source: | Code function: | 4_2_6C330580 | |
Source: | Code function: | 4_2_6C322110 | |
Source: | Code function: | 4_2_6C33FE10 | |
Source: | Code function: | 4_2_6C331E40 | |
Source: | Code function: | 4_2_6C305880 | |
Source: | Code function: | 4_2_6C33D99E | |
Source: | Code function: | 4_2_6C34DA20 | |
Source: | Code function: | 4_2_6C31F510 | |
Source: | Code function: | 4_2_6C3296A0 | |
Source: | Code function: | 4_2_6C3377D0 | |
Source: | Code function: | 4_2_6C2F3000 | |
Source: | Code function: | 4_2_6C3070C0 | |
Source: | Code function: | 4_2_6C3311BE | |
Source: | Code function: | 4_2_6C3412C0 | |
Source: | Code function: | 4_2_6C33F3C0 |
Source: | Static PE information: |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | Static PE information: |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Binary or memory string: |
Source: | ReversingLabs: |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Code function: | 4_2_00538230 |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Code function: | 4_2_0053A694 | |
Source: | Code function: | 4_2_6C338C3E | |
Source: | Code function: | 4_2_6C365018 | |
Source: | Code function: | 4_2_6C344DD5 | |
Source: | Code function: | 4_2_6C336E17 | |
Source: | Code function: | 4_2_6C344FB5 | |
Source: | Code function: | 4_2_6C36E98B | |
Source: | Code function: | 4_2_6C358E4F | |
Source: | Code function: | 4_2_6C340866 | |
Source: | Code function: | 4_2_6C342870 | |
Source: | Code function: | 4_2_6C372CD4 | |
Source: | Code function: | 4_2_6C372CF3 | |
Source: | Code function: | 4_2_6C3A0B5A | |
Source: | Code function: | 4_2_6C36EBE3 | |
Source: | Code function: | 4_2_6C344BF5 | |
Source: | Code function: | 4_2_6C3807FF | |
Source: | Code function: | 4_2_6C33048A | |
Source: | Code function: | 4_2_6C348459 | |
Source: | Code function: | 4_2_6C33048A | |
Source: | Code function: | 4_2_6C3364B7 | |
Source: | Code function: | 4_2_6C33048A | |
Source: | Code function: | 4_2_6C33A53B | |
Source: | Code function: | 4_2_6C3C6622 | |
Source: | Code function: | 4_2_6C3C6622 | |
Source: | Code function: | 4_2_6C33A70B | |
Source: | Code function: | 4_2_6C3C6AF6 | |
Source: | Code function: | 4_2_6C3C6B36 | |
Source: | Code function: | 4_2_6C3C6622 | |
Source: | Code function: | 4_2_6C3440E9 | |
Source: | Code function: | 4_2_6C3381F9 | |
Source: | Code function: | 4_2_6C330251 |
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file |
Boot Survival |
---|
Source: | Process created: |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Malware Analysis System Evasion |
---|
Source: | Evasive API call chain: | graph_4-158041 |
Source: | Stalling execution: | graph_4-158042 |
Source: | Registry key queried: | Jump to behavior |
Source: | Window / User API: | Jump to behavior |
Source: | API coverage: |
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior |
Source: | Last function: | ||
Source: | Last function: | ||
Source: | Last function: |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Code function: | 4_2_00538230 |
Source: | Code function: | 4_2_0053116C | |
Source: | Code function: | 4_2_00531160 | |
Source: | Code function: | 4_2_005311A3 | |
Source: | Code function: | 4_2_005313C9 |
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Code function: | 4_2_6C378280 |
Source: | Registry key value queried: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | File source: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 11 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 11 Security Software Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 11 Native API | 1 DLL Side-Loading | 1 Scheduled Task/Job | 2 Virtualization/Sandbox Evasion | LSASS Memory | 2 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 2 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 11 Process Injection | Security Account Manager | 1 Application Window Discovery | SMB/Windows Admin Shares | 2 Clipboard Data | 112 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 3 Obfuscated Files or Information | LSA Secrets | 22 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
