Analysis Report BL Draft Copy #747470.exe
Overview
General Information
Detection
| Score | Range | Whitelisted | Confidence |
|---|---|---|---|
| 100 | 0 - 100 | false | 100% |
Signatures
Classification
Startup |
---|
Malware Configuration |
---|
Threatname: Agenttesla |
---|
{"Username: ": "CEoVwenaUi", "URL: ": "http://Jneszaj6A5TZOa4IbKa.net", "To: ": "mpdolx@yandex.com", "ByHost: ": "mail.unique-skill.com:587", "Password: ": "liyrWKt", "From: ": ""}
Yara Overview |
---|
Memory Dumps |
---|
| Rule | Description | Author |
|---|---|---|
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
| JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Unpacked PEs |
---|
| Rule | Description | Author |
|---|---|---|
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Scheduled temp file as task from temp location
Source: Author: Joe Security
Signature Overview |
---|
AV Detection: |
---|
Found malware configuration
Source: Malware Configuration Extractor
Multi AV Scanner detection for dropped file
Source: ReversingLabs
Multi AV Scanner detection for submitted file
Source: Virustotal
Source: ReversingLabs
Machine Learning detection for dropped file
Source: Joe Sandbox ML
Machine Learning detection for sample
Source: Joe Sandbox ML
Source: Avira
Compliance: |
---|
Uses 32bit PE files
Source: Static PE information
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Static PE information
Networking: |
---|
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Snort IDS (2 entries)
C2 URLs / IPs found in malware configuration
Source: URLs
Source: TCP traffic (2 entries)
Source: DNS traffic detected
Source: String found in binary or memory (11 entries)
Key, Mouse, Clipboard, Microphone and Screen Capturing: |
---|
Installs a global keyboard hook
Source: Windows user hook set
Source: Code function: 3_2_01420A70
Source: Window created
System Summary: |
---|
.NET source code contains very large array initializations
Source: Large array initialization
Source: Code function: 3_2_01426178
Source: Code function: 3_2_014268B0
Source: Code function: 3_2_01425B45
Source: Code function: 3_2_0142D898
Source: Code function: 3_2_01694750
Source: Code function: 3_2_01694806
Source: Code function: 3_2_05B7C6F0
Source: Binary or memory string (15 entries)
Source: Static PE information
Source: Cryptographic APIs (2 entries)
Source: Classification label
Source: File created
Source: Mutant created (2 entries)
Source: File created
Source: Static PE information
Source: Section loaded (2 entries)
Source: WMI Queries (3 entries)
Source: File read
Source: Key opened
Source: File read (5 entries)
Source: Virustotal
Source: ReversingLabs
Source: File read
Source: Process created (6 entries)
Source: Key value queried
Source: File opened
Source: Key opened
Source: Static PE information (2 entries)
Source: Code function: 3_2_0142B599
Source: Static PE information (2 entries)
Source: File created
Boot Survival: |
---|
Uses schtasks.exe or at.exe to add and modify task schedules
Source: Process created
Source: Registry key monitored for changes
Source: Process information set (85 entries)
Malware Analysis System Evasion: |
---|
Yara detected AntiVM_3
Source: File source (3 entries)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: WMI Queries
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: WMI Queries
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Binary or memory string (2 entries)
Source: File opened / queried
Source: Thread delayed
Source: Window / User API (2 entries)
Source: Thread sleep time (2 entries)
Source: Thread sleep count (2 entries)
Source: WMI Queries (3 entries)
Source: Last function
Source: Binary or memory string (8 entries)
Source: Process information queried
