Windows
Analysis Report
fresh_shrunk.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- fresh_shrunk.exe (PID: 6860 cmdline:
"C:\Users\ user\Deskt op\fresh_s hrunk.exe" MD5: 745A24A4347A0BB2B9C5E1BA5B2DADEB) - RegAsm.exe (PID: 6948 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Asm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13) - cmd.exe (PID: 6972 cmdline:
"cmd.exe" /C mkdir " C:\Users\u ser\AppDat a\Local\Te mp\bddddsx " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 6992 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 6160 cmdline:
"cmd.exe" /C schtask s /create /sc minute /mo 10 /t n "Nano" / tr "'C:\Us ers\user\A ppData\Loc al\Temp\bd dddsx\bddd dsx.exe'" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7160 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - schtasks.exe (PID: 3452 cmdline:
schtasks / create /sc minute /m o 10 /tn " Nano" /tr "'C:\Users \user\AppD ata\Local\ Temp\bdddd sx\bddddsx .exe'" /f MD5: 48C2FE20575769DE916F48EF0676A965) - cmd.exe (PID: 2196 cmdline:
"cmd.exe" /C copy "C :\Users\us er\Desktop \fresh_shr unk.exe" " C:\Users\u ser\AppDat a\Local\Te mp\bddddsx \bddddsx.e xe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7128 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- bddddsx.exe (PID: 3192 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\bddddsx \bddddsx.e xe MD5: 745A24A4347A0BB2B9C5E1BA5B2DADEB) - RegAsm.exe (PID: 6616 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Asm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13) - cmd.exe (PID: 7104 cmdline:
"cmd.exe" /C mkdir " C:\Users\u ser\AppDat a\Local\Te mp\bddddsx " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 6204 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 7088 cmdline:
"cmd.exe" /C schtask s /create /sc minute /mo 10 /t n "Nano" / tr "'C:\Us ers\user\A ppData\Loc al\Temp\bd dddsx\bddd dsx.exe'" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7084 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - schtasks.exe (PID: 6612 cmdline:
schtasks / create /sc minute /m o 10 /tn " Nano" /tr "'C:\Users \user\AppD ata\Local\ Temp\bdddd sx\bddddsx .exe'" /f MD5: 48C2FE20575769DE916F48EF0676A965) - cmd.exe (PID: 2316 cmdline:
"cmd.exe" /C copy "C :\Users\us er\AppData \Local\Tem p\bddddsx\ bddddsx.ex e" "C:\Use rs\user\Ap pData\Loca l\Temp\bdd ddsx\bdddd sx.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 5076 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
XWorm | Malware with wide range of capabilities ranging from RAT to ransomware. | No Attribution |
{"C2 url": ["vbdsg.duckdns.org"], "Port": "8896", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | ||
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
| |
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | ||
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
| |
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | ||
Click to see the 6 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | ||
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
| |
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | ||
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
| |
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | ||
Click to see the 17 entries |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: |
Timestamp: | 04/21/24-23:26:43.756948 |
SID: | 2852874 |
Source Port: | 8896 |
Destination Port: | 49730 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/21/24-23:23:14.441038 |
SID: | 2855924 |
Source Port: | 49730 |
Destination Port: | 8896 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/21/24-23:27:02.685039 |
SID: | 2852870 |
Source Port: | 8896 |
Destination Port: | 49730 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/21/24-23:27:02.686118 |
SID: | 2852923 |
Source Port: | 49730 |
Destination Port: | 8896 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/21/24-23:26:01.631776 |
SID: | 2853193 |
Source Port: | 49730 |
Destination Port: | 8896 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Click to jump to signature section
AV Detection |
---|
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | ReversingLabs: |
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: |
Source: | Static PE information: |
Source: | Static PE information: |
Networking |
---|
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: |
Source: | URLs: |
Source: | DNS query: |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | TCP traffic: |
Source: | IP Address: |
Source: | ASN Name: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: |
Key, Mouse, Clipboard, Microphone and Screen Capturing |
---|
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: |
System Summary |
---|
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Process Stats: |
Source: | Code function: | 0_2_02718030 |
Source: | Code function: | 0_2_027150D0 | |
Source: | Code function: | 0_2_027159A0 | |
Source: | Code function: | 0_2_02714D88 | |
Source: | Code function: | 1_2_02D10ED0 | |
Source: | Code function: | 1_2_02D1D4DC | |
Source: | Code function: | 1_2_02DDB678 | |
Source: | Code function: | 1_2_02DDBF48 | |
Source: | Code function: | 1_2_02DDE638 | |
Source: | Code function: | 1_2_02DD0738 | |
Source: | Code function: | 1_2_02DDB330 | |
Source: | Code function: | 1_2_02DD71A9 | |
Source: | Code function: | 9_2_015159A0 | |
Source: | Code function: | 9_2_015150D0 | |
Source: | Code function: | 9_2_01514D88 | |
Source: | Code function: | 10_2_02E50EC0 |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: |
Source: | Security API names: | ||
Source: | Security API names: | ||
Source: | Security API names: | ||
Source: | Security API names: | ||
Source: | Security API names: | ||
Source: | Security API names: | ||
Source: | Security API names: | ||