34% | ReversingLabs | Win32.Trojan.CryptBot |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Virustotal | Browse | ||
0% | Virustotal | Browse | ||
0% | Virustotal | Browse |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
sevtbv17pn.top | 80.66.81.78 | true | true | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true | unknown | ||
true | | unknown |
true | unknown | ||
true | unknown | ||
true | | unknown |
true | unknown | ||
true | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | | unknown | ||
false | | unknown | ||
false | | unknown | ||
false | unknown | |||
false | unknown | |||
false | | unknown | ||
false | | unknown | ||
false | | unknown | ||
false | | unknown | ||
false | | unknown | ||
false | | unknown | ||
false | unknown | |||
false | | unknown | ||
false | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
80.66.81.78 | sevtbv17pn.top | Russian Federation | 202984 | TEAM-HOSTASRU | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1532996 |
Start date and time: | 2024-10-14 09:14:09 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 7m 38s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 10 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | file.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@8/2@1/1 |
EGA Information: | |
HCA Information: | Failed |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target file.exe, PID 7432 because there are no executed functions
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description |
---|---|---|
03:15:09 | API Interceptor | |
03:16:44 | API Interceptor | |
08:16:10 | Task Scheduler |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
80.66.81.78 | | Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse | |
| | Get hash | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, RedLine, Stealc, Vidar | Browse | |
| | Get hash | malicious | LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, RedLine | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
TEAM-HOSTASRU | | Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse | |
| | Get hash | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, RedLine, Stealc, Vidar | Browse | |
| | Get hash | malicious | LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, RedLine | Browse | |
| | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | |
| | Get hash | malicious | Mirai, Moobot | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Mirai | Browse | |
| | Get hash | malicious | Hook | Browse | |
| | Get hash | malicious | DCRat, zgRAT | Browse | |
Process: | C:\Users\user\Desktop\file.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 315803136 |
Entropy (8bit): | 0.0543661346359521 |
Encrypted: | false |
SSDEEP: | 24576:HFCE/Be//C7PeTpObC/8llm0WrFaQmWXn5EDP9wXNjKrfS2:yWWhAWXnCPeXRc |
MD5: | 6CF3458F05BBC4551C51F486A42C50E3 |
SHA1: | B50668C17009C2415ECDA15E5EA8F08BD3D43DBE |
SHA-256: | 917F2F431A70FC4A93588B99AF5A1D4D3CD21999A42B3C33F3493366CD7007DB |
SHA-512: | 89A5745ED10E2D2719AD00AE876BB740A8119DE37EC79369868A9FF41933DD7B1032F3B1C1E45D3C84A96C1495B6EB0C36308DCECF507F24A99955760C388CAA |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\file.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 314617856 |
Entropy (8bit): | 0.0023405286258548507 |
Encrypted: | false |
SSDEEP: | |
MD5: | C7DE705DEE7C918329739835EB2FFF15 |
SHA1: | 7C25B9CB916A3C14189F19F8C814253C9FC75C77 |
SHA-256: | C4CC692D13488E6A0234BDEEDD876B027D6B5A52494EDF7C494E7B9653E59E40 |
SHA-512: | B40FFF161E6869803739E181022CF97A415D9B77F0C3915E102B5DE271CBB2E83B9191C2A057F83A4474F89533779A0BA32D7B109AA4C26AF8F89808F3E90CEC |
Malicious: | true |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 5.1018163514744295 |
TrID: | |
File name: | file.exe |
File size: | 7'457'792 bytes |
MD5: | 7105a2ba8c897b6c2072a6ab0bdecdf1 |
SHA1: | d3659027483c2825c8430a41a0c3e439aac78e2f |
SHA256: | abc53ac9f7564ceba0a7548b880b1e92c8e0329ff9680e3c5f06abcbd4e869b9 |
SHA512: | 25dc46cf350a294ea6ce7b7d07c07bfd379307783bea9f357d20a7277fa49736221c7ba1f33afd46ef26a917ef544303291263931b239c26aa8f5abb35a92c9e |