Source: Code function: 3_2_01420A70
Source: Process token adjusted (2 entries)
Source: Memory allocated
Source: Process created (2 entries)
Source: Binary or memory string (4 entries)
Source: Queries volume information (14 entries)
Source: Key value queried
Stealing of Sensitive Information: |
---|
Yara detected AgentTesla
Source: File source (6 entries)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: Key opened
Tries to harvest and steal browser information (history, passwords, etc)
Source: File opened (3 entries)
Tries to harvest and steal ftp login credentials
Source: File opened (2 entries)
Tries to steal Mail credentials (via file access)
Source: File opened (2 entries)
Source: Key opened (2 entries)
Source: File source (2 entries)
Remote Access Functionality: |
---|
Yara detected AgentTesla
Source: File source (6 entries)
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation211 | Scheduled Task/Job1 | Process Injection12 | Disable or Modify Tools1 | OS Credential Dumping2 | File and Directory Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job1 | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Deobfuscate/Decode Files or Information1 | Input Capture111 | System Information Discovery114 | Remote Desktop Protocol | Data from Local System2 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information2 | Credentials in Registry1 | Query Registry1 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing2 | NTDS | Security Software Discovery321 | Distributed Component Object Model | Input Capture111 | Scheduled Transfer | Application Layer Protocol111 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading1 | LSA Secrets | Virtualization/Sandbox Evasion14 | SSH | Clipboard Data1 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion14 | Cached Domain Credentials | Process Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection12 | DCSync | Application Window Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Remote System Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
| Detection | Scanner | Label |
|---|---|---|
| 44% | Virustotal | |
| 35% | ReversingLabs | ByteCode-MSIL.Trojan.Wacatac |
| 100% | Joe Sandbox ML | |
Dropped Files |
---|
| Detection | Scanner | Label |
|---|---|---|
| 100% | Joe Sandbox ML | |
| 35% | ReversingLabs | ByteCode-MSIL.Trojan.Wacatac |
Unpacked PE Files |
---|
| Detection | Scanner | Label |
|---|---|---|
| 100% | Avira | TR/Spy.Gen8 |
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
| Detection | Scanner | Label | Entries |
|---|---|---|---|
| 0% | Avira URL Cloud | safe | 5 |
| 0% | URL Reputation | safe | 12 |
Domains and IPs |
---|
Contacted Domains |
---|
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| shared116.accountservergroup.com | 162.215.249.91 | true | false | | high |
| mail.unique-skill.com | unknown | unknown | true | | unknown |
Contacted URLs |
---|
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| | true | | unknown |
URLs from Memory and Binaries |
---|
| Malicious | Reputation | Entries |
|---|---|---|
| false | unknown | 5 |
| false | low | 3 |
| false | high | 2 |
Contacted IPs |
---|
Public |
---|
| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 162.215.249.91 | unknown | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false |
General Information |
---|
| Field | Value |
|---|---|
| Joe Sandbox Version | 31.0.0 Emerald |
| Analysis ID | 344998 |
| Start date | 27.01.2021 |
| Start time | 15:37:53 |
| Joe Sandbox Product | CloudBasic |
| Overall analysis duration | 0h 8m 51s |
| Hypervisor based Inspection enabled | false |
| Report type | full |
| Sample file name | BL Draft Copy #747470.exe |