Source: | Security API names: |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | Static PE information: |
Source: | Static file information: |
Source: | WMI Queries: | ||
Source: | WMI Queries: |
Source: | Key opened: | Jump to behavior |
Source: | ReversingLabs: |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | File opened: | Jump to behavior |
Source: | Static PE information: |
Source: | Static PE information: |
Data Obfuscation |
---|
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: |
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: |
Source: | Code function: | 1_2_02DD63BB | |
Source: | Code function: | 1_2_02DD20D1 |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | File created: | Jump to dropped file |
Boot Survival |
---|
Source: | Process created: |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Malware Analysis System Evasion |
---|
Source: | WMI Queries: |
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior |
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior |
Source: | Window / User API: | Jump to behavior |
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior |
Source: | WMI Queries: | ||
Source: | WMI Queries: |
Source: | WMI Queries: | ||
Source: | WMI Queries: |
Source: | File Volume queried: | Jump to behavior | ||
Source: | File Volume queried: | Jump to behavior | ||
Source: | File Volume queried: | Jump to behavior |
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Process information queried: | Jump to behavior |
Source: | Process token adjusted: | Jump to behavior |
Source: | Memory allocated: | Jump to behavior |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior |
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior |
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior |
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: |
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Binary or memory string: |
Source: | WMI Queries: |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | 1 Valid Accounts | 131 Windows Management Instrumentation | 1 Valid Accounts | 1 Valid Accounts | 1 Masquerading | 1 Input Capture | 231 Security Software Discovery | Remote Services | 1 Input Capture | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 1 Access Token Manipulation | 1 Valid Accounts | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 11 Archive Collected Data | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 311 Process Injection | 1 Access Token Manipulation | Security Account Manager | 141 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Scheduled Task/Job | 1 Disable or Modify Tools | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 21 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 1 DLL Side-Loading | 141 Virtualization/Sandbox Evasion | LSA Secrets | 24 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 311 Process Injection | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Deobfuscate/Decode Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 2 Obfuscated Files or Information | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 22 Software Packing | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 DLL Side-Loading | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
55% | ReversingLabs | ByteCode-MSIL.Trojan.Seraph | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Joe Sandbox ML | |||
55% | ReversingLabs | ByteCode-MSIL.Trojan.Seraph |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
vbdsg.duckdns.org | 57.128.155.22 | true | true | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
57.128.155.22 | vbdsg.duckdns.org | Belgium | 2686 | ATGS-MMD-ASUS | true |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1429324 |
Start date and time: | 2024-04-21 23:22:03 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 8m 14s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 22 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | fresh_shrunk.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@28/5@1/1 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 40.127.169.103, 72.21.81.240, 20.242.39.171, 20.3.187.198
- Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
- Execution Graph export aborted for target RegAsm.exe, PID 6616 because it is empty
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- VT rate limit hit for: fresh_shrunk.exe
Time | Type | Description |
---|---|---|
22:22:56 | Task Scheduler | |
23:23:06 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
57.128.155.22 | Get hash | malicious | PureLog Stealer | Browse | ||
Get hash | malicious | Glupteba, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader, Socks5Systemz | Browse | |||
Get hash | malicious | Glupteba, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader, Socks5Systemz | Browse | |||
Get hash | malicious | RedLine | Browse | |||
Get hash | malicious | Glupteba, LummaC Stealer, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader, zgRAT | Browse | |||
Get hash | malicious | Glupteba, LummaC Stealer, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader, Socks5Systemz | Browse | |||
Get hash | malicious | Glupteba, LummaC Stealer, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader, Socks5Systemz | Browse | |||
Get hash | malicious | Glupteba, LummaC Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, zgRAT | Browse | |||
Get hash | malicious | Glupteba, LummaC Stealer, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader, zgRAT | Browse | |||
Get hash | malicious | RedLine | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
vbdsg.duckdns.org | Get hash | malicious | AsyncRAT, Metasploit, VenomRAT, XWorm | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
ATGS-MMD-ASUS | Get hash | malicious | Mirai | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai, Okiru | Browse |
| ||
Get hash | malicious | IPRoyal Pawns | Browse |