SSDEEP: | 49152:w6u6AkFUy00GL2vXkEkaBdCtsRbSgVw1y0y1zTPWs8Mo1FqSiqL7ECI4chxGeO2b:wyA+UtvLgXMaBssNSgAyPzT |
TLSH: | 43762C71DE9B51E9C6C34EBA8045F23FB930AB009C3DC6B9DE81EB51E7A0F22D599444 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g...............(.VL...q..............pL...@..........................@r......fr...@... ............................ |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x4014a0 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x670BEAEF [Sun Oct 13 15:44:47 2024 UTC] |
TLS Callbacks: | 0x401800, 0x4017b0 |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 41db2083dac89343aef584a51a80b293 |
Instruction |
---|
mov dword ptr [00AB5070h], 00000001h |
jmp 00007FB680C0FF76h |
nop |
mov dword ptr [00AB5070h], 00000000h |
jmp 00007FB680C0FF66h |
nop |
sub esp, 1Ch |
mov eax, dword ptr [esp+20h] |
mov dword ptr [esp], eax |
call 00007FB680C1E61Eh |
cmp eax, 01h |
sbb eax, eax |
add esp, 1Ch |
ret |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
push ebp |
mov ebp, esp |
push edi |
push esi |
push ebx |
sub esp, 1Ch |
mov dword ptr [esp], 00AA2000h |
call dword ptr [00AB623Ch] |
sub esp, 04h |
test eax, eax |
je 00007FB680C10335h |
mov ebx, eax |
mov dword ptr [esp], 00AA2000h |
call dword ptr [00AB6270h] |
mov edi, dword ptr [00AB6248h] |
sub esp, 04h |
mov dword ptr [00AB5028h], eax |
mov dword ptr [esp+04h], 00AA2013h |
mov dword ptr [esp], ebx |
call edi |
sub esp, 08h |
mov esi, eax |
mov dword ptr [esp+04h], 00AA2029h |
mov dword ptr [esp], ebx |
call edi |
sub esp, 08h |
mov dword ptr [008C7004h], eax |
test esi, esi |
je 00007FB680C102D3h |
mov dword ptr [esp+04h], 00AB502Ch |
mov dword ptr [esp], 00AB2104h |
call esi |
mov dword ptr [esp], 00401580h |
call 00007FB680C10223h |
lea esp, dword ptr [ebp-0Ch] |
pop ebx |
pop esi |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6b6000 | 0xb78 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6b9000 | 0x6a34c | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x6b03a4 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x6b621c | 0x1cc | .idata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x4c5528 | 0x4c5600 | 3b279bf93d94ab22d0e28a73e7862ebd | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.data | 0x4c7000 | 0x1da560 | 0x1da600 | 016a019e22381b9a78e4a677dfc29c25 | False | 0.027730257740447958 | dBase III DBT, version number 0, next free block index 10, 1st item "\245\215E" | 0.41917699946747966 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0x6a2000 | 0xf484 | 0xf600 | 6dc914609215d0f0bd0c8235622e4bd1 | False | 0.25112741361788615 | data | 5.882752268254566 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.eh_fram | 0x6b2000 | 0x210c | 0x2200 | 992f32ca83fa100daaa498dcbf920a8e | False | 0.32042738970588236 | data | 4.8026577249347095 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.bss | 0x6b5000 | 0xb74 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0x6b6000 | 0xb78 | 0xc00 | 97c698ca6b5b7a5c0fcdc583433c42b8 | False | 0.4029947916666667 | data | 4.998945017991226 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.CRT | 0x6b7000 | 0x30 | 0x200 | 947565758601e59a9e2e145caaaaefe2 | False | 0.064453125 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.tls | 0x6b8000 | 0x8 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.reloc | 0x6b9000 | 0x6a34c | 0x6a400 | accad031cb3a2885317d96ea1731e4cc | False | 0.11737132352941176 | data | 6.624873841003287 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
DLL | Import |
---|---|
ADVAPI32.dll | CryptAcquireContextA, CryptGenRandom, CryptReleaseContext |
KERNEL32.dll | DeleteCriticalSection, EnterCriticalSection, FreeLibrary, GetLastError, GetModuleHandleA, GetModuleHandleW, GetNativeSystemInfo, GetProcAddress, GetProcessHeap, GetStartupInfoA, GetThreadLocale, HeapAlloc, HeapFree, InitializeCriticalSection, IsBadReadPtr, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, MultiByteToWideChar, SetLastError, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WideCharToMultiByte, lstrlenA |