| Cookbook file name | default.jbs |
| Analysis system description | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of new started processes analysed | 30 |
| Number of new started drivers analysed | 0 |
| Number of existing processes analysed | 0 |
| Number of existing drivers analysed | 0 |
| Number of injected processes analysed | 0 |
| Analysis Mode | default |
| Analysis stop reason | Timeout |
| Detection | MAL |
| Classification | mal100.troj.spyw.evad.winEXE@6/5@4/1 |
| EGA Information | Failed |
Simulations |
---|
Behavior and APIs |
---|
| Time | Type | Description |
|---|---|---|
| 15:38:47 | API Interceptor | |
Joe Sandbox View / Context |
---|
IPs |
---|
| Match | Detection | Associated samples |
|---|---|---|
| 162.215.249.91 | malicious | 2 |
Domains |
---|
| Match | Detection | Associated samples |
|---|---|---|
| shared116.accountservergroup.com | malicious | 2 |
ASN |
---|
| Match | Detection | Associated samples |
|---|---|---|
| PUBLIC-DOMAIN-REGISTRYUS | malicious | 20 |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
| Field | Value |
|---|---|
| Process | C:\Users\user\Desktop\BL Draft Copy #747470.exe |
| Category | modified |
| Size (bytes) | 1216 |
| Entropy (8bit) | 5.355304211458859 |
| Encrypted | false |
| SSDEEP | 24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY |
| MD5 | 69206D3AF7D6EFD08F4B4726998856D3 |
| SHA1 | E778D4BF781F7712163CF5E2F5E7C15953E484CF |
| SHA-256 | A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87 |
| SHA-512 | CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8 |
| Malicious | true |
| Reputation | moderate, very likely benign file |

| Field | Value |
|---|---|
| Process | C:\Users\user\Desktop\BL Draft Copy #747470.exe |
| Category | dropped |
| Size (bytes) | 1641 |
| Entropy (8bit) | 5.184319550582037 |
| Encrypted | false |
| SSDEEP | 24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBptn:cbh47TlNQ//rydbz9I3YODOLNdq3t |
| MD5 | EA820972FA2CCF8B35D40CA1210C43A5 |
| SHA1 | F325CC00E898EB253AD5537DC3A54DCAA68E93E4 |
| SHA-256 | 47F45706B26E170F985B2883DB4DFB3943962AC5ADF8093E18D483C554DE27FF |
| SHA-512 | CE1D8673A1C8827F8687F2D849CE74CB1D9891472EB659A13027C9AB9C2522D182845B09EDA24D5BF8E7C957B4E46A067D39FC1031EB2E8E75DE26F30BB7F2FF |
| Malicious | true |
| Reputation | low |

| Field | Value |
|---|---|
| Process | C:\Users\user\Desktop\BL Draft Copy #747470.exe |
| Category | dropped |
| Size (bytes) | 20480 |
| Entropy (8bit) | 0.6970840431455908 |
| Encrypted | false |
| SSDEEP | 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0 |
| MD5 | 00681D89EDDB6AD25E6F4BD2E66C61C6 |
| SHA1 | 14B2FBFB460816155190377BBC66AB5D2A15F7AB |
| SHA-256 | 8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85 |
| SHA-512 | 159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3 |
| Malicious | false |
| Reputation | moderate, very likely benign file |

| Field | Value |
|---|---|
| Process | C:\Users\user\Desktop\BL Draft Copy #747470.exe |
| Category | dropped |
| Size (bytes) | 878592 |
| Entropy (8bit) | 6.815171149795038 |
| Encrypted | false |
| SSDEEP | 12288:CCImHAGL08xZXMzcY8KaVumnG4ju84e+e+KBj:exLofxVU4Ge+K |
| MD5 | 125158A5CEC004BA7EE2910B6A835292 |
| SHA1 | 22A58409BED9A9801AA9894CEAE4858FBF2C81E5 |
| SHA-256 | 4BC04AA1102D1DDAB6DE06654183987351F5215C5CF3FE6F9CB13B3EFCD99656 |
| SHA-512 | A7CC602AD37DC4AC15327D22E59CA2C57C2C91231F3E89A62384BD4727D7D30BCD64E65475313A0B37EB709D8C8C7B1FBCD0270B0E4C63BE30C29F9DAB2A38C5 |
| Malicious | true |
| Reputation | low |

| Field | Value |
|---|---|
| Process | C:\Users\user\Desktop\BL Draft Copy #747470.exe |
| Category | dropped |
| Size (bytes) | 26 |
| Entropy (8bit) | 3.95006375643621 |
| Encrypted | false |