| ||
Get hash | malicious | Unknown | Browse |
|
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 323 |
Entropy (8bit): | 5.363435887027673 |
Encrypted: | false |
SSDEEP: | 6:Q3La/xwcz92W+P12MUAvvr3tDLIP12MUAvvR+uTL2ql2ABgTv:Q3La/hz92n4M9tDLI4MWuPTAv |
MD5: | A92E44C0313DAFEC1988D0D379E41A2F |
SHA1: | C2F5644C418A81C1FB40F74298FF39D1420BFAC0 |
SHA-256: | F3F3E681BE07C36042639B1679ACF8B2D23BE037713D5E395C48006840DBE77A |
SHA-512: | 4F32FE6F35FC6EB4D4CF41EDEDE3C6B3FDFE31E58DA6FC7B301B1EBD3FBEEE64681C928B45E87CD556A1D32D32CB5932764EAB22FFEE11E42B8D5EB0DCFDC22C |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 737 |
Entropy (8bit): | 5.352753964755418 |
Encrypted: | false |
SSDEEP: | 12:Q3La/KDLI4MWuPTAWzAbDLI4MNldKZarkvoDLI4MWuCOKbbDLI4MWuPJKAVKhav:ML9E4KjsXE4qdKqE4KnKDE4KhKiKhk |
MD5: | DA7EF1B9630A3E6C3B70892390887AF9 |
SHA1: | 6EF2D6E0ADFC00EF044509BD3AA1A22791B968FA |
SHA-256: | 82B646ADAC247AF19A3994984FA089EEB9DD71405062D3CE971735D51F0E95AD |
SHA-512: | AF6CD48959D6705FC5B9EC82DBF1BDB9D585141A2CE9A57E45B579D257AC8C8781D1F88F5855EC14ED707EF30D98C8AD9C6382C9DF5F0A69FD12BEC86A3DE128 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\fresh_shrunk.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 737 |
Entropy (8bit): | 5.352753964755418 |
Encrypted: | false |
SSDEEP: | 12:Q3La/KDLI4MWuPTAWzAbDLI4MNldKZarkvoDLI4MWuCOKbbDLI4MWuPJKAVKhav:ML9E4KjsXE4qdKqE4KnKDE4KhKiKhk |
MD5: | DA7EF1B9630A3E6C3B70892390887AF9 |
SHA1: | 6EF2D6E0ADFC00EF044509BD3AA1A22791B968FA |
SHA-256: | 82B646ADAC247AF19A3994984FA089EEB9DD71405062D3CE971735D51F0E95AD |
SHA-512: | AF6CD48959D6705FC5B9EC82DBF1BDB9D585141A2CE9A57E45B579D257AC8C8781D1F88F5855EC14ED707EF30D98C8AD9C6382C9DF5F0A69FD12BEC86A3DE128 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 167936 |
Entropy (8bit): | 4.978749761301541 |
Encrypted: | false |
SSDEEP: | 1536:fJZhM+Qw6/iPxFPP3t/zzdnr8EI5jayp3z3hXdmd30RrSkbiKyhz5u36UU5eX9Mk:++SrvbvyZg6UU529cI1VoheH |
MD5: | 745A24A4347A0BB2B9C5E1BA5B2DADEB |
SHA1: | E89EECDF3BD5A8F34B8933986567CFDA2401E17A |
SHA-256: | AD5C027ED298920CD09CEFBFCB08BFF9B5B55EE1F411BA59F6D1E77677E3BB5C |
SHA-512: | 6E5226E348C37DED536177495F5D6697AB4034FD12433A069BD9B9EECE5585853E921AAF76BA68A92FF349147BC1272D9156EDE8EC6C1DBBFA6D16A659EBCAFF |
Malicious: | true |
Antivirus: |
|
Preview: |
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | modified |
Size (bytes): | 26 |
Entropy (8bit): | 3.95006375643621 |
Encrypted: | false |
SSDEEP: | 3:ggPYV:rPYV |
MD5: | 187F488E27DB4AF347237FE461A079AD |
SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 4.978749761301541 |
TrID: |
|
File name: | fresh_shrunk.exe |
File size: | 167'936 bytes |
MD5: | 745a24a4347a0bb2b9c5e1ba5b2dadeb |
SHA1: | e89eecdf3bd5a8f34b8933986567cfda2401e17a |
SHA256: | ad5c027ed298920cd09cefbfcb08bff9b5b55ee1f411ba59f6d1e77677e3bb5c |
SHA512: | 6e5226e348c37ded536177495f5d6697ab4034fd12433a069bd9b9eece5585853e921aaf76ba68a92ff349147bc1272d9156ede8ec6c1dbbfa6d16a659ebcaff |
SSDEEP: | 1536:fJZhM+Qw6/iPxFPP3t/zzdnr8EI5jayp3z3hXdmd30RrSkbiKyhz5u36UU5eX9Mk:++SrvbvyZg6UU529cI1VoheH |
TLSH: | FCF35BBE37558E33E94909B088994154832DBD469E83DF1774893F28BF717C92A1BACC |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...%..e.................6...P.......U... ...`....@.. ....................................@................................ |
Icon Hash: | 1ff3b0b0b0b0331e |
Entrypoint: | 0x4155ab |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x65F3EA25 [Fri Mar 15 06:26:45 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Instruction |
---|
jmp dword ptr [00402000h] |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x15561 | 0x4a | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16000 | 0x14cdd | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2c000 | 0xc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0x135b1 | 0x13600 | 1c302f8e97dbfa18502b35bf1beae8c9 | False | 0.7181577620967742 | data | 7.228149219206704 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rsrc | 0x16000 | 0x14cdd | 0x14e00 | 3e2b82f432db956a89421325885fba87 | False | 0.0578686377245509 | data | 1.9011718204172392 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x2c000 | 0xc | 0x200 | 33e042c05234517b70c8d592d6567816 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x16084 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2834 x 2834 px/m | English | United States | 0.03228143854252928 |
RT_ICON | 0x268d0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m | English | United States | 0.08360995850622406 |
RT_ICON | 0x28e9c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m | English | United States | 0.12312382739212008 |
RT_ICON | 0x29f68 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m | English | United States | 0.25975177304964536 |
RT_GROUP_ICON | 0x2a420 | 0x3e | data | English | United States | 0.8387096774193549 |
RT_VERSION | 0x2a49a | 0x420 | data | English | United States | 0.3693181818181818 |
RT_MANIFEST | 0x2a8f6 | 0x3e7 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (939), with CRLF line terminators | English | United States | 0.5145145145145145 |
DLL | Import |
---|---|
mscoree.dll | _CorExeMain |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
04/21/24-23:26:43.756948 | TCP | 2852874 | ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
04/21/24-23:23:14.441038 | TCP | 2855924 | ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
04/21/24-23:27:02.685039 | TCP | 2852870 | ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
04/21/24-23:27:02.686118 | TCP | 2852923 | ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