msvcrt.dll | __getmainargs, __initenv, __mb_cur_max, __p__acmdln, __p__commode, __p__fmode, __set_app_type, __setusermatherr, _amsg_exit, _assert, _cexit, _errno, _chsize, _exit, _filelengthi64, _fileno, _initterm, _iob, _lock, _onexit, _unlock, _wcsnicmp, abort, atoi, bsearch, calloc, exit, fclose, fflush, fgetpos, fopen, fputc, fread, free, freopen, fsetpos, fwrite, getc, islower, isspace, isupper, isxdigit, localeconv, malloc, mbstowcs, memcmp, memcpy, memmove, memset, mktime, localtime, difftime, _mkdir, perror, qsort, realloc, remove, setlocale, signal, strchr, strcmp, strerror, strlen, strncmp, strncpy, strtol, strtoul, tolower, ungetc, vfprintf, time, wcslen, wcstombs, _stat, _write, _utime, _open, _fileno, _close, _chmod |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-10-14T09:15:10.390655+0200 | 2054350 | ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 | 1 | 192.168.2.4 | 49730 | 80.66.81.78 | 80 | TCP |
2024-10-14T09:15:14.041830+0200 | 2054350 | ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 | 1 | 192.168.2.4 | 49731 | 80.66.81.78 | 80 | TCP |
2024-10-14T09:15:19.548678+0200 | 2054350 | ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 | 1 | 192.168.2.4 | 49734 | 80.66.81.78 | 80 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 14, 2024 09:15:09.687480927 CEST | 49730 | 80 | 192.168.2.4 | 80.66.81.78 |
Oct 14, 2024 09:15:09.692404032 CEST | 80 | 49730 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:09.692730904 CEST | 49730 | 80 | 192.168.2.4 | 80.66.81.78 |
Oct 14, 2024 09:15:09.692928076 CEST | 49730 | 80 | 192.168.2.4 | 80.66.81.78 |
Oct 14, 2024 09:15:09.692955971 CEST | 49730 | 80 | 192.168.2.4 | 80.66.81.78 |
Oct 14, 2024 09:15:09.700366974 CEST | 80 | 49730 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:09.700381041 CEST | 80 | 49730 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:10.390429974 CEST | 80 | 49730 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:10.390605927 CEST | 80 | 49730 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:10.390655041 CEST | 49730 | 80 | 192.168.2.4 | 80.66.81.78 |
Oct 14, 2024 09:15:10.390680075 CEST | 49730 | 80 | 192.168.2.4 | 80.66.81.78 |
Oct 14, 2024 09:15:10.395538092 CEST | 80 | 49730 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:13.983685017 CEST | 49731 | 80 | 192.168.2.4 | 80.66.81.78 |
Oct 14, 2024 09:15:13.988564014 CEST | 80 | 49731 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:13.988641977 CEST | 49731 | 80 | 192.168.2.4 | 80.66.81.78 |
Oct 14, 2024 09:15:13.988790989 CEST | 49731 | 80 | 192.168.2.4 | 80.66.81.78 |
Oct 14, 2024 09:15:13.988908052 CEST | 49731 | 80 | 192.168.2.4 | 80.66.81.78 |
Oct 14, 2024 09:15:13.993684053 CEST | 80 | 49731 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:13.993745089 CEST | 80 | 49731 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:13.993746996 CEST | 49731 | 80 | 192.168.2.4 | 80.66.81.78 |
Oct 14, 2024 09:15:13.993756056 CEST | 80 | 49731 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:13.993767023 CEST | 80 | 49731 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:13.993774891 CEST | 80 | 49731 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:13.993794918 CEST | 80 | 49731 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:13.993803978 CEST | 80 | 49731 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:13.993814945 CEST | 49731 | 80 | 192.168.2.4 | 80.66.81.78 |
Oct 14, 2024 09:15:13.993840933 CEST | 49731 | 80 | 192.168.2.4 | 80.66.81.78 |
Oct 14, 2024 09:15:13.993856907 CEST | 49731 | 80 | 192.168.2.4 | 80.66.81.78 |
Oct 14, 2024 09:15:13.994004011 CEST | 80 | 49731 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:13.994014025 CEST | 80 | 49731 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:13.994055033 CEST | 49731 | 80 | 192.168.2.4 | 80.66.81.78 |
Oct 14, 2024 09:15:13.998780012 CEST | 80 | 49731 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:13.998790979 CEST | 80 | 49731 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:13.998807907 CEST | 80 | 49731 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:13.998816013 CEST | 80 | 49731 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:13.998825073 CEST | 80 | 49731 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:13.998835087 CEST | 80 | 49731 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:13.998842001 CEST | 49731 | 80 | 192.168.2.4 | 80.66.81.78 |