| SSDEEP | 3:ggPYV:rPYV |
| MD5 | 187F488E27DB4AF347237FE461A079AD |
| SHA1 | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
| SHA-256 | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
| SHA-512 | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
| Malicious | true |
| Reputation | high, very likely benign file |
Static File Info |
---|
| Field | Value |
|---|---|
| Entropy (8bit) | 6.815171149795038 |
| File name | BL Draft Copy #747470.exe |
| File size | 878592 |
| MD5 | 125158a5cec004ba7ee2910b6a835292 |
| SHA1 | 22a58409bed9a9801aa9894ceae4858fbf2c81e5 |
| SHA256 | 4bc04aa1102d1ddab6de06654183987351f5215c5cf3fe6f9cb13b3efcd99656 |
| SHA512 | a7cc602ad37dc4ac15327d22e59ca2c57c2c91231f3e89a62384bd4727d7d30bcd64e65475313a0b37eb709d8c8c7b1fbcd0270b0e4c63be30c29f9dab2a38c5 |
| SSDEEP | 12288:CCImHAGL08xZXMzcY8KaVumnG4ju84e+e+KBj:exLofxVU4Ge+K |
| File Content Preview | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P.............~.... ........... ....................................@................................ |
File Icon |
---|
Icon Hash: | 78e4c4ccc4c4c0c0 |
Static PE Info |
---|
| Field | Value |
|---|---|
| Entrypoint | 0x110ae87e |
| Entrypoint Section | .text |
| Digitally signed | false |
| Imagebase | 0x11000000 |
| Subsystem | windows gui |
| Image File Characteristics | 32BIT_MACHINE, EXECUTABLE_IMAGE |
| DLL Characteristics | NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
| Time Stamp | 0x600E9011 [Mon Jan 25 09:32:01 2021 UTC] |
| CLR (.Net) Version | v4.0.30319 |
| OS Version Major | 4 |
| OS Version Minor | 0 |
| File Version Major | 4 |
| File Version Minor | 0 |
| Subsystem Version Major | 4 |
| Subsystem Version Minor | 0 |
| Import Hash | f34d5f2d4577ed6d9ceec516c1f5a744 |
Entrypoint Preview |
---|
Instruction |
---|
jmp dword ptr [11002000h] |
add byte ptr [eax], al |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xae830 | 0x4b | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb0000 | 0x29a00 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xda000 | 0xc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0xac884 | 0xaca00 | False | 0.675396564989 | data | 7.4641212281 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rsrc | 0xb0000 | 0x29a00 | 0x29a00 | False | 0.118689001502 | data | 2.57748829649 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0xda000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0xb0250 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | ||
RT_ICON | 0xc0a78 | 0x860 | PNG image data, 256 x 256, 8-bit gray+alpha, non-interlaced | ||
RT_ICON | 0xc12d8 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | ||
RT_ICON | 0xc3880 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | ||
RT_ICON | 0xc4928 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | ||
RT_ICON | 0xd5150 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | ||
RT_GROUP_ICON | 0xd9378 | 0x14 | data | ||
RT_GROUP_ICON | 0xd938c | 0x5a | data | ||
RT_VERSION | 0xd93e8 | 0x3a4 | data | ||
RT_MANIFEST | 0xd978c | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | ||
Imports |
---|
DLL | Import |
---|---|
mscoree.dll | _CorExeMain |
Version Infos |
---|
Description | Data |
---|---|
Translation | 0x0000 0x04b0 |
LegalCopyright | Bharat Biotech (C) 2021 |
Assembly Version | 48.0.31.9 |
InternalName | AssemblyAttributesGoHereSM.exe |
FileVersion | 48.0.31.09 |
CompanyName | Bharat Biotech |
LegalTrademarks | |
Comments | BBV152 |
ProductName | BBV152 |
ProductVersion | 48.0.31.09 |
FileDescription | BBV152 |
OriginalFilename | AssemblyAttributesGoHereSM.exe |
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
01/27/21-15:40:35.387940 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49744 | 587 | 192.168.2.3 | 162.215.249.91 |