04/21/24-23:26:01.631776 | TCP | 2853193 | ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 21, 2024 23:23:03.372555017 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:23:03.569631100 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:23:03.569751024 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:23:03.744055986 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:23:03.982362032 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:23:13.622119904 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:23:13.677329063 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:23:14.441037893 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:23:14.653438091 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:23:14.656141996 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:23:14.893460035 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:23:25.115336895 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:23:25.326075077 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:23:25.328269958 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:23:25.565290928 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:23:35.802908897 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:23:36.001081944 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:23:36.004924059 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:23:36.242527962 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:23:43.624783039 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:23:43.677382946 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:23:46.491039038 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:23:46.693980932 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:23:46.698088884 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:23:46.936300039 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:23:57.177817106 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:23:57.382275105 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:23:57.386032104 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:23:57.623375893 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:24:03.287004948 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:24:03.489339113 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:24:03.491452932 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:24:03.728630066 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:24:05.615314007 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:24:05.819125891 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:24:05.820583105 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:24:06.058979988 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:24:07.818308115 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:24:08.032133102 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:24:08.037156105 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:24:08.275115967 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:24:13.631813049 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:24:13.677462101 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:24:18.505767107 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:24:18.705950022 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:24:18.707484961 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:24:18.953938007 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:24:23.149889946 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:24:23.369520903 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:24:23.374878883 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:24:23.611116886 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:24:31.865227938 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:24:32.065583944 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:24:32.068551064 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:24:32.305314064 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:24:35.865466118 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:24:36.075592041 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:24:36.077763081 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:24:36.319375038 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:24:43.838212967 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:24:43.880637884 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:24:44.177797079 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:24:44.397531986 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:24:44.399211884 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:24:44.637353897 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:24:47.256289005 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:24:47.454758883 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:24:47.457797050 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:24:47.694945097 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:24:52.802843094 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:24:53.000772953 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:24:53.000927925 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:24:53.216415882 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:24:53.216655016 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:24:53.436222076 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:24:53.436364889 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:24:53.677815914 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:24:53.677891016 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:24:53.917680025 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:24:56.646600008 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:24:56.847608089 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:24:56.849386930 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:24:57.087912083 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:25:02.396760941 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:25:02.595947981 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:25:02.600737095 