Oct 14, 2024 09:15:13.998892069 CEST | 80 | 49731 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:13.998903036 CEST | 49731 | 80 | 192.168.2.4 | 80.66.81.78 |
Oct 14, 2024 09:15:13.998931885 CEST | 49731 | 80 | 192.168.2.4 | 80.66.81.78 |
Oct 14, 2024 09:15:14.041541100 CEST | 80 | 49731 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:14.041830063 CEST | 49731 | 80 | 192.168.2.4 | 80.66.81.78 |
Oct 14, 2024 09:15:14.093529940 CEST | 80 | 49731 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:14.093786955 CEST | 49731 | 80 | 192.168.2.4 | 80.66.81.78 |
Oct 14, 2024 09:15:14.145473003 CEST | 80 | 49731 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:14.145560980 CEST | 49731 | 80 | 192.168.2.4 | 80.66.81.78 |
Oct 14, 2024 09:15:14.197523117 CEST | 80 | 49731 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:14.197700977 CEST | 49731 | 80 | 192.168.2.4 | 80.66.81.78 |
Oct 14, 2024 09:15:14.249470949 CEST | 80 | 49731 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:14.249609947 CEST | 49731 | 80 | 192.168.2.4 | 80.66.81.78 |
Oct 14, 2024 09:15:14.297497034 CEST | 80 | 49731 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:14.483068943 CEST | 80 | 49731 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:14.946252108 CEST | 80 | 49731 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:14.946671009 CEST | 80 | 49731 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:14.946744919 CEST | 49731 | 80 | 192.168.2.4 | 80.66.81.78 |
Oct 14, 2024 09:15:14.949268103 CEST | 49731 | 80 | 192.168.2.4 | 80.66.81.78 |
Oct 14, 2024 09:15:14.954034090 CEST | 80 | 49731 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:18.204193115 CEST | 49734 | 80 | 192.168.2.4 | 80.66.81.78 |
Oct 14, 2024 09:15:18.731466055 CEST | 80 | 49734 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:18.731569052 CEST | 49734 | 80 | 192.168.2.4 | 80.66.81.78 |
Oct 14, 2024 09:15:18.731759071 CEST | 49734 | 80 | 192.168.2.4 | 80.66.81.78 |
Oct 14, 2024 09:15:18.731818914 CEST | 49734 | 80 | 192.168.2.4 | 80.66.81.78 |
Oct 14, 2024 09:15:18.736574888 CEST | 80 | 49734 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:18.736649036 CEST | 49734 | 80 | 192.168.2.4 | 80.66.81.78 |
Oct 14, 2024 09:15:18.736726046 CEST | 80 | 49734 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:18.736735106 CEST | 80 | 49734 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:18.736782074 CEST | 49734 | 80 | 192.168.2.4 | 80.66.81.78 |
Oct 14, 2024 09:15:18.736831903 CEST | 80 | 49734 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:18.736848116 CEST | 80 | 49734 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:18.736855984 CEST | 80 | 49734 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:18.736876011 CEST | 49734 | 80 | 192.168.2.4 | 80.66.81.78 |
Oct 14, 2024 09:15:18.736903906 CEST | 49734 | 80 | 192.168.2.4 | 80.66.81.78 |
Oct 14, 2024 09:15:18.739130020 CEST | 80 | 49734 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:18.739185095 CEST | 49734 | 80 | 192.168.2.4 | 80.66.81.78 |
Oct 14, 2024 09:15:18.739192009 CEST | 80 | 49734 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:18.739202023 CEST | 80 | 49734 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:18.739236116 CEST | 49734 | 80 | 192.168.2.4 | 80.66.81.78 |
Oct 14, 2024 09:15:18.739253998 CEST | 49734 | 80 | 192.168.2.4 | 80.66.81.78 |
Oct 14, 2024 09:15:18.739259005 CEST | 80 | 49734 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:18.741589069 CEST | 80 | 49734 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:18.741604090 CEST | 80 | 49734 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:18.741672039 CEST | 80 | 49734 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:18.741681099 CEST | 80 | 49734 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:18.741714001 CEST | 80 | 49734 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:18.741728067 CEST | 80 | 49734 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:18.785413027 CEST | 80 | 49734 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:19.548369884 CEST | 80 | 49734 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:19.548441887 CEST | 80 | 49734 | 80.66.81.78 | 192.168.2.4 |