01/27/21-15:40:39.573506 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49745 | 587 | 192.168.2.3 | 162.215.249.91 |
Network Port Distribution |
---|
TCP Packets |
---|
UDP Packets |
---|
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Jan 27, 2021 15:40:32.956835032 CET | 192.168.2.3 | 8.8.8.8 | 0x938c | Standard query (0) | | A (IP address) | IN (0x0001) |
Jan 27, 2021 15:40:33.179351091 CET | 192.168.2.3 | 8.8.8.8 | 0x438b | Standard query (0) | | A (IP address) | IN (0x0001) |
Jan 27, 2021 15:40:37.353630066 CET | 192.168.2.3 | 8.8.8.8 | 0xba21 | Standard query (0) | | A (IP address) | IN (0x0001) |
Jan 27, 2021 15:40:37.829807043 CET | 192.168.2.3 | 8.8.8.8 | 0x7cb1 | Standard query (0) | | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Jan 27, 2021 15:40:33.150487900 CET | 8.8.8.8 | 192.168.2.3 | 0x938c | No error (0) | | shared116.accountservergroup.com | | CNAME (Canonical name) | IN (0x0001) |
Jan 27, 2021 15:40:33.150487900 CET | 8.8.8.8 | 192.168.2.3 | 0x938c | No error (0) | | | 162.215.249.91 | A (IP address) | IN (0x0001) |
Jan 27, 2021 15:40:33.394534111 CET | 8.8.8.8 | 192.168.2.3 | 0x438b | No error (0) | | shared116.accountservergroup.com | | CNAME (Canonical name) | IN (0x0001) |
Jan 27, 2021 15:40:33.394534111 CET | 8.8.8.8 | 192.168.2.3 | 0x438b | No error (0) | | | 162.215.249.91 | A (IP address) | IN (0x0001) |
Jan 27, 2021 15:40:37.410239935 CET | 8.8.8.8 | 192.168.2.3 | 0xba21 | No error (0) | | shared116.accountservergroup.com | | CNAME (Canonical name) | IN (0x0001) |
Jan 27, 2021 15:40:37.410239935 CET | 8.8.8.8 | 192.168.2.3 | 0xba21 | No error (0) | | | 162.215.249.91 | A (IP address) | IN (0x0001) |
Jan 27, 2021 15:40:37.888125896 CET | 8.8.8.8 | 192.168.2.3 | 0x7cb1 | No error (0) | | shared116.accountservergroup.com | | CNAME (Canonical name) | IN (0x0001) |
Jan 27, 2021 15:40:37.888125896 CET | 8.8.8.8 | 192.168.2.3 | 0x7cb1 | No error (0) | | | 162.215.249.91 | A (IP address) | IN (0x0001) |
SMTP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
---|---|---|---|---|---|
Jan 27, 2021 15:40:34.172257900 CET | 587 | 49744 | 162.215.249.91 | 192.168.2.3 | 220-shared116.accountservergroup.com ESMTP Exim 4.91 #1 Wed, 27 Jan 2021 08:40:34 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail. |
Jan 27, 2021 15:40:34.172804117 CET | 49744 | 587 | 192.168.2.3 | 162.215.249.91 | EHLO 128757 |
Jan 27, 2021 15:40:34.361555099 CET | 587 | 49744 | 162.215.249.91 | 192.168.2.3 | 250-shared116.accountservergroup.com Hello 128757 [84.17.52.74] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP |
Jan 27, 2021 15:40:34.364537001 CET | 49744 | 587 | 192.168.2.3 | 162.215.249.91 | AUTH login cG1AdW5pcXVlLXNraWxsLmNvbQ== |
Jan 27, 2021 15:40:34.552763939 CET | 587 | 49744 | 162.215.249.91 | 192.168.2.3 | 334 UGFzc3dvcmQ6 |
Jan 27, 2021 15:40:34.784570932 CET | 587 | 49744 | 162.215.249.91 | 192.168.2.3 | 235 Authentication succeeded |
Jan 27, 2021 15:40:34.786215067 CET | 49744 | 587 | 192.168.2.3 | 162.215.249.91 | MAIL FROM:<pm@unique-skill.com> |
Jan 27, 2021 15:40:34.971618891 CET | 587 | 49744 | 162.215.249.91 | 192.168.2.3 | 250 OK |
Jan 27, 2021 15:40:34.972244978 CET | 49744 | 587 | 192.168.2.3 | 162.215.249.91 | RCPT TO:<mpdolx@yandex.com> |
Jan 27, 2021 15:40:35.190584898 CET | 587 | 49744 | 162.215.249.91 | 192.168.2.3 | 250 Accepted |
Jan 27, 2021 15:40:35.191073895 CET | 49744 | 587 | 192.168.2.3 | 162.215.249.91 | DATA |
Jan 27, 2021 15:40:35.376306057 CET | 587 | 49744 | 162.215.249.91 | 192.168.2.3 | 354 Enter message, ending with "." on a line by itself |
Jan 27, 2021 15:40:35.388636112 CET | 49744 | 587 | 192.168.2.3 | 162.215.249.91 | . |