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:25:02.837860107 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:25:05.271725893 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:25:05.470650911 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:25:05.472330093 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:25:05.712244034 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:25:13.858192921 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:25:13.912187099 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:25:14.959889889 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:25:15.159610033 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:25:15.162328005 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:25:15.400275946 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:25:25.646917105 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:25:25.845801115 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:25:25.850166082 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:25:26.086821079 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:25:28.834573984 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:25:29.033370018 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:25:29.034898996 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:25:29.273413897 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:25:30.256372929 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:25:30.483460903 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:25:30.485003948 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:25:30.723738909 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:25:36.100123882 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:25:36.298695087 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:25:36.300127983 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:25:36.537247896 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:25:43.533736944 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:25:43.584323883 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:25:46.790811062 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:25:46.988955975 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:25:46.991215944 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:25:47.228734970 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:25:57.240961075 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:25:57.439332962 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:25:57.441339016 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:25:57.679769993 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:26:01.631776094 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:26:01.829998970 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:26:01.830071926 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:26:02.027967930 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:26:02.028460026 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:26:02.225863934 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:26:02.228419065 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:26:02.425661087 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:26:02.425832033 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:26:02.668462992 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:26:02.668620110 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:26:02.906622887 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:26:08.084995985 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:26:08.283586025 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:26:08.285370111 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:26:08.524384975 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:26:13.747680902 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:26:13.912720919 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:26:14.047055006 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:26:14.047133923 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:26:18.772455931 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:26:18.971230030 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:26:18.974659920 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:26:19.213866949 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:26:23.475698948 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:26:23.679619074 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:26:23.728462934 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:26:23.853245020 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:26:24.091512918 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:26:26.163173914 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:26:26.400296926 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:26:26.421097040 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:26:26.422986984 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:26:26.661381006 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:26:28.241239071 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:26:28.443537951 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:26:28.445575953 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:26:28.682708979 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:26:30.725956917 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:26:30.923717022 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:26:30.923799038 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:26:31.121428013 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:26:31.126522064 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:26:31.364308119 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:26:31.366918087 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:26:31.607069969 