Oct 14, 2024 09:15:19.548677921 CEST | 49734 | 80 | 192.168.2.4 | 80.66.81.78 |
Oct 14, 2024 09:15:19.550153971 CEST | 49734 | 80 | 192.168.2.4 | 80.66.81.78 |
Oct 14, 2024 09:15:19.555207968 CEST | 80 | 49734 | 80.66.81.78 | 192.168.2.4 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 14, 2024 09:15:09.235893965 CEST | 52739 | 53 | 192.168.2.4 | 1.1.1.1 |
Oct 14, 2024 09:15:09.681608915 CEST | 53 | 52739 | 1.1.1.1 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Oct 14, 2024 09:15:09.235893965 CEST | 192.168.2.4 | 1.1.1.1 | 0x6e8f | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Oct 14, 2024 09:15:09.681608915 CEST | 1.1.1.1 | 192.168.2.4 | 0x6e8f | No error (0) | 80.66.81.78 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.4 | 49730 | 80.66.81.78 | 80 | 7432 | C:\Users\user\Desktop\file.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Oct 14, 2024 09:15:09.692928076 CEST | 333 | OUT | |
Oct 14, 2024 09:15:09.692955971 CEST | 411 | OUT | |
Oct 14, 2024 09:15:10.390429974 CEST | 209 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.4 | 49731 | 80.66.81.78 | 80 | 7432 | C:\Users\user\Desktop\file.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Oct 14, 2024 09:15:13.988790989 CEST | 335 | OUT | |
Oct 14, 2024 09:15:13.988908052 CEST | 11124 | OUT | |
Oct 14, 2024 09:15:13.993746996 CEST | 1236 | OUT | |
Oct 14, 2024 09:15:13.993814945 CEST | 9888 | OUT | |
Oct 14, 2024 09:15:13.993840933 CEST | 2472 | OUT | |
Oct 14, 2024 09:15:13.993856907 CEST | 2472 | OUT | |
Oct 14, 2024 09:15:13.994055033 CEST | 4944 | OUT | |
Oct 14, 2024 09:15:13.998842001 CEST | 2472 | OUT | |
Oct 14, 2024 09:15:13.998903036 CEST | 6180 | OUT | |
Oct 14, 2024 09:15:13.998931885 CEST | 1236 | OUT | |
Oct 14, 2024 09:15:14.041830063 CEST | 25956 | OUT | |
Oct 14, 2024 09:15:14.946252108 CEST | 209 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.4 | 49734 | 80.66.81.78 | 80 | 7432 | C:\Users\user\Desktop\file.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Oct 14, 2024 09:15:18.731759071 CEST | 335 | OUT | |
Oct 14, 2024 09:15:18.731818914 CEST | 11124 | OUT | |
Oct 14, 2024 09:15:18.736649036 CEST | 1236 | OUT | |
Oct 14, 2024 09:15:18.736782074 CEST | 4944 | OUT | |
Oct 14, 2024 09:15:18.736876011 CEST | 2472 | OUT | |
Oct 14, 2024 09:15:18.736903906 CEST | 4944 | OUT | |
Oct 14, 2024 09:15:18.739185095 CEST | 2472 | OUT | |
Oct 14, 2024 09:15:18.739236116 CEST | 2472 | OUT | |
Oct 14, 2024 09:15:18.739253998 CEST | 2260 | OUT | |
Oct 14, 2024 09:15:19.548369884 CEST | 209 | IN |
Target ID: | 0 |
Start time: | 03:15:00 |
Start date: | 14/10/2024 |
Path: | C:\Users\user\Desktop\file.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x420000 |
File size: | 7'457'792 bytes |
MD5 hash: | 7105A2BA8C897B6C2072A6AB0BDECDF1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
Reputation: | low |
Has exited: | true |
Target ID: | 4 |
Start time: | 03:16:10 |
Start date: | 14/10/2024 |
Path: | C:\Users\user\AppData\Local\Temp\service123.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x530000 |
File size: | 314'617'856 bytes |
MD5 hash: | C7DE705DEE7C918329739835EB2FFF15 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Target ID: | 5 |
Start time: | 03:16:10 |
Start date: | 14/10/2024 |
Path: | C:\Windows\SysWOW64\schtasks.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xdc0000 |
File size: | 187'904 bytes |
MD5 hash: | 48C2FE20575769DE916F48EF0676A965 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 6 |
Start time: | 03:16:10 |
Start date: | 14/10/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 7 |
Start time: | 03:16:12 |
Start date: | 14/10/2024 |