Jan 27, 2021 15:40:35.578315973 CET | 587 | 49744 | 162.215.249.91 | 192.168.2.3 | 250 OK id=1l4lzn-000foR-9h |
Jan 27, 2021 15:40:36.831295967 CET | 49744 | 587 | 192.168.2.3 | 162.215.249.91 | QUIT |
Jan 27, 2021 15:40:37.022589922 CET | 587 | 49744 | 162.215.249.91 | 192.168.2.3 | 221 shared116.accountservergroup.com closing connection |
Jan 27, 2021 15:40:38.388313055 CET | 587 | 49745 | 162.215.249.91 | 192.168.2.3 | 220-shared116.accountservergroup.com ESMTP Exim 4.91 #1 Wed, 27 Jan 2021 08:40:38 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail. |
Jan 27, 2021 15:40:38.391540051 CET | 49745 | 587 | 192.168.2.3 | 162.215.249.91 | EHLO 128757 |
Jan 27, 2021 15:40:38.577089071 CET | 587 | 49745 | 162.215.249.91 | 192.168.2.3 | 250-shared116.accountservergroup.com Hello 128757 [84.17.52.74] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP |
Jan 27, 2021 15:40:38.577860117 CET | 49745 | 587 | 192.168.2.3 | 162.215.249.91 | AUTH login cG1AdW5pcXVlLXNraWxsLmNvbQ== |
Jan 27, 2021 15:40:38.763447046 CET | 587 | 49745 | 162.215.249.91 | 192.168.2.3 | 334 UGFzc3dvcmQ6 |
Jan 27, 2021 15:40:38.953967094 CET | 587 | 49745 | 162.215.249.91 | 192.168.2.3 | 235 Authentication succeeded |
Jan 27, 2021 15:40:38.958499908 CET | 49745 | 587 | 192.168.2.3 | 162.215.249.91 | MAIL FROM:<pm@unique-skill.com> |
Jan 27, 2021 15:40:39.144212961 CET | 587 | 49745 | 162.215.249.91 | 192.168.2.3 | 250 OK |
Jan 27, 2021 15:40:39.144929886 CET | 49745 | 587 | 192.168.2.3 | 162.215.249.91 | RCPT TO:<mpdolx@yandex.com> |
Jan 27, 2021 15:40:39.381092072 CET | 587 | 49745 | 162.215.249.91 | 192.168.2.3 | 250 Accepted |
Jan 27, 2021 15:40:39.381411076 CET | 49745 | 587 | 192.168.2.3 | 162.215.249.91 | DATA |
Jan 27, 2021 15:40:39.566694975 CET | 587 | 49745 | 162.215.249.91 | 192.168.2.3 | 354 Enter message, ending with "." on a line by itself |
Jan 27, 2021 15:40:39.575015068 CET | 49745 | 587 | 192.168.2.3 | 162.215.249.91 | . |
Jan 27, 2021 15:40:39.760638952 CET | 587 | 49745 | 162.215.249.91 | 192.168.2.3 | 250 OK id=1l4lzr-000fvO-Fq |
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 15:38:45 |
Start date: | 27/01/2021 |
Path: | C:\Users\user\Desktop\BL Draft Copy #747470.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xe0000 |
File size: | 878592 bytes |
MD5 hash: | 125158A5CEC004BA7EE2910B6A835292 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: | |
Reputation: | low |
General |
---|
Start time: | 15:38:49 |
Start date: | 27/01/2021 |
Path: | C:\Windows\SysWOW64\schtasks.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1110000 |
File size: | 185856 bytes |
MD5 hash: | 15FF7D8324231381BAD48A052F85DF04 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 15:38:49 |
Start date: | 27/01/2021 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6b2800000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 15:38:50 |
Start date: | 27/01/2021 |
Path: | C:\Users\user\Desktop\BL Draft Copy #747470.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xc00000 |
File size: | 878592 bytes |
MD5 hash: | 125158A5CEC004BA7EE2910B6A835292 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: | |
Reputation: | low |
Disassembly |
---|
Code Analysis |
---|
Executed Functions |
---|
Function | Relevance | APIs | Instructions | Tags |
---|---|---|---|---|
00A7D4A0 | .1 | | 75 | COMMON |
00A7D3B4 | .1 | | 75 | COMMON |
00A8D01C | .1 | | 72 | COMMON |
00A8D006 | .1 | | 63 | COMMON |
00A7D3AF | .1 | | 56 | COMMON |
00A7D49B | .1 | | 56 | COMMON |
00A7D731 | .0 | | 45 | COMMON |
00A7D730 | .0 | | 36 | COMMON |
Uniqueness Score: -1.00% for every function listed; the Memory Dump Source and Similarity fields are empty for all of them in the report.