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:26:33.241244078 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:26:33.439599037 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:26:33.441183090 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:26:33.678348064 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:26:33.678469896 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:26:33.877882957 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:26:33.882816076 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:26:34.120840073 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:26:36.226013899 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:26:36.426326990 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:26:36.431091070 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:26:36.668994904 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:26:43.756947994 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:26:43.803817034 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:26:46.616436958 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:26:46.814907074 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:26:46.816431999 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:26:47.053190947 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:26:49.492536068 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:26:49.729532957 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:26:49.770524025 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:26:49.772306919 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:26:50.013292074 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:26:50.538310051 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:26:50.760000944 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:26:50.761746883 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:26:50.999877930 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:26:56.944940090 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:26:57.183329105 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:26:57.754271984 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:26:57.756340981 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:26:57.994399071 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:27:02.476038933 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:27:02.685039043 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Apr 21, 2024 23:27:02.686117887 CEST | 49730 | 8896 | 192.168.2.4 | 57.128.155.22 |
Apr 21, 2024 23:27:02.928292036 CEST | 8896 | 49730 | 57.128.155.22 | 192.168.2.4 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 21, 2024 23:23:03.227469921 CEST | 49227 | 53 | 192.168.2.4 | 1.1.1.1 |
Apr 21, 2024 23:23:03.366585016 CEST | 53 | 49227 | 1.1.1.1 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Apr 21, 2024 23:23:03.227469921 CEST | 192.168.2.4 | 1.1.1.1 | 0xe624 | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Apr 21, 2024 23:23:03.366585016 CEST | 1.1.1.1 | 192.168.2.4 | 0xe624 | No error (0) | 57.128.155.22 | A (IP address) | IN (0x0001) | false |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
Target ID: | 0 |
Start time: | 23:22:54 |
Start date: | 21/04/2024 |
Path: | C:\Users\user\Desktop\fresh_shrunk.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x5b0000 |
File size: | 167'936 bytes |
MD5 hash: | 745A24A4347A0BB2B9C5E1BA5B2DADEB |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 23:22:54 |
Start date: | 21/04/2024 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x9d0000 |
File size: | 65'440 bytes |
MD5 hash: | 0D5DF43AF2916F47D00C1573797C1A13 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | high |
Has exited: | false |
Target ID: | 2 |
Start time: | 23:22:54 |
Start date: | 21/04/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x240000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 23:22:54 |
Start date: | 21/04/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 4 |
Start time: | 23:22:54 |
Start date: | 21/04/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x240000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 5 |
Start time: | 23:22:54 |
Start date: | 21/04/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 6 |
Start time: | 23:22:54 |
Start date: | 21/04/2024 |
Path: | C:\Windows\SysWOW64\schtasks.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xc70000 |
File size: | 187'904 bytes |
MD5 hash: | 48C2FE20575769DE916F48EF0676A965 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 7 |
Start time: | 23:22:55 |
Start date: | 21/04/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x240000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 8 |
Start time: | 23:22:55 |
Start date: | 21/04/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 9 |
Start time: | 23:22:56 |
Start date: | 21/04/2024 |
Path: | C:\Users\user\AppData\Local\Temp\bddddsx\bddddsx.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xb20000 |
File size: | 167'936 bytes |
MD5 hash: | 745A24A4347A0BB2B9C5E1BA5B2DADEB |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Antivirus matches: |
|
Reputation: | low |
Has exited: | true |
Target ID: | 10 |
Start time: | 23:22:56 |
Start date: | 21/04/2024 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xcd0000 |
File size: | 65'440 bytes |
MD5 hash: | 0D5DF43AF2916F47D00C1573797C1A13 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | high |
Has exited: | true |
Target ID: | 11 |
Start time: | 23:22:56 |
Start date: | 21/04/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x240000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 12 |
Start time: | 23:22:56 |
Start date: | 21/04/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 13 |
Start time: | 23:22:56 |