Path: | C:\Users\user\AppData\Local\Temp\service123.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x530000 |
File size: | 314'617'856 bytes |
MD5 hash: | C7DE705DEE7C918329739835EB2FFF15 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 9 |
Start time: | 03:17:02 |
Start date: | 14/10/2024 |
Path: | C:\Users\user\AppData\Local\Temp\service123.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x530000 |
File size: | 314'617'856 bytes |
MD5 hash: | C7DE705DEE7C918329739835EB2FFF15 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Execution Graph
Execution Coverage: | 0.1% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 60.3% |
Total number of Nodes: | 73 |
Total number of Limit Nodes: | 3 |
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
005381E0 | 14.1 | 5 | 3 | 87 | libraryloader, COMMON |
00538230 | 12.3 | 4 | 3 | 90 | libraryloader, COMMON |
6C3C4230 | 8.8 | 4 | 1 | 32 | sleep, synchronization, clipboard, COMMON |
00531296 | 5.1 | 4 | | 80 | string, COMMON |
005313BB | 5.1 | 4 | | 66 | string, COMMON |
6C30B1A0 | 1.4 | 1 | | 144 | COMMON |
6C30B310 | 1.3 | 1 | | 95 | COMMON |
6C300FC0 | 22.6 | 8 | 4 | 1647 | string, COMMON |
6C378280 | 17.7 | | 14 | 166 | COMMON |
6C2FEE50 | 12.5 | 8 | | 494 | COMMON |
6C31E490 | 12.2 | 6 | 2 | 219 | string, COMMON |
6C310610 | 10.7 | 5 | 2 | 212 | string, COMMON |
6C3070C0 | 9.6 | 6 | | 649 | COMMON |
00533E20 | 5.4 | | 4 | 351 | COMMON |
6C3044F0 | 5.4 | | 4 | 351 | COMMON |
6C3104F0 | 2.5 | | 2 | 42 | COMMON |
6C31C2C0 | 2.5 | | 2 | 42 | COMMON |
6C334490 | 2.1 | 1 | | 873 | COMMON |
6C332A7E | 2.1 | 1 | | 811 | COMMON |
6C3311BE | 2.1 | 1 | | 811 | COMMON |
6C331E40 | 2.0 | 1 | | 790 | COMMON |
6C330580 | 2.0 | 1 | | 789 | COMMON |
6C31F510 | 2.0 | 1 | | 770 | string, COMMON |
6C3377D0 | 1.9 | 1 | | 678 | COMMON |
6C322110 | 1.6 | 1 | | 357 | COMMON |
6C34DA20 | 1.6 | 1 | | 328 | COMMON |
6C30E8C0 | 1.3 | | 1 | 23 | COMMON |
6C310010 | 1.3 | | 1 | 20 | COMMON |
6C33D99E | .8 | | | 838 | COMMON |
6C3412C0 | .7 | | | 684 | COMMON |
6C33FE10 | .7 | | | 683 | COMMON |
6C340870 | .7 | | | 674 | COMMON |
6C33F3C0 | .7 | | | 671 | COMMON |
6C314203 | .5 | | | 465 | COMMON |
6C2F3000 | .4 | | | 356 | COMMON |
6C3B4E80 | .3 | | | 292 | COMMON |
6C36AD20 | .2 | | | 202 | COMMON |
6C387100 | .2 | | | 200 | COMMON |
6C36BF50 | .2 | | | 181 | COMMON |
6C32B987 | .1 | | | 87 | COMMON |
6C3693B0 | .1 | | | 84 | COMMON |
6C31D050 | .1 | | | 83 | COMMON |
6C367AC0 | .1 | | | 81 | COMMON |
6C32B98B | .1 | | | 78 | COMMON |
6C3A9900 | .1 | | | 74 | COMMON |
6C36AC70 | .1 | | | 67 | COMMON |
6C36BAC0 | .1 | | | 67 | COMMON |
6C36B280 | .1 | | | 58 | COMMON |
6C36BDF0 | .1 | | | 57 | COMMON |
6C398250 | .1 | | | 56 | COMMON |
6C31D2B4 | .0 | | | 48 | COMMON |
6C3C4110 | .0 | | | 46 | COMMON |
6C349F90 | .0 | | | 18 | COMMON |
6C31D424 | .0 | | | 14 | COMMON |
6C31D5A4 | .0 | | | 14 | COMMON |
6C31D724 | .0 | | | 14 | COMMON |
6C30AF80 | .0 | | | 13 | COMMON |
6C2F2290 | 42.4 | 28 | | 354 | COMMON |
6C2FB7A0 | 42.2 | 28 | | 162 | COMMON |
6C2F29F0 | 42.1 | 28 | | 78 | COMMON |
6C2F28BB | 42.1 | 28 | | 73 | COMMON |
6C2F2A6E | 42.1 | 28 | | 71 | COMMON |
6C2F2B13 | 42.1 | 28 | | 69 | COMMON |
6C2F2AAD | 42.1 | 28 | | 65 | COMMON |
6C2FB930 | 40.6 | 27 | | 135 | COMMON |
6C2FBFCC | 39.1 | 26 | | 63 | COMMON |
6C2FBEE7 | 37.6 | 25 | | 83 | COMMON |
6C2FBC1B | 37.6 | 25 | | 55 | COMMON |
6C2FBE00 | 37.5 | 25 | | 46 | COMMON |
6C2FBE70 | 37.5 | 25 | | 46 | COMMON |
6C2FBDC7 | 37.5 | 25 | | 44 | COMMON |
6C2FBE98 | 37.5 | 25 | | 43 | COMMON |
6C2FBDE8 | 37.5 | 25 | | 42 | COMMON |
6C2FC150 | 36.3 | 24 | | 284 | COMMON |
6C2FC470 | 33.2 | 22 | | 152 | COMMON |
6C2FD570 | 28.6 | 19 | | 116 | COMMON |
6C2FD67C | 28.5 | 19 | | 32 | COMMON |
6C2FD6C0 | 27.1 | 18 | | 138 | COMMON |
6C2FD855 | 25.5 | 17 | | 45 | COMMON |
6C30C0E0 | 24.6 | 10 | 4 | 130 | file, COMMON |
6C2FD8A8 | 24.1 | 16 | | 52 | COMMON |
6C2FDA90 | 22.6 | 15 | | 136 | COMMON |
6C2FDCE0 | 21.1 | 14 | | 74 | COMMON |
6C2FDD80 | 19.6 | 13 | | 77 | COMMON |
6C300310 | 18.2 | 12 | | 165 | COMMON |
00531940 | 17.6 | 6 | 4 | 129 | file, COMMON |
6C2FA690 | 17.6 | 6 | 4 | 129 | file, COMMON |
6C2FE0A0 | 16.6 | 11 | | 98 | COMMON |
6C2FE570 | 15.1 | 10 | | 145 | COMMON |
6C2FE59B | 15.1 | 10 | | 89 | COMMON |
6C2FE714 | 15.0 | 10 | | 35 | COMMON |
6C309249 | 14.0 | 4 | 4 | 31 | libraryloader, COMMON |
6C2FFEE0 | 13.7 | 9 | | 186 | synchronization, COMMON |
6C2FE760 | 13.6 | 9 | | 67 | COMMON |
005314E0 | 12.3 | 4 | 3 | 43 | libraryloader, COMMON |
6C2F13E0 | 12.3 | 4 | 3 | 43 | libraryloader, COMMON |
6C317170 | 12.2 | 6 | 2 | 237 | string, COMMON |
6C2FE800 | 12.1 | 8 | | 89 | COMMON |
00531E70 | 12.1 | 8 | | 84 | COMMON |
6C31B5C0 | 10.7 | 5 | 2 | 212 | string, COMMON |
6C3174C0 | 10.7 | 6 | 1 | 211 | string, COMMON |
6C2FE8E0 | 10.7 | 7 | | 183 | COMMON |
6C2FE340 | 10.6 | 7 | | 126 | synchronization, COMMON |
6C3001F0 | 10.6 | 7 | | 65 | COMMON |
00538120 | 10.5 | 3 | 3 | 36 | libraryloader, COMMON |
6C309171 | 10.5 | 3 | 3 | 35 | libraryloader, COMMON |
6C2FEA9B | 10.5 | 7 | | 21 | COMMON |
6C394890 | 10.2 | 8 | | 158 | COMMON |
6C390720 | 10.2 | 8 | | 150 | COMMON |
6C2FEB70 | 9.2 | 6 | | 203 | COMMON |
6C30AE10 | 9.1 | 6 | | 145 | COMMON |
6C2F1020 | 9.1 | 6 | | 100 | sleep, COMMON |
6C311CB0 | 9.0 | 6 | | 50 | string, COMMON |
6C311A00 | 9.0 | 6 | | 49 | string, COMMON |
6C2FED31 | 9.0 | 6 | | 19 | COMMON |
6C30DE80 | 8.9 | 3 | 2 | 130 | window, COMMON |
6C2F9490 | 7.9 | 4 | 1 | 375 | string, COMMON |
6C36D5C0 | 7.7 | 3 | 2 | 153 | string, COMMON |
6C2FF840 | 7.6 | 5 | | 87 | COMMON |
6C3B82D0 | 7.6 | 5 | | 64 | string, COMMON |
6C309530 | 7.6 | 5 | | 59 | COMMON |
6C300290 | 7.5 | 5 | | 32 | memory, COMMON |
005380D8 | 7.0 | 3 | 1 | 19 | string, COMMON |
6C309128 | 7.0 | 3 | 1 | 19 | string, COMMON |
|
Similarity |
|
Function 6C309293 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2FA340 Relevance: 6.3, APIs: 5, Instructions: 98stringCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C3C0D40 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 283stringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C31E730 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 127stringCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C31E331 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 115stringCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00537C40 Relevance: 6.1, APIs: 4, Instructions: 93COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C309660 Relevance: 6.1, APIs: 4, Instructions: 93COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2FF511 Relevance: 6.1, APIs: 4, Instructions: 91COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2FF6B0 Relevance: 6.1, APIs: 4, Instructions: 86COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2F55A8 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 64stringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00531001 Relevance: 6.1, APIs: 4, Instructions: 59COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C369D20 Relevance: 6.0, APIs: 4, Instructions: 30stringCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C385B60 Relevance: 5.4, APIs: 4, Instructions: 369stringCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C385380 Relevance: 5.4, APIs: 4, Instructions: 369stringCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C384B80 Relevance: 5.4, APIs: 4, Instructions: 352stringCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C384380 Relevance: 5.4, APIs: 4, Instructions: 352stringCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C30DFA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89stringCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C317561 Relevance: 5.1, APIs: 4, Instructions: 128stringCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00536B60 Relevance: 5.1, APIs: 4, Instructions: 53sleepCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C308080 Relevance: 5.1, APIs: 4, Instructions: 53sleepCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00532000 Relevance: 5.0, APIs: 4, Instructions: 39COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C2FAB50 Relevance: 5.0, APIs: 4, Instructions: 39COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|