Non-executed Functions |
---|
Executed Functions |
---|
Function | Relevance | APIs | Instructions | Tags |
---|---|---|---|---|
01420A70 | 28.0 | 18 | 984 | keyboard, library, window, COMMON |
014268B0 | .9 | | 890 | COMMON |
01425B45 | .5 | | 514 | COMMON |
01426178 | .4 | | 445 | COMMON |
01694750 | .3 | | 312 | COMMON |
01694806 | .2 | | 250 | COMMON |
01420A91 | 26.1 | 17 | 637 | keyboard, library, window, COMMON |
01420AD6 | 26.1 | 17 | 628 | keyboard, library, window, COMMON |
01420B12 | 26.1 | 17 | 621 | keyboard, library, window, COMMON |
01420B4E | 26.1 | 17 | 616 | keyboard, library, window, COMMON |
01420B93 | 26.1 | 17 | 609 | keyboard, library, window, COMMON |
01420BD8 | 26.1 | 17 | 602 | keyboard, library, window, COMMON |
01420C1D | 24.6 | 16 | 595 | keyboard, library, window, COMMON |
01420C62 | 23.1 | 15 | 588 | keyboard, library, window, COMMON |
01420CA7 | 21.6 | 14 | 581 | keyboard, library, window, COMMON |
01420CEC | 21.6 | 14 | 574 | keyboard, library, window, COMMON |
01420D47 | 20.1 | 13 | 563 | keyboard, library, window, COMMON |
01420D8C | 20.1 | 13 | 556 | keyboard, library, window, COMMON |
01420DD1 | 20.0 | 13 | 549 | keyboard, library, window, COMMON |
01420E16 | 20.0 | 13 | 542 | keyboard, library, window, COMMON |
01420E5B | 20.0 | 13 | 533 | keyboard, library, window, COMMON |
01420E97 | 20.0 | 13 | 526 | keyboard, library, window, COMMON |
01420ED3 | 20.0 | 13 | 521 | keyboard, library, window, COMMON |
01420F18 | 20.0 | 13 | 514 | keyboard, library, window, COMMON |
01420F5D | 20.0 | 13 | 507 | keyboard, library, window, COMMON |
01420FA2 | 18.5 | 12 | 500 | keyboard, library, window, COMMON |
01420FE7 | 17.0 | 11 | 493 | keyboard, library, window, COMMON |
0142102C | 17.0 | 11 | 486 | keyboard, library, window, COMMON |
01421071 | 17.0 | 11 | 477 | keyboard, library, window, COMMON |
014210AD | 17.0 | 11 | 470 | keyboard, library, window, COMMON |
014210E9 | 17.0 | 11 | 465 | keyboard, library, window, COMMON |
0142112E | 15.5 | 10 | 458 | keyboard, library, window, COMMON |
01421173 | 15.5 | 10 | 451 | keyboard, library, window, COMMON |
014217C8 | 6.2 | 4 | 237 | COMMON |
01421826 | 6.2 | 4 | 226 | COMMON |
0142186E | 4.7 | 3 | 219 | COMMON |
014218B6 | 4.7 | 3 | 212 | COMMON |
014218FE | 4.7 | 3 | 205 | COMMON |
01421946 | 4.7 | 3 | 198 | COMMON |
0142198E | 4.7 | 3 | 191 | COMMON |
014219D6 | 3.2 | 2 | 184 | COMMON |
01693EB8 | 1.8 | 1 | 280 | COMMON |
01421A1E | 1.7 | 1 | 177 | COMMON |
01421A66 | 1.7 | 1 | 170 | COMMON |
01421AAE | 1.7 | 1 | 161 | COMMON |
0169516F | 1.7 | 1 | 161 | COMMON |
01421AEA | 1.7 | 1 | 156 | COMMON |
01421B32 | 1.6 | 1 | 149 | COMMON |
01421B7A | 1.6 | 1 | 142 | COMMON |
016951F0 | 1.6 | 1 | 113 | COMMON |
016969C4 | 1.6 | 1 | 97 | COMMON |
01696DD2 | 1.6 | 1 | 64 | COMMON |
01696DD8 | 1.6 | 1 | 62 | COMMON |
0169BE59 | 1.6 | 1 | 55 | COMMON |
0169BE68 | 1.6 | 1 | 54 | COMMON |
01692F8C | 1.6 | 1 | 50 | COMMON |
0169420A | 1.5 | 1 | 49 | COMMON |
016941E0 | 1.5 | 1 | 45 | COMMON |
011FD53C | .1 | | 75 | COMMON |
011FD537 | .1 | | 56 | COMMON |
Uniqueness Score: -1.00% for every function listed; the API names, Memory Dump Source and Similarity fields are empty for all of them in the report, and ten further entries survive only as empty API blocks without a function address.
Non-executed Functions |
---|
Function | Relevance | APIs | Instructions | Tags |
---|---|---|---|---|
0142D898 | .4 | | 378 | COMMON |
05B7C6F0 | .3 | | 265 | COMMON |
Uniqueness Score: -1.00% for both functions; the Memory Dump Source and Similarity fields are empty in the report.