Windows Analysis Report: QuickTextPaste.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- QuickTextPaste.exe (PID: 7320, cmdline: "C:\Users\user\Desktop\QuickTextPaste.exe", MD5: 1FDC72504C644EC1FCC368C24F12D94D)
  - csc.exe (PID: 7588, cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe", MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
- cleanup

The child process deserves a second look. csc.exe is the C# compiler; a build tool launches it with source files or an @response file on the command line. Here a GUI program started from the user's Desktop launches it with no arguments at all, the pattern of a process created to receive injected code. The Memory written and Process Injection entries further down are consistent with that reading.
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
XWorm | Malware with a wide range of capabilities, from RAT to ransomware. | No Attribution | | |

Extracted configuration:

{"C2 url": ["45.32.146.65"], "Port": 6868, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Three things to note when turning this into indicators: the C2 is a bare IP on a non-standard port (so the traffic is never preceded by a DNS lookup); the AES key "<123456789>" and separator "<Xwormmm>" are the XWorm builder's default values and recur across unrelated campaigns, so they identify the family rather than this operator; and the configured install name (USB.exe) differs from the XClient.lnk shortcut the sample actually dropped into the Startup folder, so both names are worth searching for.
Rule | Description | Author |
---|---|---|
JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |

The same two rules fire repeatedly across the report's per-artifact YARA tables (dropped files and memory dumps). The AsyncRAT rule matching an XWorm sample is an expected cross-hit rather than a second family: XWorm's .NET client shares code with the AsyncRAT lineage, and ditekSHen's rule keys on strings common to both.
System Summary |
---|
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
Source: | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-25T18:06:07.898238+0100 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49716 | 45.32.146.65 | 6868 | TCP |
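The process tree, the Startup-folder shortcut and the DNS-less connection to 45.32.146.65:6868 are three behaviours that translate directly into host-telemetry detections. The following Python is an added example, not part of the Joe Sandbox report: it runs three such checks over a handful of constructed Sysmon-style events. The field names (image, cmdline, parent, target, dst_ip, answers) are simplified stand-ins for Sysmon's Image, CommandLine, ParentImage, TargetFilename, DestinationIp and QueryResults; event IDs 1, 3, 11 and 22 are Sysmon's process-create, network-connect, file-create and DNS-query events. The benign control events at the end are also constructed and show what must not alert.

```python
"""Three hunting checks derived from the behaviour in the sandbox report.

Constructed example: the event records, their field names and the benign
control events are this example's own, not Sysmon output or Joe Sandbox data.
"""
import ipaddress

# Constructed Sysmon-style telemetry. id: 1 = process create, 3 = network
# connect, 11 = file create, 22 = DNS query. ts orders the events.
EVENTS = [
    {"id": 1, "ts": 1, "pid": 7320, "image": r"C:\Users\user\Desktop\QuickTextPaste.exe",
     "cmdline": r'"C:\Users\user\Desktop\QuickTextPaste.exe"', "parent": r"C:\Windows\explorer.exe"},
    {"id": 1, "ts": 2, "pid": 7588, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"',
     "parent": r"C:\Users\user\Desktop\QuickTextPaste.exe"},
    {"id": 11, "ts": 3, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "target": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk"},
    {"id": 3, "ts": 4, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "proto": "tcp", "dst_ip": "45.32.146.65", "dst_port": 6868},
    # Benign controls (constructed): a real compile, and a connection preceded by DNS.
    {"id": 1, "ts": 5, "pid": 9000, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": r'csc.exe /noconfig @"C:\Users\user\AppData\Local\Temp\build.cmdline"',
     "parent": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"},
    {"id": 22, "ts": 6, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "query": "example.org", "answers": ["93.184.216.34"]},
    {"id": 3, "ts": 7, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "proto": "tcp", "dst_ip": "93.184.216.34", "dst_port": 443},
]

STARTUP_MARK = "\\start menu\\programs\\startup\\"


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _arguments(cmdline, image):
    """Command line with the leading (optionally quoted) image path removed."""
    c = cmdline.strip()
    for head in (f'"{image}"', image, f'"{_basename(image)}"', _basename(image)):
        if c.lower().startswith(head.lower()):
            return c[len(head):].strip()
    return c


def check_csc_no_args(ev):
    """csc.exe started with an empty command line: a compile always has arguments."""
    if ev["id"] != 1 or _basename(ev["image"]) != "csc.exe":
        return None
    if _arguments(ev["cmdline"], ev["image"]):
        return None
    return ("csc_no_arguments", ev["pid"], "parent=" + ev["parent"])


def check_startup_write(ev):
    """Something other than Explorer writing into the per-user Startup folder."""
    if ev["id"] != 11 or STARTUP_MARK not in ev["target"].lower():
        return None
    if _basename(ev["image"]) == "explorer.exe":   # user-made shortcuts
        return None
    return ("startup_folder_write", ev["image"], ev["target"])


def check_raw_ip_connect(ev, resolved):
    """Outbound TCP to a public IP that no earlier DNS answer returned."""
    if ev["id"] != 3 or ev.get("proto") != "tcp":
        return None
    if not ipaddress.ip_address(ev["dst_ip"]).is_global or ev["dst_ip"] in resolved:
        return None
    rule = "raw_ip_no_dns"
    if ev["dst_port"] not in (80, 443):
        rule += "_nonstd_port"
    return (rule, ev["image"], f"{ev['dst_ip']}:{ev['dst_port']}")


def run_checks(events):
    """Replay events in time order; DNS answers seen so far whitelist later connects."""
    alerts, resolved = [], set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] == 22:
            resolved.update(ev["answers"])
            continue
        for result in (check_csc_no_args(ev), check_startup_write(ev),
                       check_raw_ip_connect(ev, resolved)):
            if result:
                alerts.append(result)
    return alerts


if __name__ == "__main__":
    for alert in run_checks(EVENTS):
        print(*alert, sep=" | ")
```

The DNS whitelist is deliberately order-sensitive: a connection is only excused by an answer that arrived before it, which is the same logic behind the report's "TCP traffic detected without corresponding DNS query" signature. In production the three checks would be fed from Sysmon or EDR events with the real field names, and the no-argument csc.exe rule should additionally exclude known build-tool parents rather than rely on the command line alone.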
AV Detection |
---|
Source: | Avira: | (2 entries) |
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | String decryptor: | (8 entries) |
Compliance |
---|
Source: | Unpacked PE file: |
Source: | Static PE information: |
Source: | Binary string: | (3 entries) |
Networking |
---|
Source: | Suricata IDS: | (2 entries) |
Source: | URLs: |
Source: | TCP traffic: |
Source: | ASN Name: |
Source: | TCP traffic detected without corresponding DNS query: | (50 entries) |
Source: | String found in binary or memory: |

The 50 "without corresponding DNS query" hits fit the extracted configuration: the C2 is a bare IP (45.32.146.65, port 6868), so nothing is resolved before the connection. Outbound connections to public addresses with no matching DNS answer in the preceding window are therefore a usable hunt for this sample, and the Suricata alert (SID 2853193) shows the traffic is also signature-detectable on the wire.
Key, Mouse, Clipboard, Microphone and Screen Capturing |
---|
Source: | Code function: | 0_2_00426601 |
Source: | Code function: | 0_2_00433F0D |
Source: | Code function: | 0_2_00433F0D |
Source: | Code function: | 0_2_004324DC |

All four hits carry the 0_2_ prefix, the report's identifier for code in the sample's own process, i.e. they sit in the native QuickTextPaste.exe image rather than in the 3_2_-prefixed .NET code listed further down. If the host program is what its name suggests (a clipboard/paste helper), keyboard hooks and clipboard reads are part of its normal function, so these rows are not on their own evidence of a keylogger; the XWorm verdict rests on the configuration extractor, the YARA matches and the C2 traffic above.
System Summary |
---|
Source: | Matched rule: | (8 entries) |
Source: | File dump: | (dropped file) |
Source: | Process Stats: |
Source: | Code function: | 0_2_00406EBE, 0_2_0040691A, 0_2_00402A35, 0_2_0040EB7D, 0_2_0041E397, 0_2_0040EBBA, 0_2_0040747A, 0_2_00402CBF, 0_2_0040759C, 0_2_00402D9D, 0_2_0040EE30, 0_2_0041EF19, 0_2_0040EF2D, 0_2_004067E0, 0_2_00402FF2, 0_2_00402FF8, 3_2_0573B7F8, 3_2_05738FD0, 3_2_05734138, 3_2_05731030, 3_2_057398A0, 3_2_05733B40, 3_2_05738C88, 3_2_05731610 |
Source: | Code function: |
Source: | Binary or memory string: | (3 entries) |
Source: | Static PE information: |
Source: | Matched rule: | (8 entries) |
Source: | Cryptographic APIs: | (3 entries) |
Source: | Classification label: |
Source: | Code function: | 0_2_00426601 |
Source: | File created: |
Source: | Mutant created: | (2 entries) |
Source: | Static PE information: |
Source: | File read: |
Source: | Key opened: |
Source: | ReversingLabs: |
Source: | String found in binary or memory: | (4 entries) |
Source: | File read: |
Source: | Process created: | (3 entries) |
Source: | Section loaded: | (35 entries) |
Source: | Key value queried: |
Source: | LNK file: |
Source: | Binary string: | (3 entries) |
Data Obfuscation |
---|
Source: | Unpacked PE file: |
Source: | .Net Code: | (2 entries) |
Source: | .Net Code: | (3 entries) |
Source: | Process created: | (2 entries) |
Source: | Code function: | 0_2_00434350 |
Source: | Static PE information: | (2 entries) |
Source: | Code function: | 0_2_00437C9E, 0_2_00437CCE |
Source: | Static PE information: | (2 entries) |
Source: | File created: | (2 dropped files) |
Source: | File created: | (2 entries) |
Source: | Registry value created or modified: | (2 entries) |
Source: | Process information set: | (41 entries) |
Malware Analysis System Evasion |
---|
Source: | WMI Queries: | (10 entries) |
Source: | Memory allocated: | (3 entries) |
Source: | Thread delayed: |
Source: | Window / User API: | (2 entries) |
Source: | Dropped PE file which has not been started: | (dropped file) |
Source: | Evasive API call chain: | graph_0-9789 |
Source: | API coverage: |
Source: | Thread sleep time: |
Source: | Thread sleep count: | (2 entries) |
Source: | File Volume queried: | (11 entries) |
Source: | Thread delayed: |
Source: | Binary or memory string: |
Source: | Code function: | 0_2_00434350 |
Source: | Process token adjusted: |
Source: | Process created: |
Source: | Memory allocated: |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Memory allocated: |
Source: | Memory written: | (3 entries) |
Source: | Code function: | 0_2_004324DC |
Source: | Binary or memory string: | (3 entries) |
Source: | Code function: | 0_2_0043271F, 0_2_004327AB |
Source: | Queries volume information: | (3 entries) |
Source: | Code function: | 0_2_00421838 |
Source: | Key value queried: |
Source: | Binary or memory string: |
Source: | WMI Queries: | (10 entries) |

The Memory allocated / Memory written rows in this section are the cross-process writes that the ATT&CK matrix below counts under Process Injection; together with the argument-less csc.exe child in the process tree they are consistent with the .NET payload being injected into the compiler process rather than dropped as its own executable.
Stealing of Sensitive Information |
---|
Source: | File source: | (10 entries) |
Remote Access Functionality |
---|
Source: | File source: | (10 entries) |
MITRE ATT&CK techniques with signature matches (the leading number is the hit prefix shown in the report's matrix; matrix cells without a match are omitted):

Tactic | Matched techniques |
---|---|
Execution | 11 Windows Management Instrumentation; 2 Command and Scripting Interpreter; 2 Native API |
Persistence | 21 Registry Run Keys / Startup Folder; 1 DLL Side-Loading |
Privilege Escalation | 32 Process Injection; 21 Registry Run Keys / Startup Folder; 1 DLL Side-Loading |
Defense Evasion | 1 Masquerading; 11 Disable or Modify Tools; 131 Virtualization/Sandbox Evasion; 32 Process Injection; 11 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 31 Software Packing; 1 DLL Side-Loading |
Credential Access | 111 Input Capture |
Discovery | 1 System Time Discovery; 121 Security Software Discovery; 1 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 24 System Information Discovery |
Collection | 111 Input Capture; 11 Archive Collected Data; 2 Clipboard Data |
Command and Control | 1 Encrypted Channel; 1 Non-Standard Port; 1 Application Layer Protocol |

No matches: Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration, Impact.
Antivirus results, in the report's order (sample, dropped file, URL):

Detection | Scanner | Label |
---|---|---|
61% | ReversingLabs | Win32.Trojan.Leonem |
100% | Avira | TR/Crypt.XPACK.Gen2 |

Detection | Scanner | Label |
---|---|---|
100% | Avira | TR/Crypt.XPACK.Gen2 |
0% | ReversingLabs | |

Detection | Scanner | Label |
---|---|---|
0% | Avira URL Cloud | safe |

IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
45.32.146.65 | unknown | United States | 20473 | AS-CHOOPAUS | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1562564 |
Start date and time: | 2024-11-25 18:02:03 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 8m 17s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 9 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | QuickTextPaste.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@3/3@0/1 |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target csc.exe, PID 7588 because it is empty
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: QuickTextPaste.exe

Coverage caveat: the run ended on timeout, several call types were truncated for report size and not every process was analysed, so anything absent from this report (further dropped files, additional C2 traffic, later-stage modules) is unobserved rather than ruled out.
Time | Type | Description |
---|---|---|
12:03:23 | API Interceptor | |
17:03:24 | Autostart | |
17:03:32 | Autostart | |
17:03:41 | Autostart |
Context for 45.32.146.65 (other Joe Sandbox submissions that contacted this IP):

Match | Detection | Threat Name |
---|---|---|
45.32.146.65 | malicious | Xmrig |

Context for AS-CHOOPAUS (other submissions in this ASN):

Detection | Threat Name |
---|---|
malicious | MeshAgent |
malicious | MeshAgent |
malicious | Unknown |
malicious | Unknown |
malicious | Unknown |
malicious | Mirai, Okiru |
malicious | Unknown |
malicious | Mirai |
malicious | Unknown |
malicious | Xmrig |

Weigh these two tables differently. The IP-level match (an Xmrig sample using the same address) is specific to this C2 host. AS20473 (Choopa/Vultr) is a large general-purpose VPS provider, so the ASN-level matches are mostly unrelated tenants and say nothing about this operator.
Dropped file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe |
Category: | dropped |
Size (bytes): | 763 |
Entropy (8bit): | 5.062818943637931 |
Encrypted: | false |
SSDEEP: | 12:8/VN624oA/4f4tChSgedY//0tFctL2d8pVjAEqwNHkstmV:8/VN8TgsjgZN2dMhAEqwCstm |
MD5: | 6F6B57DDAF09191583BD5946E1998911 |
SHA1: | 3FE4A82861D4BC05CFDE7475EED6074963B3060E |
SHA-256: | 8D7490D8038AF2DD8EF0455161CE117375A083EBA572B5867FA0F32487F4DB38 |
SHA-512: | D77E5FAF156E75C4C45C67C88070534D114E8F3D3B0506AB9DF1DE1085E7B54C0A15023F6FF086414E764894CF66323B9CAA74704895A4915F0046E39C1BD169 |
Malicious: | false |
Reputation: | low |

This shortcut is the persistence the matrix records as Registry Run Keys / Startup Folder: anything in the per-user Startup folder runs at every logon. It was written by the csc.exe child, not by the sample itself, and "Malicious: false" only means the .lnk is not detected as a file; XClient is the default name XWorm's builder gives its client. On a suspect host, list this folder and resolve each shortcut's target before trusting the directory's contents.

Dropped file (a byte-identical copy of the .NET compiler: the MD5 matches the csc.exe in the process tree)
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe |
Category: | dropped |
Size (bytes): | 2141552 |
Entropy (8bit): | 6.386741262990515 |
Encrypted: | false |
SSDEEP: | 49152:Mnqqr9wJI6S7RSSon9X6f4IeY0+h1s410I1xIdcxynt:Mnq29lFHon9X5Iddq41Lxry |
MD5: | EB80BB1CA9B9C7F516FF69AFCFD75B7D |
SHA1: | DB402FB24B206C4A378A74FD649C60A413CE5A92 |
SHA-256: | 38C407DBF41E99396B78D00DD796930D8838DCB4AF77C3F23BA0E800D1213EBE |
SHA-512: | B7669D624366D1B2C0D162053DEE91AA2A319DEA90B32E314DD8C8ABC7306035C262454A500DEDA3EF9ED833D409E958CAD759D7925E8E352B499EB86A17E814 |
Malicious: | false |
Reputation: | low |

Dropped file
Process: | C:\Users\user\Desktop\QuickTextPaste.exe |
Category: | dropped |
Size (bytes): | 979567349 |
Entropy (8bit): | 0.018309622341759393 |
Encrypted: | false |
SSDEEP: | |
MD5: | E501EFBC24F246944EE95644B388CF15 |
SHA1: | 8870EA7C3D57A213A7962167450FAAC368561E65 |
SHA-256: | B28C5899FB149E638DB5634B08032C3DAFF4559113EF8F40BED2EC97722902C7 |
SHA-512: | 3C0CB7A9AB7B14C435B695FC8FD01CA881EF45693975A1D1DF54ECF4AE2F21C050931715D93F6E04E2EB6FECAF2F5310A72AB9D1FF5CBDED77CB1CA57B104264 |
Malicious: | true |
Reputation: | low |

At 979,567,349 bytes with an 8-bit entropy of 0.018, effectively every byte of this file has the same value: the detected content is a small payload inside a very large block of constant padding. Inflating a file like this pushes it past the size limits of many scanners and upload portals (note the empty SSDEEP). The hashes above identify the padded artifact only; a practitioner comparing this drop with other submissions should hash the non-padding prefix as well.
File type: | |
Entropy (8bit): | 7.080290762638287 |
TrID: |
|
File name: | QuickTextPaste.exe |
File size: | 1'027'072 bytes |
MD5: | 1fdc72504c644ec1fcc368c24f12d94d |
SHA1: | fb77c3f53398a7781de54ae0596fed19ed7524a4 |
SHA256: | 07fdc5476b30c54df6fbb7991f855d6c9ee1d15e000e4966c06f8f2f3951b381 |
SHA512: | e214a4a09c6b8ad0526100d0d8e8bcfaf4b0844399e6b737d1740ac513eaf6e412d08e0ae74a1d69e5ee81f8d5ec35d16b3b937162eb8b5ae45ec275f300a88d |
SSDEEP: | 12288:H1JjmFIYq7Dmy8tTB8ELASLB71s9Nxr/3tgOTSGaOqlL9/d/Ce4+s6SeTEETRnLE:bye7etHLvLBhmZPtgtd4cLTEQNE |
TLSH: | FD25AE007701852FD1AA78BA06ABA7F5AA691D761C334503725FBF2CEB38417E1117EE |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........................................................................9..........._.......Rich....................PE..L.....7g... |
Icon Hash: | 0f2fcaabb0aaf830 |
Entrypoint: | 0x437ee0 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | |
Time Stamp: | 0x67371DD6 [Fri Nov 15 10:09:26 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | e65d5d56989c1441945255d78668884e |
Signature Valid: | |
Signature Issuer: | |
Signature Validation Error: | |
Error Number: | |
Not Before, Not After | |
Subject Chain | |
Version: | |
Thumbprint MD5: | |
Thumbprint SHA-1: | |
Thumbprint SHA-256: | |
Serial: | |

Two points in this static block deserve a check before the binary is handled as "a signed application". First, "Digitally signed: true" here only means a certificate table exists (the IMAGE_DIRECTORY_ENTRY_SECURITY entry below is non-empty); no issuer, validity window or validation result is shown, so validate the Authenticode signature yourself (signtool verify /pa /v, or Get-AuthenticodeSignature in PowerShell), and expect a packed or trojanized build of a legitimately signed program to carry the publisher's version resources whether or not the signature still verifies. Second, DLL Characteristics is empty and RELOCS_STRIPPED is set: the image declares neither DYNAMIC_BASE nor NX_COMPAT and cannot be relocated, so it always maps at its 0x400000 image base.
Entrypoint disassembly (0x437ee0, .text):

```asm
push ebp
mov ebp, esp
push FFFFFFFFh
push 0043D1E8h
push 00438066h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
pop edi
push edi
call 00007EFE14691DA1h
nop
pop ecx
or dword ptr [004808F4h], FFFFFFFFh
or dword ptr [004808F8h], FFFFFFFFh
call dword ptr [0043C330h]
mov ecx, dword ptr [004808C8h]
mov dword ptr [eax], ecx
call dword ptr [0043C2ACh]
mov ecx, dword ptr [004808C4h]
mov dword ptr [eax], ecx
mov eax, dword ptr [0043C234h]
mov eax, dword ptr [eax]
mov dword ptr [004808F0h], eax
call 00007EFE146C8DADh
cmp dword ptr [00456140h], ebx
jne 00007EFE146C8C6Eh
push 00438096h
call dword ptr [0043C238h]
pop ecx
call 00007EFE146C8D7Fh
push 004440ECh
push 004440E8h
call 00007EFE146C8D6Ah
mov eax, dword ptr [004808C0h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [004808BCh]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0043C240h]
push 004440E4h
push 00444000h
```

This is the stock MSVC C runtime start-up sequence for a GUI program: an SEH frame is registered through fs:[0], __set_app_type is called with 2 (the push 2 / pop edi / push edi / call), _fmode and _commode are set to -1 through __p__fmode and __p__commode, __getmainargs receives the five pushed pointers, and _initterm is run over the C initializer tables. The entry point itself is ordinary compiled code, not a packer stub; the 7.63-entropy, writable .data section in the table below is the more likely home of whatever the "Unpacked PE file" and "Software Packing" signatures refer to.
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x418e8 | 0xdc | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x81000 | 0xa6908 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x72200 | 0x2908 | .data |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3c000 | 0x634 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x3a2ea | 0x3a400 | 556493db292203113e5324c6d7f95608 | False | 0.5195773538090128 | data | 6.817168827886 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x3c000 | 0x77cc | 0x7800 | 91c6ff2fd3bb8dc0dd623e04098000ef | False | 0.3382161458333333 | data | 4.707298007686286 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x44000 | 0x3c8fc | 0x12200 | 044dced594e170048a01f833f33579cd | False | 0.8952586206896552 | data | 7.634244653448693 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x81000 | 0xa6908 | 0xa6a00 | e46c92bd2102032dc0d1beac94412508 | False | 0.5088044472055514 | data | 6.990670517689552 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
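One check the two tables above make possible is where the certificate table actually sits. IMAGE_DIRECTORY_ENTRY_SECURITY is the one data directory whose "Virtual Address" is a raw file offset rather than an RVA, which is why the tool labels 0x72200 as ".data" (that value as an RVA falls in .data). The Python below is an added example, not part of the report or of Joe Sandbox: it takes the section table and the security directory as printed, assumes a 0x400 header (the standard file alignment, and the only header size at which the four raw sizes sum to the reported 1'027'072-byte file) and reports whether the certificate table is appended after the last section, as signtool writes it, or lands inside a section's raw bytes.

```python
"""Locate the Authenticode certificate table relative to the section layout.

Added example (not from the report): section values and the security directory
entry are copied from the static tables; the 0x400 header size is an assumption
(standard file alignment; it is also the only header size at which the raw
sizes add up to the reported 1'027'072-byte file).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Section:
    name: str
    rva: int        # Virtual Address
    vsize: int      # Virtual Size
    raw_size: int   # Raw Size (SizeOfRawData)


# From the report: Name | Virtual Address | Virtual Size | Raw Size
SECTIONS = [
    Section(".text",  0x1000,  0x3a2ea, 0x3a400),
    Section(".rdata", 0x3c000, 0x77cc,  0x7800),
    Section(".data",  0x44000, 0x3c8fc, 0x12200),
    Section(".rsrc",  0x81000, 0xa6908, 0xa6a00),
]
FILE_SIZE = 1_027_072               # "File size: 1'027'072 bytes"
SECURITY_DIR = (0x72200, 0x2908)    # IMAGE_DIRECTORY_ENTRY_SECURITY: (file offset, size)
HEADER_SIZE = 0x400                 # assumption, see docstring


def raw_layout(sections, header=HEADER_SIZE):
    """Contiguous raw file ranges [(name, start, end), ...], one per section."""
    layout, off = [], header
    for s in sections:
        layout.append((s.name, off, off + s.raw_size))
        off += s.raw_size
    return layout


def overlay_size(sections, file_size, header=HEADER_SIZE):
    """Bytes after the last section; an appended signature lives here."""
    end = raw_layout(sections, header)[-1][2]
    if end > file_size:
        raise ValueError("section table extends past the end of the file")
    return file_size - end


def locate_security_dir(sections, file_size, security_dir, header=HEADER_SIZE):
    """Return 'unsigned', 'truncated', 'appended' or 'inside <section>'."""
    off, size = security_dir
    if off == 0 or size == 0:
        return "unsigned"
    if off + size > file_size:
        return "truncated"           # the table claims bytes the file does not have
    layout = raw_layout(sections, header)
    if off >= layout[-1][2]:
        return "appended"            # the normal place for an Authenticode blob
    for name, start, end in layout:
        if start <= off < end:
            return f"inside {name}"
    return "inside headers"


def rva_section(sections, rva):
    """Section whose virtual range contains rva: what a tool reports when it
    mistakes the certificate offset for an RVA."""
    for s in sections:
        if s.rva <= rva < s.rva + s.vsize:
            return s.name
    return None


if __name__ == "__main__":
    print("bytes after last section:", overlay_size(SECTIONS, FILE_SIZE))
    print("certificate table:", locate_security_dir(SECTIONS, FILE_SIZE, SECURITY_DIR))
    print("treated as an RVA it would be in:", rva_section(SECTIONS, SECURITY_DIR[0]))
```

For this file the raw sections end exactly at the file size, so there is no overlay at all, and the 0x2908-byte certificate table at 0x72200 falls inside .rsrc's raw data. That is not by itself proof of tampering, but it is not how signtool lays out a signed file, so it is the right moment to verify the signature rather than take "Digitally signed: true" on trust.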
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
PNG | 0x81f6c | 0xefec | data | 0.9566916313904266 | ||
TEXTINCLUDE | 0x90f58 | 0x49 | ASCII text, with CRLF line terminators | 1.0136986301369864 | ||
RT_BITMAP | 0x90fa4 | 0x3668 | Device independent bitmap graphic, 512 x 54 x 4, image size 13824, 16 important colors | German | Germany | 0.16082711085582999 |
RT_BITMAP | 0x9460c | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | German | Germany | 0.3620689655172414 |
RT_BITMAP | 0x946f4 | 0xd4 | Device independent bitmap graphic, 18 x 9 x 4, image size 108 | German | Germany | 0.42924528301886794 |
RT_BITMAP | 0x947c8 | 0x158 | Device independent bitmap graphic, 32 x 15 x 4, image size 240 | German | Germany | 0.3081395348837209 |
RT_BITMAP | 0x94920 | 0xd4 | Device independent bitmap graphic, 18 x 9 x 4, image size 108, resolution 2867 x 2867 px/m, 16 important colors | German | Germany | 0.6132075471698113 |
RT_BITMAP | 0x949f4 | 0x3e8 | Device independent bitmap graphic, 112 x 16 x 4, image size 896 | German | Germany | 0.303 |
RT_BITMAP | 0x94ddc | 0x4e8 | Device independent bitmap graphic, 48 x 48 x 4, image size 1152 | German | Germany | 0.04856687898089172 |
RT_BITMAP | 0x952c4 | 0x4e8 | Device independent bitmap graphic, 48 x 48 x 4, image size 1152 | German | Germany | 0.04856687898089172 |
RT_BITMAP | 0x957ac | 0x4e8 | Device independent bitmap graphic, 48 x 48 x 4, image size 1152 | German | Germany | 0.04856687898089172 |
RT_BITMAP | 0x95c94 | 0x4e8 | Device independent bitmap graphic, 48 x 48 x 4, image size 1152 | German | Germany | 0.04856687898089172 |
RT_BITMAP | 0x9617c | 0x1aa8 | Device independent bitmap graphic, 128 x 105 x 4, image size 6720 | German | Germany | 0.011137162954279016 |
RT_BITMAP | 0x97c24 | 0x4e8 | Device independent bitmap graphic, 48 x 48 x 4, image size 1152 | English | United States | 0.04856687898089172 |
RT_BITMAP | 0x9810c | 0xd10 | Device independent bitmap graphic, 144 x 45 x 4, image size 3240 | German | Germany | 0.0215311004784689 |
RT_BITMAP | 0x98e1c | 0x4e8 | Device independent bitmap graphic, 48 x 48 x 4, image size 1152 | German | Germany | 0.04856687898089172 |
RT_ICON | 0x99304 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | German | Germany | 0.3398014440433213 |
RT_ICON | 0x99bac | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | German | Germany | 0.24783236994219654 |
RT_ICON | 0x9a114 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | German | Germany | 0.3783783783783784 |
RT_ICON | 0x9a23c | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | German | Germany | 0.1827956989247312 |
RT_ICON | 0x9a524 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | German | Germany | 0.2668918918918919 |
RT_ICON | 0x9a64c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | German | Germany | 0.7322695035460993 |
RT_ICON | 0x9aab4 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | German | Germany | 0.4294090056285178 |
RT_ICON | 0x9bb5c | 0x368 | Device independent bitmap graphic, 16 x 32 x 24, image size 832 | German | Germany | 0.6353211009174312 |
RT_ICON | 0x9bec4 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | German | Germany | 0.5032833020637899 |
RT_ICON | 0x9cf6c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | German | Germany | 0.3432080924855491 |
RT_DIALOG | 0x9d4d4 | 0xbc | data | German | Germany | 0.7287234042553191 |
RT_DIALOG | 0x9d590 | 0x98 | data | German | Germany | 0.7763157894736842 |
RT_DIALOG | 0x9d628 | 0x5a | data | German | Germany | 0.8111111111111111 |
RT_DIALOG | 0x9d684 | 0xa4 | data | German | Germany | 0.7012195121951219 |
RT_DIALOG | 0x9d728 | 0xa8 | data | German | Germany | 0.7797619047619048 |
RT_DIALOG | 0x9d7d0 | 0x3b6 | data | German | Germany | 0.4610526315789474 |
RT_DIALOG | 0x9db88 | 0x36 | data | German | Germany | 0.7962962962962963 |
RT_DIALOG | 0x9dbc0 | 0xca | data | German | Liechtenstein | 0.6782178217821783 |
RT_DIALOG | 0x9dc8c | 0xb6 | data | German | Germany | 0.6813186813186813 |
RT_DIALOG | 0x9dd44 | 0x80 | data | German | Germany | 0.796875 |
RT_DIALOG | 0x9ddc4 | 0x90 | data | German | Germany | 0.7361111111111112 |
RT_DIALOG | 0x9de54 | 0x90 | data | German | Germany | 0.7361111111111112 |
RT_DIALOG | 0x9dee4 | 0x90 | data | German | Germany | 0.7361111111111112 |
RT_DIALOG | 0x9df74 | 0x90 | data | German | Germany | 0.7361111111111112 |
RT_DIALOG | 0x9e004 | 0x90 | data | German | Germany | 0.7361111111111112 |
RT_DIALOG | 0x9e094 | 0x90 | data | German | Germany | 0.7361111111111112 |
RT_DIALOG | 0x9e124 | 0x90 | data | German | Germany | 0.7361111111111112 |
RT_DIALOG | 0x9e1b4 | 0xa6 | data | German | Germany | 0.7469879518072289 |
RT_DIALOG | 0x9e25c | 0x90 | data | German | Germany | 0.7361111111111112 |
RT_DIALOG | 0x9e2ec | 0x90 | data | German | Germany | 0.7361111111111112 |
RT_DIALOG | 0x9e37c | 0x90 | data | German | Germany | 0.7361111111111112 |
RT_DIALOG | 0x9e40c | 0xf2 | data | | | 0.6776859504132231 |
RT_STRING | 0x9e500 | 0x80 | data | German | Germany | 0.453125 |
RT_STRING | 0x9e580 | 0x50 | data | German | Germany | 0.6625 |
RT_GROUP_ICON | 0x9e5d0 | 0x22 | data | German | Germany | 0.9705882352941176 |
RT_GROUP_ICON | 0x9e5f4 | 0x14 | data | German | Germany | 1.25 |
RT_GROUP_ICON | 0x9e608 | 0x14 | data | German | Germany | 1.2 |
RT_GROUP_ICON | 0x9e61c | 0x14 | data | German | Germany | 1.2 |
RT_GROUP_ICON | 0x9e630 | 0x14 | data | German | Germany | 1.25 |
RT_GROUP_ICON | 0x9e644 | 0x14 | data | German | Germany | 1.25 |
RT_GROUP_ICON | 0x9e658 | 0x14 | data | German | Germany | 1.2 |
RT_GROUP_ICON | 0x9e66c | 0x14 | data | German | Germany | 1.25 |
RT_GROUP_ICON | 0x9e680 | 0x14 | data | German | Germany | 1.25 |
RT_VERSION | 0x9e694 | 0x45c | data | | | 0.3888888888888889 |
RT_VXD | 0x9eaf0 | 0x8836 | PC bitmap, Windows 3.x format, 5210 x 2 x 37, image size 35523, cbSize 34870, bits offset 54 | | | 0.7212503584743333 |
RT_ANIICON | 0xa7328 | 0xcee3 | PC bitmap, Windows 3.x format, 7149 x 2 x 42, image size 53618, cbSize 52963, bits offset 54 | | | 0.4219360685761758 |
RT_ANIICON | 0xb420c | 0x80d5 | PC bitmap, Windows 3.x format, 4750 x 2 x 49, image size 32991, cbSize 32981, bits offset 54 | | | 0.4458324489857797 |
RT_ANIICON | 0xbc2e4 | 0x9aea | PC bitmap, Windows 3.x format, 5872 x 2 x 46, image size 40456, cbSize 39658, bits offset 54 | | | 0.42732866004337083 |
RT_ANIICON | 0xc5dd0 | 0x33edf | PC bitmap, Windows 3.x format, 27311 x 2 x 36, image size 213277, cbSize 212703, bits offset 54 | | | 0.4810510430036248 |
RT_ANIICON | 0xf9cb0 | 0x2d78f | PC bitmap, Windows 3.x format, 23698 x 2 x 52, image size 186515, cbSize 186255, bits offset 54 | | | 0.4956591769348474 |
RT_MANIFEST | 0x127440 | 0x334 | XML 1.0 document, ASCII text, with CRLF line terminators | | | 0.4975609756097561 |
None | 0x127774 | 0xaa | data | German | Germany | 0.40588235294117647 |
None | 0x127820 | 0xaa | data | German | Germany | 0.40588235294117647 |
None | 0x1278cc | 0xc | Windows metafile | German | Germany | 1.5 |
None | 0x1278d8 | 0xc | data | German | Germany | 1.6666666666666667 |
None | 0x1278e4 | 0x22 | data | German | Germany | 1.0 |
DLL | Import |
---|---|
KERNEL32.dll | GetStartupInfoW, CreateThread, TerminateThread, FindFirstFileW, FindClose, FormatMessageW, GetEnvironmentVariableW, GetComputerNameW, GetLocaleInfoW, Sleep, LocalFree, CreateMutexW, MulDiv, lstrcpynW, OutputDebugStringA, GetLocalTime, GetPrivateProfileStringW, WritePrivateProfileStringW, CreateDirectoryW, GetUserDefaultLangID, GetFileAttributesW, InitializeCriticalSection, DeleteCriticalSection, GlobalHandle, FreeResource, DeleteFileW, lstrcmpW, lstrcatW, CopyFileW, GetTempPathW, GetTimeZoneInformation, GetModuleFileNameW, GetModuleHandleW, GetCurrentThreadId, GetVersionExW, GlobalReAlloc, FindResourceW, LoadResource, LockResource, FreeLibrary, LoadLibraryW, GetProcAddress, lstrlenA, InterlockedDecrement, InterlockedIncrement, GetLastError, WriteFile, CreateFileW, GetFileSize, ReadFile, CloseHandle, OutputDebugStringW, lstrcmpiW, GlobalSize, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, GlobalLock, GlobalUnlock, GlobalFree, EnterCriticalSection, LeaveCriticalSection, lstrlenW, GetCurrentProcess, FlushInstructionCache, lstrcpyW, InterlockedExchange |
USER32.dll | GetWindowRect, IsWindowVisible, FindWindowExW, PtInRect, GetCursorPos, ScreenToClient, GetWindowTextW, GetDlgCtrlID, GetScrollPos, SetWindowTextW, GetKeyState, SetFocus, LoadCursorW, SendMessageW, RegisterClassExW, CreateWindowExW, LoadImageW, GetWindowLongW, GetSysColor, DefWindowProcW, CallWindowProcW, SetMenuItemInfoW, EndDialog, SystemParametersInfoW, CharNextW, EnumClipboardFormats, GetClipboardFormatNameW, GetClipboardData, MessageBoxW, RegisterClipboardFormatW, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, SetWindowLongW, EnumChildWindows, CharLowerW, SetParent, CopyRect, DestroyWindow, PostQuitMessage, KillTimer, GetActiveWindow, SetTimer, DispatchMessageW, TranslateMessage, GetMessageW, PeekMessageW, CreateDialogParamW, GetSystemMetrics, MapWindowPoints, GetSysColorBrush, ReleaseDC, GetDC, GetClientRect, GetDlgItem, LoadBitmapW, SetWindowPos, ShowWindow, IsDialogMessageW, GetParent, IsChild, GetFocus, TrackPopupMenuEx, DestroyMenu, GetWindow, CreateDialogIndirectParamW, GetClassInfoExW, RegisterWindowMessageW, GetWindowTextLengthW, EndPaint, FillRect, BeginPaint, IsWindow, RedrawWindow, GetClassNameW, GetDesktopWindow, CreateAcceleratorTableW, wsprintfW, LoadStringW, ReleaseCapture, GetIconInfo, SetCapture, DrawAnimatedRects, DestroyIcon, CopyImage, GetKeyboardState, MessageBoxA, DrawEdge, GetCapture, SetCursor, GetMessagePos, GetSubMenu, SetRectEmpty, GetWindowPlacement, RegisterHotKey, UnregisterHotKey, UnhookWindowsHookEx, SetDlgItemTextW, GetDlgItemTextW, EnableWindow, IsCharLowerW, SendMessageA, EnableMenuItem, CheckMenuItem, GetForegroundWindow, GetWindowThreadProcessId, AttachThreadInput, GetCaretPos, SetRect, SetForegroundWindow, SetActiveWindow, GetMenuItemRect, GetMenuItemCount, GetMenuState, GetMenuItemID, CreatePopupMenu, CharUpperW, keybd_event, MapVirtualKeyW, DialogBoxParamW, GetDlgItemInt, UpdateWindow, LoadIconW, LoadAcceleratorsW, EnumWindows, SendMessageTimeoutW, AppendMenuW, DrawFocusRect, InflateRect, IntersectRect, IsRectEmpty, ClientToScreen, MoveWindow, PostMessageW, SetWindowsHookExW, CallNextHookEx, GetWindowDC, GetMenuItemInfoW, OffsetRect, SetPropW, InvalidateRgn, DrawTextW, InvalidateRect, CreateIconIndirect |
GDI32.dll | LPtoDP, RestoreDC, LineTo, MoveToEx, CreatePen, SaveDC, DPtoLP, CreatePatternBrush, SetBitmapBits, GetBitmapBits, SetPixel, GetPixel, SetWindowOrgEx, GetBkColor, ExcludeClipRect, SetPixelV, GetTextExtentPoint32W, OffsetWindowOrgEx, GetClipBox, CreateSolidBrush, GetDeviceCaps, CreateDCW, CreateEnhMetaFileW, CloseEnhMetaFile, SelectPalette, RealizePalette, CreateCompatibleBitmap, GetCurrentObject, CreateBitmap, GetStockObject, SetBkMode, SetTextColor, GetDIBits, GetObjectW, CreateDIBSection, CreateCompatibleDC, SelectObject, SetBkColor, ExtTextOutW, CreateFontIndirectW, DeleteObject, BitBlt, DeleteDC, PatBlt |
comdlg32.dll | GetOpenFileNameW |
ADVAPI32.dll | CryptAcquireContextW, CryptDestroyHash, CryptReleaseContext, CryptHashData, CryptGetHashParam, RegDeleteValueW, RegSetValueExW, RegCloseKey, RegCreateKeyExW, RegQueryValueExW, RegOpenKeyW, GetUserNameW, CryptCreateHash, OpenProcessToken, GetTokenInformation, RegOpenKeyExW |
SHELL32.dll | SHGetFileInfoW, SHAppBarMessage, Shell_NotifyIconW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, SHGetSpecialFolderPathW, ShellExecuteW, ShellExecuteExW |
ole32.dll | RegisterDragDrop, CreateStreamOnHGlobal, CoInitialize, CoCreateInstance, OleInitialize, OleUninitialize, CLSIDFromProgID, CLSIDFromString, StringFromCLSID, OleLockRunning, CoTaskMemAlloc, DoDragDrop, CoTaskMemFree |
OLEAUT32.dll | VariantTimeToSystemTime, OleCreateFontIndirect, SysAllocStringLen, SafeArrayDestroy, VariantInit, SafeArrayCreateVector, SafeArrayAccessData, SafeArrayUnaccessData, SysAllocString, SysStringLen, LoadRegTypeLib, DispCallFunc, VariantClear, SysFreeString, SystemTimeToVariantTime |
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_GetIcon, ImageList_GetImageCount, ImageList_Create, ImageList_Add, ImageList_Draw, ImageList_LoadImageW, InitCommonControlsEx, ImageList_DrawEx |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
German | Germany | |
English | United States | |
German | Liechtenstein | |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-25T18:03:35.903281+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.9 | 49709 | 45.32.146.65 | 6868 | TCP |
2024-11-25T18:06:07.898238+0100 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.9 | 49716 | 45.32.146.65 | 6868 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 25, 2024 18:03:23.869184017 CET | 49709 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:03:23.990421057 CET | 6868 | 49709 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:03:23.990551949 CET | 49709 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:03:24.554229021 CET | 49709 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:03:24.678538084 CET | 6868 | 49709 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:03:35.903280973 CET | 49709 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:03:36.024024010 CET | 6868 | 49709 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:03:45.935614109 CET | 6868 | 49709 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:03:45.938915968 CET | 49709 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:03:49.540198088 CET | 49709 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:03:49.541701078 CET | 49710 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:03:49.660825014 CET | 6868 | 49709 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:03:49.662334919 CET | 6868 | 49710 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:03:49.662971020 CET | 49710 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:03:50.353754044 CET | 49710 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:03:50.475444078 CET | 6868 | 49710 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:04:02.448378086 CET | 49710 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:04:02.568770885 CET | 6868 | 49710 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:04:11.608067036 CET | 6868 | 49710 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:04:11.608145952 CET | 49710 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:04:11.823463917 CET | 49710 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:04:11.922255039 CET | 49712 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:04:11.943888903 CET | 6868 | 49710 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:04:12.212208033 CET | 6868 | 49712 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:04:12.212291002 CET | 49712 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:04:12.561500072 CET | 49712 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:04:12.683285952 CET | 6868 | 49712 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:04:26.991821051 CET | 49712 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:04:27.112965107 CET | 6868 | 49712 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:04:28.272924900 CET | 49712 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:04:28.394092083 CET | 6868 | 49712 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:04:28.394164085 CET | 49712 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:04:28.515222073 CET | 6868 | 49712 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:04:33.491642952 CET | 49712 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:04:33.612240076 CET | 6868 | 49712 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:04:34.170609951 CET | 6868 | 49712 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:04:34.171183109 CET | 49712 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:04:38.553982019 CET | 49712 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:04:38.556436062 CET | 49713 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:04:38.674442053 CET | 6868 | 49712 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:04:38.676781893 CET | 6868 | 49713 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:04:38.676845074 CET | 49713 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:04:38.716262102 CET | 49713 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:04:38.837819099 CET | 6868 | 49713 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:04:38.851119041 CET | 49713 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:04:38.972148895 CET | 6868 | 49713 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:04:46.679233074 CET | 49713 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:04:46.805741072 CET | 6868 | 49713 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:04:49.023497105 CET | 49713 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:04:49.143953085 CET | 6868 | 49713 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:04:49.144007921 CET | 49713 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:04:49.264439106 CET | 6868 | 49713 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:04:49.264653921 CET | 49713 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:04:49.385580063 CET | 6868 | 49713 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:05:00.702300072 CET | 6868 | 49713 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:05:00.702450991 CET | 49713 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:05:05.146924019 CET | 49713 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:05:05.147634983 CET | 49714 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:05:05.267416954 CET | 6868 | 49713 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:05:05.268047094 CET | 6868 | 49714 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:05:05.268171072 CET | 49714 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:05:05.554096937 CET | 49714 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:05:05.675405025 CET | 6868 | 49714 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:05:05.913738012 CET | 49714 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:05:06.034167051 CET | 6868 | 49714 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:05:06.820024967 CET | 49714 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:05:06.941235065 CET | 6868 | 49714 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:05:16.741787910 CET | 49714 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:05:16.866660118 CET | 6868 | 49714 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:05:27.209274054 CET | 6868 | 49714 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:05:27.209341049 CET | 49714 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:05:27.211047888 CET | 49714 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:05:27.213447094 CET | 49715 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:05:27.406553030 CET | 6868 | 49714 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:05:27.406585932 CET | 6868 | 49715 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:05:27.407341957 CET | 49715 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:05:27.503576994 CET | 49715 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:05:27.730982065 CET | 6868 | 49715 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:05:27.773173094 CET | 49715 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:05:27.897584915 CET | 6868 | 49715 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:05:32.835948944 CET | 49715 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:05:32.956799030 CET | 6868 | 49715 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:05:38.789016008 CET | 49715 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:05:38.909796000 CET | 6868 | 49715 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:05:49.522412062 CET | 6868 | 49715 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:05:49.522488117 CET | 49715 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:05:49.527211905 CET | 49715 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:05:49.531613111 CET | 49716 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:05:49.647892952 CET | 6868 | 49715 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:05:49.652046919 CET | 6868 | 49716 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:05:49.652122021 CET | 49716 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:05:50.231338978 CET | 49716 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:05:50.351882935 CET | 6868 | 49716 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:05:56.086155891 CET | 49716 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:05:56.206588030 CET | 6868 | 49716 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:05:56.206681013 CET | 49716 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:05:56.327116966 CET | 6868 | 49716 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:05:56.327156067 CET | 49716 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:05:56.449925900 CET | 6868 | 49716 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:05:59.241975069 CET | 49716 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:05:59.362601042 CET | 6868 | 49716 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:06:07.898237944 CET | 49716 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:06:08.019362926 CET | 6868 | 49716 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:06:11.688457966 CET | 6868 | 49716 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:06:11.688544035 CET | 49716 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:06:12.992331982 CET | 49716 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:06:12.993706942 CET | 49717 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:06:13.113686085 CET | 6868 | 49716 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:06:13.114526033 CET | 6868 | 49717 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:06:13.114666939 CET | 49717 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:06:13.401531935 CET | 49717 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:06:13.522897959 CET | 6868 | 49717 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:06:14.243582964 CET | 49717 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:06:14.364485025 CET | 6868 | 49717 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:06:14.554737091 CET | 49717 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:06:14.675409079 CET | 6868 | 49717 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:06:14.675462961 CET | 49717 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:06:14.796021938 CET | 6868 | 49717 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:06:14.913954973 CET | 49717 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:06:15.126004934 CET | 6868 | 49717 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:06:15.126069069 CET | 49717 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:06:15.248585939 CET | 6868 | 49717 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:06:28.929629087 CET | 49717 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:06:29.055922031 CET | 6868 | 49717 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:06:35.054492950 CET | 6868 | 49717 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:06:35.057905912 CET | 49717 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:06:36.242028952 CET | 49717 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:06:36.244512081 CET | 49718 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:06:36.365820885 CET | 6868 | 49717 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:06:36.367286921 CET | 6868 | 49718 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:06:36.367367983 CET | 49718 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:06:36.801811934 CET | 49718 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:06:36.923224926 CET | 6868 | 49718 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:06:36.960993052 CET | 49718 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:06:37.082010984 CET | 6868 | 49718 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:06:37.082200050 CET | 49718 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:06:37.208972931 CET | 6868 | 49718 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:06:51.711752892 CET | 49718 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:06:51.832300901 CET | 6868 | 49718 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:06:55.539432049 CET | 49718 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:06:55.659934044 CET | 6868 | 49718 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:06:57.726689100 CET | 49718 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:06:57.847162008 CET | 6868 | 49718 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:06:57.847234964 CET | 49718 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:06:57.967724085 CET | 6868 | 49718 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:06:58.361110926 CET | 6868 | 49718 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:06:58.361170053 CET | 49718 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:07:02.885019064 CET | 49718 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:07:02.886802912 CET | 49719 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:07:03.005667925 CET | 6868 | 49718 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:07:03.007308006 CET | 6868 | 49719 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:07:03.013866901 CET | 49719 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:07:03.930949926 CET | 49719 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:07:04.052056074 CET | 6868 | 49719 | 45.32.146.65 | 192.168.2.9 |
Nov 25, 2024 18:07:07.835850954 CET | 49719 | 6868 | 192.168.2.9 | 45.32.146.65 |
Nov 25, 2024 18:07:08.046456099 CET | 6868 | 49719 | 45.32.146.65 | 192.168.2.9 |
Target ID: | 0 |
Start time: | 12:02:59 |
Start date: | 25/11/2024 |
Path: | C:\Users\user\Desktop\QuickTextPaste.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 1'027'072 bytes |
MD5 hash: | 1FDC72504C644EC1FCC368C24F12D94D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | true |
Target ID: | 3 |
Start time: | 12:03:18 |
Start date: | 25/11/2024 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x940000 |
File size: | 2'141'552 bytes |
MD5 hash: | EB80BB1CA9B9C7F516FF69AFCFD75B7D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | moderate |
Has exited: | false |
Execution Graph
Execution Coverage: | 0.3% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 4.8% |
Total number of Nodes: | 1245 |
Total number of Limit Nodes: | 0 |
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
00407801 | 3.7 | 1 | 1 | 189 | memory, COMMON |
00406D70 | 3.7 | 1 | 1 | 184 | memory, COMMON |
00406D59 | 3.7 | 1 | 1 | 158 | memory, COMMON |
00407959 | 3.6 | 1 | 1 | 82 | memory, COMMON |
0041E77F | 1.7 | 1 | | 183 | COMMON |
0041F32D | 1.6 | 1 | | 82 | COMMON |
0041E8FC | 1.6 | 1 | | 77 | COMMON |
0041E652 | 1.6 | 1 | | 70 | COMMON |
0041ED04 | 1.6 | 1 | | 68 | COMMON |
0041E5EA | 1.6 | 1 | | 65 | COMMON |
0041E84F | 1.5 | 1 | | 48 | COMMON |
0041F106 | 1.5 | 1 | | 39 | COMMON |
0041E8EA | 1.5 | 1 | | 32 | COMMON |
00433F0D | 12.3 | 5 | 2 | 49 | clipboard, registry, COMMON |
00426601 | 12.3 | 6 | 1 | 40 | window, COMMON |
00434350 | 8.8 | 2 | 3 | 38 | libraryloader, COMMON |
0041EF19 | 1.4 | | 1 | 159 | COMMON |
0040EBBA | 0.3 | | | 294 | COMMON |
00402A35 | 0.2 | | | 209 | COMMON |
0040EE30 | 0.2 | | | 187 | COMMON |
00402FF8 | 0.2 | | | 187 | COMMON |
00402FF2 | 0.2 | | | 185 | COMMON |
00402D9D | 0.2 | | | 167 | COMMON |
00402CBF | 0.2 | | | 150 | COMMON |
0040EF2D | 0.2 | | | 150 | COMMON |
0040EB7D | 0.1 | | | 96 | COMMON |
004210CC | 65.2 | 25 | 12 | 439 | window, string, COMMON |
004218E6 | 49.3 | 11 | 17 | 265 | string, COMMON |
00409767 | 42.3 | 22 | 2 | 281 | window, COMMON |
00427502 | 30.1 | 8 | 9 | 324 | string, window, COMMON |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004360E5 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 122windowCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004355CC Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 129windowCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00432160 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 105windowCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00421ECF Relevance: 21.2, APIs: 2, Strings: 10, Instructions: 190stringCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0042A30D Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 53stringCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00430481 Relevance: 19.6, APIs: 13, Instructions: 112COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00429893 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 112filestringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00436F70 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 84stringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0042D4F4 Relevance: 18.1, APIs: 12, Instructions: 87COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00434F5D Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 106windowCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004365CD Relevance: 15.1, APIs: 10, Instructions: 104COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00428264 Relevance: 15.1, APIs: 10, Instructions: 92COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00431AAD Relevance: 15.1, APIs: 10, Instructions: 72COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00437058 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 122windowstringCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00435886 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 100windowCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004215AA Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 81windowCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00436419 Relevance: 13.6, APIs: 9, Instructions: 81COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0043754D Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 92registrystringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00428E73 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 79windowCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00427C1A Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 55registryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00436D29 Relevance: 10.6, APIs: 7, Instructions: 140COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00424930 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 110stringwindowCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0042BE3E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 85windowCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00425931 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 79stringwindowCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00423C17 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 71stringwindowCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00424156 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 71filetimeCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0043622C Relevance: 10.6, APIs: 7, Instructions: 61windowCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00424245 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 47stringCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0042D41B Relevance: 9.1, APIs: 6, Instructions: 100COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004362C5 Relevance: 9.1, APIs: 6, Instructions: 75windowCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00430273 Relevance: 9.1, APIs: 6, Instructions: 66windowCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00425C5D Relevance: 9.1, APIs: 6, Instructions: 55windowCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0043748C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35registrystringCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0042BBBE Relevance: 7.6, APIs: 5, Instructions: 105COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004264D2 Relevance: 7.6, APIs: 5, Instructions: 86stringCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004323BC Relevance: 7.6, APIs: 5, Instructions: 64fileCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00430328 Relevance: 7.6, APIs: 5, Instructions: 58COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0041F600 Relevance: 7.5, APIs: 5, Instructions: 47COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00426DE8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55stringCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0043598B Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54windowCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0042169F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52windowCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004374EA Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28registryCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0043551A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00436C21 Relevance: 6.1, APIs: 4, Instructions: 72COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00429B7C Relevance: 6.1, APIs: 4, Instructions: 63fileCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0042D279 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004254DA Relevance: 6.0, APIs: 4, Instructions: 48windowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0042D5E3 Relevance: 6.0, APIs: 4, Instructions: 44COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004380A0 Relevance: 6.0, APIs: 4, Instructions: 43COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0041F675 Relevance: 6.0, APIs: 4, Instructions: 39windowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00421728 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51windowCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00424FEE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36stringCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004354E9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0573B408 Relevance: 1.6, APIs: 1, Instructions: 138COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0573A9B8 Relevance: 1.6, APIs: 1, Instructions: 55COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
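To work with a function list like the one above rather than read it by eye, here is an added Python example (not Joe Sandbox code and not part of this report): it parses the one-line row format Joe Sandbox emits for these entries ("Function <addr> Relevance: …, APIs: …, Strings: …, Instructions: <n><tags>"), splits the fused tag suffix into individual tags, ranks rows for manual review, and flags addresses that fall outside the main module's image. The tag vocabulary, the relevance threshold, the list of "interesting" tags and the image base/size defaults are assumptions; the sample rows are copied from this report.

```python
import re
from dataclasses import dataclass

# Tag vocabulary seen in this report's rows (an assumption; extend it when a
# new fragment appears). Matched longest-first so "libraryloader" is one tag.
KNOWN_TAGS = ("libraryloader", "clipboard", "registry", "window",
              "string", "file", "time", "COMMON")

# Joe Sandbox omits "APIs:" / "Strings:" when the count is zero and writes
# sub-1 relevance as ".3", so both parts are optional and the number is lax.
ROW_RE = re.compile(
    r"Function\s+(?P<addr>[0-9A-Fa-f]{8})\s+Relevance:\s*(?P<rel>\d*\.?\d+)"
    r"(?:,\s*APIs:\s*(?P<apis>\d+))?"
    r"(?:,\s*Strings:\s*(?P<strings>\d+))?"
    r",\s*Instructions:\s*(?P<instr>\d+)(?P<tags>[A-Za-z]*)"
)


@dataclass(frozen=True)
class FunctionRow:
    address: int
    relevance: float
    apis: int
    strings: int
    instructions: int
    tags: tuple


def split_tags(fused: str) -> tuple:
    """'windowstringCOMMON' -> ('window', 'string', 'COMMON').
    Greedy longest-match over KNOWN_TAGS; an unknown fragment raises
    instead of being dropped, so a new tag gets noticed."""
    tags, rest = [], fused
    while rest:
        for tag in sorted(KNOWN_TAGS, key=len, reverse=True):
            if rest.startswith(tag):
                tags.append(tag)
                rest = rest[len(tag):]
                break
        else:
            raise ValueError(f"unknown tag fragment {rest!r} in {fused!r}")
    return tuple(tags)


def parse_rows(text: str) -> list:
    """Parse every 'Function ... Relevance: ...' row found in text."""
    return [
        FunctionRow(
            address=int(m["addr"], 16),
            relevance=float(m["rel"]),
            apis=int(m["apis"] or 0),
            strings=int(m["strings"] or 0),
            instructions=int(m["instr"]),
            tags=split_tags(m["tags"]),
        )
        for m in ROW_RE.finditer(text)
    ]


def triage(rows, min_relevance=10.0,
           interesting=("registry", "clipboard", "libraryloader", "file")):
    """Rows to open first: any behaviour tag of interest, or relevance at or
    above the threshold. Sorted by relevance, highest first; the sort is
    stable, so ties keep report order."""
    picked = [r for r in rows
              if r.relevance >= min_relevance
              or any(t in interesting for t in r.tags)]
    return sorted(picked, key=lambda r: r.relevance, reverse=True)


def outside_image(rows, image_base=0x00400000, image_size=0x00100000):
    """Addresses outside the main module's image range. The defaults are an
    assumption (common 32-bit PE base, generous size), not values from the
    report; take the real ones from the sample's PE optional header."""
    return [r.address for r in rows
            if not image_base <= r.address < image_base + image_size]


# Constructed sample input: rows copied from this report's function list.
SAMPLE_ROWS = """
Function 004210CC Relevance: 65.2, APIs: 25, Strings: 12, Instructions: 439windowstringCOMMON
Function 00433F0D Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 49clipboardregistryCOMMON
Function 00434350 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 38libraryloaderCOMMON
Function 0041EF19 Relevance: 1.4, Strings: 1, Instructions: 159COMMON
Function 0040EBBA Relevance: .3, Instructions: 294COMMON
Function 00424156 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 71filetimeCOMMON
Function 0043622C Relevance: 10.6, APIs: 7, Instructions: 61windowCOMMON
Function 0573B408 Relevance: 1.6, APIs: 1, Instructions: 138COMMON
"""

if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for r in triage(rows):
        print(f"{r.address:08X} rel={r.relevance:5.1f} apis={r.apis:2d} "
              f"strings={r.strings:2d} tags={','.join(r.tags)}")
    print("outside image:", [f"{a:08X}" for a in outside_image(rows)])
```

The relevance score alone buries low-scoring but behaviourally telling functions (the 8.8-scored libraryloader function above), which is why triage() keys on tags as well as score; the tag splitter fails loudly on an unknown fragment rather than silently mis-tagging a row.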