Start date: | 21/04/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x240000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 14 |
Start time: | 23:22:56 |
Start date: | 21/04/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 15 |
Start time: | 23:22:56 |
Start date: | 21/04/2024 |
Path: | C:\Windows\SysWOW64\schtasks.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xc70000 |
File size: | 187'904 bytes |
MD5 hash: | 48C2FE20575769DE916F48EF0676A965 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 16 |
Start time: | 23:22:56 |
Start date: | 21/04/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 17 |
Start time: | 23:22:56 |
Start date: | 21/04/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Has exited: | true |
Execution Graph
Execution Coverage: | 16.4% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 4.7% |
Total number of Nodes: | 64 |
Total number of Limit Nodes: | 4 |
Graph
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 027150D0 Relevance: .3, Instructions: 281COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 027159A0 Relevance: .3, Instructions: 266COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 027187C0 Relevance: 1.6, APIs: 1, Instructions: 61threadCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02718400 Relevance: 1.6, APIs: 1, Instructions: 61threadCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 027187C8 Relevance: 1.6, APIs: 1, Instructions: 59threadCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 027184C0 Relevance: 1.6, APIs: 1, Instructions: 59COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02718408 Relevance: 1.6, APIs: 1, Instructions: 58threadCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 027184C8 Relevance: 1.6, APIs: 1, Instructions: 56COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 027185B1 Relevance: 1.6, APIs: 1, Instructions: 50memoryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 027185B8 Relevance: 1.5, APIs: 1, Instructions: 48memoryCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02718888 Relevance: 1.5, APIs: 1, Instructions: 47threadCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02718890 Relevance: 1.5, APIs: 1, Instructions: 45threadCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02740000 Relevance: .0, Instructions: 37COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02714D88 Relevance: .2, Instructions: 238COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Execution Graph
Execution Coverage: | 10% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 0% |
Total number of Nodes: | 191 |
Total number of Limit Nodes: | 22 |
Graph
Function 02D17128 Relevance: 6.1, APIs: 4, Instructions: 136threadCOMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02D17138 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02DD0040 Relevance: 1.7, APIs: 1, Instructions: 198COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02DDE238 Relevance: 1.6, APIs: 1, Instructions: 138COMMON
Control-flow Graph
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02DD2224 Relevance: 1.6, APIs: 1, Instructions: 118COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02DD2230 Relevance: 1.6, APIs: 1, Instructions: 113COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02DD4990 Relevance: 1.6, APIs: 1, Instructions: 93COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02D17378 Relevance: 1.6, APIs: 1, Instructions: 76COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02D17380 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02D11D20 Relevance: 1.6, APIs: 1, Instructions: 61COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02D12278 Relevance: 1.6, APIs: 1, Instructions: 59COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02DD04B1 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02DDE320 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02DD04B8 Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Execution Graph
Execution Coverage: | 15.4% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 0% |
Total number of Nodes: | 42 |
Total number of Limit Nodes: | 2 |
Graph
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 015187C0 Relevance: 1.6, APIs: 1, Instructions: 59threadCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 015187C8 Relevance: 1.6, APIs: 1, Instructions: 59threadCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01518408 Relevance: 1.6, APIs: 1, Instructions: 58threadCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 015184C8 Relevance: 1.6, APIs: 1, Instructions: 56COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 015185B8 Relevance: 1.5, APIs: 1, Instructions: 48memoryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01518890 Relevance: 1.5, APIs: 1, Instructions: 45threadCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01518888 Relevance: 1.5, APIs: 1, Instructions: 45threadCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02D80000 Relevance: .1, Instructions: 55COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02E50901 Relevance: 1.3, Strings: 1, Instructions: 69COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02E50BD8 Relevance: .2, Instructions: 205COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02E50BC8 Relevance: .1, Instructions: 121COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02E51361 Relevance: .1, Instructions: 79COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02E51249 Relevance: .1, Instructions: 76COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02E50CC2 Relevance: .1, Instructions: 69COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02E51258 Relevance: .1, Instructions: 69COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02E50838 Relevance: .0, Instructions: 43COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02E50848 Relevance: .0, Instructions: 38COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |