Windows
Analysis Report
af5Cop6pCN.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- af5Cop6pCN.exe (PID: 4856 cmdline: "C:\Users\user\Desktop\af5Cop6pCN.exe" MD5: 32A56B4E67436BDD3D39809A9BE949B8)
- cmd.exe (PID: 1236 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 1416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- schtasks.exe (PID: 1592 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- cmd.exe (PID: 1256 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp5ECD.tmp.bat"" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 1948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- timeout.exe (PID: 3228 cmdline: timeout 3 MD5: EB9A65078396FB5D4E3813BB9198CB18)
- svchost.exe (PID: 1016 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: 32A56B4E67436BDD3D39809A9BE949B8)
- svchost.exe (PID: 1120 cmdline: C:\Users\user\AppData\Roaming\svchost.exe MD5: 32A56B4E67436BDD3D39809A9BE949B8)
- cleanup
{"Server": "<!Cv", "Ports": "1", "Telegram C2": "https://api.telegram.org/bot{\"GI/sendMessage?chat_id=8ByH|?~", "Version": "'j%av_@4t#STz0 Gk@=FUPshK6IBYUZdY}n Is8k(3qgO@UJR?LLHr5HXCRE+ N}z^MR#RxeMW", "AES_key": "WPC4*(7Gweu7\\z>W{A|`", "Mutex": "TN-BG", "Certificate": "NjlPUmtsM1RoZjF0bWVMaUNuUm5Jd2JxS05FSXo2aFo=", "ServerSignature": "svchost.exe", "Group": "%AppData%"}
Rule | Description | Author |
---|---|---|
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding base64-encoded APIs, command lines, registry keys, etc. | ditekSHen |
INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen |
INDICATOR_SUSPICIOUS_EXE_DcRatBy | Detects executables containing the string DcRatBy | ditekSHen |

Rule | Description | Author |
---|---|---|
Windows_Trojan_DCRat_1aeea1ac | unknown | unknown |

Rule | Description | Author |
---|---|---|
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding base64-encoded APIs, command lines, registry keys, etc. | ditekSHen |
INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen |
INDICATOR_SUSPICIOUS_EXE_DcRatBy | Detects executables containing the string DcRatBy | ditekSHen |
Windows_Trojan_DCRat_1aeea1ac | unknown | unknown |
Windows_Trojan_DCRat_1aeea1ac | unknown | unknown |
JoeSecurity_DcRat_2 | Yara detected DcRat | Joe Security |
Windows_Trojan_DCRat_1aeea1ac | unknown | unknown |
JoeSecurity_DcRat_2 | Yara detected DcRat | Joe Security |

Rule | Description | Author |
---|---|---|
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding base64-encoded APIs, command lines, registry keys, etc. | ditekSHen |
INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen |
INDICATOR_SUSPICIOUS_EXE_DcRatBy | Detects executables containing the string DcRatBy | ditekSHen |
INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding base64-encoded APIs, command lines, registry keys, etc. | ditekSHen |
Persistence and Installation Behavior |
---|
Source: | Author: Joe Security: |

Timestamp | Source IP | Destination IP | Source Port | Destination Port | Protocol | SID | Classtype |
---|---|---|---|---|---|---|---|
09/23/22-08:16:16.887686 | 3.72.110.63 | 192.168.2.4 | 9087 | 49708 | TCP | 2848152 | A Network Trojan was detected |
09/23/22-08:16:16.887686 | 3.72.110.63 | 192.168.2.4 | 9087 | 49708 | TCP | 2034847 | A Network Trojan was detected |
AV Detection |
---|
Source: | ReversingLabs; Metadefender |
Source: | Avira |
Source: | Avira |
Source: | ReversingLabs; Metadefender |
Source: | Joe Sandbox ML |
Source: | Joe Sandbox ML |
Source: | Malware Configuration Extractor |
Source: | Static PE information |
Source: | HTTPS traffic detected |
Source: | Static PE information |
Networking |
---|
Source: | Network Connect (2 entries); Domain query (2 entries) |
Source: | Snort IDS (2 entries) |
Source: | File source (3 entries) |
Source: | URLs |
Source: | DNS query |
Source: | DNS query |
Source: | ASN Name |
Source: | JA3 fingerprint |
Source: | HTTP traffic detected |
Source: | IP Address (2 entries) |
Source: | HTTPS traffic detected |
Source: | TCP traffic |
Source: | Network traffic detected (2 entries) |
Source: | String found in binary or memory (9 entries) |
Source: | DNS traffic detected |
Source: | HTTP traffic detected |
Key, Mouse, Clipboard, Microphone and Screen Capturing |
---|
Source: | File source (2 entries) |
System Summary |
---|
Source: | Matched rule (29 entries) |
Source: | Static PE information |
Source: | Matched rule (29 entries) |
Source: | Code function: 8_2_00007FF81640E8A2; 8_2_00007FF81640F33D; 8_2_00007FF81640DAF6 |
Source: | Binary or memory string (4 entries) |
Source: | Static PE information (2 entries) |
Source: | Dropped File |
Source: | ReversingLabs; Metadefender |
Source: | File read |
Source: | Static PE information |
Source: | Key opened |
Source: | Process created (14 entries) |
Source: | Key value queried |
Source: | File created |
Source: | File created |
Source: | Classification label |
Source: | File read |
Source: | Security API names (4 entries) |
Source: | Static file information |
Source: | Section loaded (3 entries) |
Source: | Base64 encoded string (2 entries) |
Source: | Mutant created (3 entries) |
Source: | Process created |
Source: | Cryptographic APIs (2 entries) |
Source: | File read (4 entries) |
Source: | Static PE information |
Source: | Static PE information |
Data Obfuscation |
---|
Source: | .Net Code (2 entries) |
Persistence and Installation Behavior |
---|
Source: | File created (dropped file) |
Source: | File created (dropped file) |
Boot Survival |
---|
Source: | File source (2 entries) |
Source: | Process created |
Hooking and other Techniques for Hiding and Protection |
---|
Source: | Icon embedded in binary file |
Source: | Registry key monitored for changes (2 entries) |
Source: | Process information set (101 entries) |
Malware Analysis System Evasion |
---|
Source: | File source (2 entries) |
Source: | Thread sleep time (3 entries); Thread sleep count (2 entries) |
Source: | Last function (2 entries) |
Source: | Thread delayed (3 entries) |
Source: | Window / User API |
Source: | Process information queried |
Source: | Thread delayed (3 entries) |
Source: | File Volume queried (3 entries) |
Source: | Binary or memory string (2 entries) |
Source: | Process token adjusted (2 entries) |
Source: | Memory allocated |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Network Connect (2 entries); Domain query (2 entries) |
Source: | Reference to suspicious API methods (4 entries) |
Source: | Process created (5 entries) |
Source: | Binary or memory string (3 entries) |
Source: | Queries volume information (4 entries) |
Source: | Key value queried |
Lowering of HIPS / PFW / Operating System Security Settings |
---|
Source: | File source (2 entries) |
Source: | WMI Queries |
Source: | Binary or memory string (4 entries) |
Stealing of Sensitive Information |
---|
Source: | File source (4 entries) |
Remote Access Functionality |
---|
Source: | File source (4 entries) |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 1 Windows Management Instrumentation | 2 Scheduled Task/Job | 112 Process Injection | 1 Disable or Modify Tools | OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Web Service | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | 1 Scripting | Boot or Logon Initialization Scripts | 2 Scheduled Task/Job | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 13 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | 1 Native API | Logon Script (Windows) | Logon Script (Windows) | 1 Scripting | Security Account Manager | 1 Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 11 Encrypted Channel | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | 2 Scheduled Task/Job | Logon Script (Mac) | Logon Script (Mac) | 11 Obfuscated Files or Information | NTDS | 121 Security Software Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 1 Non-Standard Port | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 2 Process Discovery | SSH | Keylogging | Data Transfer Size Limits | 2 Non-Application Layer Protocol | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 21 Masquerading | Cached Domain Credentials | 21 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Exfiltration Over C2 Channel | 23 Application Layer Protocol | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | 21 Virtualization/Sandbox Evasion | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 112 Process Injection | Proc Filesystem | 1 Remote System Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Detection | Scanner | Label |
---|---|---|
92% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
46% | Metadefender | |
100% | Avira | HEUR/AGEN.1235730 |
100% | Joe Sandbox ML | |

Detection | Scanner | Label |
---|---|---|
100% | Avira | HEUR/AGEN.1235730 |
100% | Joe Sandbox ML | |

Detection | Scanner | Label |
---|---|---|
100% | Avira | HEUR/AGEN.1235730 |

Detection | Scanner | Label |
---|---|---|
0% | Avira URL Cloud | safe |
0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Reputation |
---|---|---|---|---|
pastebin.com | 104.20.67.143 | true | false | high |
termsiya.duckdns.org | 3.72.110.63 | true | true | unknown |
windowsupdatebg.s.llnwi.net | 95.140.230.192 | true | false | unknown |

Name | Malicious | Reputation |
---|---|---|
| | false | high |
| | true | low |

Name | Source | Malicious | Reputation |
---|---|---|---|
| | | false | high |
| | | false | high |
| | | false | high |
| | | false | unknown |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
3.72.110.63 | termsiya.duckdns.org | United States | 16509 | AMAZON-02US | true |
104.20.67.143 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | false |
Joe Sandbox Version: | 36.0.0 Rainbow Opal |
Analysis ID: | 708255 |
Start date and time: | 2022-09-23 08:14:53 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 8m 47s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | af5Cop6pCN.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 22 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.evad.winEXE@15/7@2/2 |
EGA Information: | |
HDC Information: | Failed |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
- Excluded IPs from analysis (whitelisted): 95.140.230.192
- Excluded domains from analysis (whitelisted): login.live.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, arc.msn.com, wu-bg-shim.trafficmanager.net
- Execution Graph export aborted for target af5Cop6pCN.exe, PID 4856 because it is empty
- Execution Graph export aborted for target svchost.exe, PID 1120 because it is empty
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtAllocateVirtualMemory calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
- VT rate limit hit for: af5Cop6pCN.exe
Time | Type | Description |
---|---|---|
08:15:56 | Task Scheduler |
Match | Associated samples |
---|---|
104.20.67.143 | 6 related samples, all detected as malicious |

Match | Associated samples |
---|---|
termsiya.duckdns.org | 2 related samples, all detected as malicious |
pastebin.com | 20 related samples, all detected as malicious |

Match | Associated samples |
---|---|
AMAZON-02US | 20 related samples, all detected as malicious |
CLOUDFLARENETUS | 20 related samples, all detected as malicious |

Match | Associated samples |
---|---|
54328bd36c14bd82ddaa0c04b25ed9ad | 20 related samples, all detected as malicious |
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Process: | C:\Users\user\AppData\Roaming\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 61745 |
Entropy (8bit): | 7.9946980850644 |
Encrypted: | true |
SSDEEP: | 768:chu+lK9x0bQ39uYFd7JuxDYQpxtxbVUt1bgZZisGRGL1V0u17ifoio8w/FFdG1Cb:klKIEvJJQjlZw9kEuQ1mFdGcLjx/eWL |
MD5: | 6C6A24456559F305308CB1FB6C5486B3 |
SHA1: | 3273AC27D78572F16C3316732B9756EBC22CB6ED |
SHA-256: | EFC3C579BD619CEAB040C4B8C1B821B2D82C64FDDD9E80A00EC0D7F6577ED973 |
SHA-512: | 587D4A9175A6AA82CD8BB1C11CA6508F95CD218F76AC322DDBD1BC7146A0E25F8937EE426A6FB0FB0BB045CEDB24D8C8A9EDFE9F654112F293D8701220F726B4 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Process: | C:\Users\user\AppData\Roaming\svchost.exe |
File Type: | |
Category: | modified |
Size (bytes): | 290 |
Entropy (8bit): | 2.9849106129347183 |
Encrypted: | false |
SSDEEP: | 6:kKKUw6joSN+SkQlPlEGYRMY9z+4KlDA3RUe/:iPkPlE99SNxAhUe/ |
MD5: | 0A24000D2533F1DB86BCDD6B1D3A67C5 |
SHA1: | E1CB7831AD96C125559F2C2EA100F1B06A35D631 |
SHA-256: | 1E0841BFC0239DDBBD3EDCAB1B695741525F1A61D2E620857C2E753FCBC19E42 |
SHA-512: | B5A11055321A905CF4ED90885954DA66D982660CD08F4D9A90AF618FB2D075FF2D54A4C6980D2AA2F0FFC5E68E20DD01A6FB6A6183CF2A21306E71A16F4DCA42 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\af5Cop6pCN.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 425 |
Entropy (8bit): | 5.351599573976469 |
Encrypted: | false |
SSDEEP: | 12:Q3La/KDLI4MWuPTxAIOKbbDLI4MWuPOKN08JOKhav:ML9E4KrgKDE4KGKN08AKhk |
MD5: | BEBB66F4CB83D5C34857FE75DE3A8610 |
SHA1: | 66FB475AADAE0D4542125C8E272D9D6BBFA555BB |
SHA-256: | C1A8084313E66497C9F53D0F65E85AC2D4A840AF7FEBCCCFB3924F54BCF1BADC |
SHA-512: | 45181B8B60B7F0FD0D841F50592B9E83F7BADF1FFED040DFCAF5779BF5F653633D78B28E5AFA92A53E9DA965113E4A8E7A16456AE3A8FDF786B7DF6B3FEE5CE8 |
Malicious: | true |
Preview: |
Process: | C:\Users\user\AppData\Roaming\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 425 |
Entropy (8bit): | 5.351599573976469 |
Encrypted: | false |
SSDEEP: | 12:Q3La/KDLI4MWuPTxAIOKbbDLI4MWuPOKN08JOKhav:ML9E4KrgKDE4KGKN08AKhk |
MD5: | BEBB66F4CB83D5C34857FE75DE3A8610 |
SHA1: | 66FB475AADAE0D4542125C8E272D9D6BBFA555BB |
SHA-256: | C1A8084313E66497C9F53D0F65E85AC2D4A840AF7FEBCCCFB3924F54BCF1BADC |
SHA-512: | 45181B8B60B7F0FD0D841F50592B9E83F7BADF1FFED040DFCAF5779BF5F653633D78B28E5AFA92A53E9DA965113E4A8E7A16456AE3A8FDF786B7DF6B3FEE5CE8 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\af5Cop6pCN.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 151 |
Entropy (8bit): | 5.01924739101347 |
Encrypted: | false |
SSDEEP: | 3:mKDDCMNqTtvL5ot+kiEaKC5ZACSmqRDt+kiE2J5xAInTRI6fIV5ZPy:hWKqTtT6wknaZ5Omq1wkn23fTbok |
MD5: | 0275960B1A2EDAF670AECD394006F2F0 |
SHA1: | 0514DE3160222AD806EF30F1249BF8F3131E78D2 |
SHA-256: | 26DF3ED9CE964E53E16A1CC530C5171A90CF36BD79F916A3C9E036C75C03A596 |
SHA-512: | D710C4276828455E9E54207F448674A64CC455F546F70FF0F5C204DB0FDED2AD5D63DE4E5C812040D037DFD35A04681B3437909EAFD6F0742D811D01A9657B17 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\af5Cop6pCN.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 282112 |
Entropy (8bit): | 5.43867724754543 |
Encrypted: | false |
SSDEEP: | 3072:KxWdQMVESKpObIWR9NmLp9yei5KG4ZGYV8cVpFY:KxWGYKg94rJZt |
MD5: | 32A56B4E67436BDD3D39809A9BE949B8 |
SHA1: | DAC60CA2763D18CE9451B28F4D0A1D9FBDC3F4FC |
SHA-256: | 5F6475A6D18503FBC2EB916E32ED1D6B4769F58D364EF2F94C2FD1A52C9AA1DF |
SHA-512: | 70B8DC7B1509CFA3975C97BAA4A2B49746FAC2438307AB97AE67BDD0E98D2D26E05F2E83C0349234B4DEB9314715AEA01084FD11E7F77B2D4BBA856AA7726E47 |
Malicious: | true |
Yara Hits: |
|
Antivirus: |
|
Joe Sandbox View: |
|
Preview: |
Process: | C:\Windows\System32\timeout.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 60 |
Entropy (8bit): | 4.41440934524794 |
Encrypted: | false |
SSDEEP: | 3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn |
MD5: | 3DD7DD37C304E70A7316FE43B69F421F |
SHA1: | A3754CFC33E9CA729444A95E95BCB53384CB51E4 |
SHA-256: | 4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA |
SHA-512: | 713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 5.43867724754543 |
TrID: |
|
File name: | af5Cop6pCN.exe |
File size: | 282112 |
MD5: | 32a56b4e67436bdd3d39809a9be949b8 |
SHA1: | dac60ca2763d18ce9451b28f4d0a1d9fbdc3f4fc |
SHA256: | 5f6475a6d18503fbc2eb916e32ed1d6b4769f58d364ef2f94c2fd1a52c9aa1df |
SHA512: | 70b8dc7b1509cfa3975c97baa4a2b49746fac2438307ab97ae67bdd0e98d2d26e05f2e83c0349234b4deb9314715aea01084fd11e7f77b2d4bba856aa7726e47 |
SSDEEP: | 3072:KxWdQMVESKpObIWR9NmLp9yei5KG4ZGYV8cVpFY:KxWGYKg94rJZt |
TLSH: | CF54A60113D1EBBBEDD2297F8F73C207165F6B8163B5AD962C40554EBA12E5720D3A0E |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....c.b............................R.... ........@.. ....................................@................................ |
Icon Hash: | 70d4828c88c2e471 |
Entrypoint: | 0x41b052 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x62CF63D4 [Thu Jul 14 00:31:16 2022 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Instruction |
---|
jmp dword ptr [00402000h] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1b008 | 0x4a | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1c000 | 0x2b656 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x48000 | 0xc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0x19058 | 0x19200 | False | 0.5033523787313433 | data | 5.832513098107651 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rsrc | 0x1c000 | 0x2b656 | 0x2b800 | False | 0.1814947018678161 | data | 4.751075003232281 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x48000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x1c0ac | 0x2d6b | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | ||
RT_ICON | 0x1ee3b | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | ||
RT_ICON | 0x2f687 | 0x94a8 | data | ||
RT_ICON | 0x38b53 | 0x5488 | data | ||
RT_ICON | 0x3dfff | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 16318463, next used block 4294909696 | ||
RT_ICON | 0x4224b | 0x25a8 | data | ||
RT_ICON | 0x44817 | 0x10a8 | data | ||
RT_ICON | 0x458e3 | 0x988 | data | ||
RT_ICON | 0x4628f | 0x468 | GLS_BINARY_LSB_FIRST | ||
RT_GROUP_ICON | 0x46733 | 0x84 | data | ||
RT_VERSION | 0x467f3 | 0x3a4 | data | ||
RT_MANIFEST | 0x46bd3 | 0xa83 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |
DLL | Import |
---|---|
mscoree.dll | _CorExeMain |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
09/23/22-08:16:16.887686 | TCP | 2848152 | ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
09/23/22-08:16:16.887686 | TCP | 2034847 | ET TROJAN Observed Malicious SSL Cert (AsyncRAT) | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 23, 2022 08:16:15.904928923 CEST | 49707 | 443 | 192.168.2.4 | 104.20.67.143 |
Sep 23, 2022 08:16:15.904983044 CEST | 443 | 49707 | 104.20.67.143 | 192.168.2.4 |
Sep 23, 2022 08:16:15.905143023 CEST | 49707 | 443 | 192.168.2.4 | 104.20.67.143 |
Sep 23, 2022 08:16:15.978910923 CEST | 49707 | 443 | 192.168.2.4 | 104.20.67.143 |
Sep 23, 2022 08:16:15.978955030 CEST | 443 | 49707 | 104.20.67.143 | 192.168.2.4 |
Sep 23, 2022 08:16:16.038691044 CEST | 443 | 49707 | 104.20.67.143 | 192.168.2.4 |
Sep 23, 2022 08:16:16.038902998 CEST | 49707 | 443 | 192.168.2.4 | 104.20.67.143 |
Sep 23, 2022 08:16:16.058886051 CEST | 49707 | 443 | 192.168.2.4 | 104.20.67.143 |
Sep 23, 2022 08:16:16.058912039 CEST | 443 | 49707 | 104.20.67.143 | 192.168.2.4 |
Sep 23, 2022 08:16:16.059443951 CEST | 443 | 49707 | 104.20.67.143 | 192.168.2.4 |
Sep 23, 2022 08:16:16.114991903 CEST | 49707 | 443 | 192.168.2.4 | 104.20.67.143 |
Sep 23, 2022 08:16:16.517368078 CEST | 49707 | 443 | 192.168.2.4 | 104.20.67.143 |
Sep 23, 2022 08:16:16.550949097 CEST | 443 | 49707 | 104.20.67.143 | 192.168.2.4 |
Sep 23, 2022 08:16:16.551053047 CEST | 443 | 49707 | 104.20.67.143 | 192.168.2.4 |
Sep 23, 2022 08:16:16.551131010 CEST | 49707 | 443 | 192.168.2.4 | 104.20.67.143 |
Sep 23, 2022 08:16:16.560657024 CEST | 49707 | 443 | 192.168.2.4 | 104.20.67.143 |
Sep 23, 2022 08:16:16.768956900 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:16:16.788619041 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:16:16.788811922 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:16:16.866048098 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:16:16.887686014 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:16:16.903249025 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:16:16.924741983 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:16:17.083888054 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:16:27.872695923 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:16:27.942609072 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:16:27.942790031 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:16:28.005429983 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:16:41.026510000 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:16:41.099261045 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:16:41.099368095 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:16:41.119456053 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:16:41.288949966 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:16:41.308408022 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:16:41.464027882 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:16:45.543930054 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:16:45.789335966 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:16:45.809439898 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:16:45.976874113 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:16:46.498739004 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:16:46.570760965 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:16:46.570938110 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:16:46.646563053 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:16:53.994374037 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:16:54.068476915 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:16:54.069508076 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:16:54.089812994 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:16:54.205245018 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:16:54.224791050 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:16:54.229171991 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:16:54.302839994 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:16:54.303117990 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:16:54.365385056 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:17:07.088820934 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:17:07.162601948 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:17:07.162787914 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:17:07.182740927 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:17:07.228696108 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:17:07.248019934 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:17:07.251569033 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:17:07.319298029 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:17:07.319509983 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:17:07.381428003 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:17:15.542717934 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:17:15.588712931 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:17:15.610255957 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:17:15.651313066 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:17:20.152755976 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:17:20.212085962 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:17:20.212295055 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:17:20.240494013 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:17:20.293848991 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:17:20.313848019 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:17:20.321336031 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:17:20.384012938 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:17:20.384171963 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:17:20.449337006 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:17:33.247617006 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:17:33.321877003 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:17:33.322803020 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:17:33.342842102 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:17:33.402740002 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:17:33.422184944 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:17:33.424719095 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:17:33.495209932 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:17:33.495389938 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:17:33.556210995 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:17:45.548614025 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:17:45.614175081 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:17:45.635935068 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:17:45.814027071 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:17:46.309535027 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:17:46.369138956 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:17:46.388631105 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:17:46.408622980 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:17:46.621927977 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:17:46.641309023 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:17:46.705971003 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:17:46.775481939 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:17:46.777625084 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:17:46.838196039 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:17:59.351788998 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:17:59.416476011 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:17:59.416538000 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:17:59.436575890 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:17:59.523016930 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:17:59.542501926 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:17:59.543075085 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:17:59.604021072 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Sep 23, 2022 08:17:59.604127884 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63 |
Sep 23, 2022 08:17:59.666486979 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 23, 2022 08:16:15.844961882 CEST | 52239 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 23, 2022 08:16:15.864907026 CEST | 53 | 52239 | 8.8.8.8 | 192.168.2.4 |
Sep 23, 2022 08:16:16.656079054 CEST | 56807 | 53 | 192.168.2.4 | 8.8.8.8 |
Sep 23, 2022 08:16:16.766113997 CEST | 53 | 56807 | 8.8.8.8 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Sep 23, 2022 08:16:15.844961882 CEST | 192.168.2.4 | 8.8.8.8 | 0xbe57 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Sep 23, 2022 08:16:16.656079054 CEST | 192.168.2.4 | 8.8.8.8 | 0x5ae4 | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Sep 23, 2022 08:16:15.864907026 CEST | 8.8.8.8 | 192.168.2.4 | 0xbe57 | No error (0) | 104.20.67.143 | A (IP address) | IN (0x0001) | false | ||
Sep 23, 2022 08:16:15.864907026 CEST | 8.8.8.8 | 192.168.2.4 | 0xbe57 | No error (0) | 172.67.34.170 | A (IP address) | IN (0x0001) | false | ||
Sep 23, 2022 08:16:15.864907026 CEST | 8.8.8.8 | 192.168.2.4 | 0xbe57 | No error (0) | 104.20.68.143 | A (IP address) | IN (0x0001) | false | ||
Sep 23, 2022 08:16:16.766113997 CEST | 8.8.8.8 | 192.168.2.4 | 0x5ae4 | No error (0) | 3.72.110.63 | A (IP address) | IN (0x0001) | false | ||
Sep 23, 2022 08:16:17.181047916 CEST | 8.8.8.8 | 192.168.2.4 | 0xfb9b | No error (0) | 95.140.230.192 | A (IP address) | IN (0x0001) | false |
|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.4 | 49707 | 104.20.67.143 | 443 | C:\Users\user\AppData\Roaming\svchost.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2022-09-23 06:16:16 UTC | 0 | OUT | |
2022-09-23 06:16:16 UTC | 0 | IN | |
2022-09-23 06:16:16 UTC | 0 | IN | |
2022-09-23 06:16:16 UTC | 0 | IN |
Target ID: | 0 |
Start time: | 08:15:46 |
Start date: | 23/09/2022 |
Path: | C:\Users\user\Desktop\af5Cop6pCN.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xb40000 |
File size: | 282112 bytes |
MD5 hash: | 32A56B4E67436BDD3D39809A9BE949B8 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: |
|
Reputation: | low |
Target ID: | 1 |
Start time: | 08:15:53 |
Start date: | 23/09/2022 |
Path: | C:\Windows\System32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff632260000 |
File size: | 273920 bytes |
MD5 hash: | 4E2ACF4F8A396486AB4268C94A6A245F |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 2 |
Start time: | 08:15:54 |
Start date: | 23/09/2022 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7c72c0000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 3 |
Start time: | 08:15:54 |
Start date: | 23/09/2022 |
Path: | C:\Windows\System32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff632260000 |
File size: | 273920 bytes |
MD5 hash: | 4E2ACF4F8A396486AB4268C94A6A245F |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 4 |
Start time: | 08:15:54 |
Start date: | 23/09/2022 |
Path: | C:\Windows\System32\schtasks.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7c8230000 |
File size: | 226816 bytes |
MD5 hash: | 838D346D1D28F00783B7A6C6BD03A0DA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 5 |
Start time: | 08:15:55 |
Start date: | 23/09/2022 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7c72c0000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 6 |
Start time: | 08:15:55 |
Start date: | 23/09/2022 |
Path: | C:\Windows\System32\timeout.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff63f000000 |
File size: | 30720 bytes |
MD5 hash: | EB9A65078396FB5D4E3813BB9198CB18 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Target ID: | 7 |
Start time: | 08:15:57 |
Start date: | 23/09/2022 |
Path: | C:\Users\user\AppData\Roaming\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xbc0000 |
File size: | 282112 bytes |
MD5 hash: | 32A56B4E67436BDD3D39809A9BE949B8 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: |
|
Antivirus matches: |
|
Target ID: | 8 |
Start time: | 08:15:59 |
Start date: | 23/09/2022 |
Path: | C:\Users\user\AppData\Roaming\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xe00000 |
File size: | 282112 bytes |
MD5 hash: | 32A56B4E67436BDD3D39809A9BE949B8 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: |
|
Function | Relevance | Instructions | Class | Uniqueness Score |
---|---|---|---|---|
00007FF816425795 | .1 | 121 | COMMON | -1.00% |
00007FF81642575C | .1 | 114 | COMMON | -1.00% |
00007FF816425139 | .1 | 105 | COMMON | -1.00% |
00007FF81642520F | .1 | 98 | COMMON | -1.00% |
00007FF816423C21 | .1 | 83 | COMMON | -1.00% |
00007FF81642677F | .1 | 78 | COMMON | -1.00% |
00007FF816423C40 | .1 | 67 | COMMON | -1.00% |
00007FF816424C59 | .1 | 67 | COMMON | -1.00% |
00007FF816423A28 | .1 | 66 | COMMON | -1.00% |
00007FF816423E3E | .1 | 63 | COMMON | -1.00% |
00007FF816425CCE | .1 | 59 | COMMON | -1.00% |
00007FF816425919 | .1 | 56 | COMMON | -1.00% |
00007FF8164234AD | .1 | 55 | COMMON | -1.00% |
00007FF816420430 | .1 | 54 | COMMON | -1.00% |
00007FF816423DD7 | .1 | 51 | COMMON | -1.00% |
00007FF816424BBC | .1 | 51 | COMMON | -1.00% |
00007FF816423F8B | .0 | 50 | COMMON | -1.00% |
00007FF81642556C | .0 | 49 | COMMON | -1.00% |
00007FF816420438 | .0 | 49 | COMMON | -1.00% |
00007FF816425A5F | .0 | 49 | COMMON | -1.00% |
00007FF81642352E | .0 | 48 | COMMON | -1.00% |
00007FF816424DBC | .0 | 48 | COMMON | -1.00% |
00007FF816423F87 | .0 | 48 | COMMON | -1.00% |
00007FF816425DB3 | .0 | 36 | COMMON | -1.00% |
00007FF8164258B6 | .0 | 36 | COMMON | -1.00% |
00007FF816425DAF | .0 | 34 | COMMON | -1.00% |
00007FF816423A1A | .0 | 34 | COMMON | -1.00% |
00007FF816422C47 | .0 | 27 | COMMON | -1.00% |
00007FF8164266ED | .0 | 27 | COMMON | -1.00% |
00007FF8164233C8 | .0 | 26 | COMMON | -1.00% |
00007FF816425BF6 | .0 | 26 | COMMON | -1.00% |
00007FF816425B60 | .0 | 25 | COMMON | -1.00% |
00007FF816423408 | .0 | 21 | COMMON | -1.00% |
00007FF816424BFE | .0 | 21 | COMMON | -1.00% |
00007FF816425C1D | .0 | 20 | COMMON | -1.00% |
00007FF816422C6F | .0 | 18 | COMMON | -1.00% |
00007FF816426713 | .0 | 17 | COMMON | -1.00% |
00007FF8164230F8 | .0 | 17 | COMMON | -1.00% |
00007FF816425B9A | .0 | 17 | COMMON | -1.00% |
00007FF8164230A8 | .0 | 17 | COMMON | -1.00% |
00007FF8164254B6 | .0 | 16 | COMMON | -1.00% |
00007FF816426672 | .0 | 15 | COMMON | -1.00% |
00007FF816425E0B | .0 | 14 | COMMON | -1.00% |
00007FF816425AEF | .0 | 12 | COMMON | -1.00% |
00007FF816423373 | .0 | 7 | COMMON | -1.00% |
00007FF8164204B0 | .0 | 7 | COMMON | -1.00% |
00007FF816425BBB | .0 | 5 | COMMON | -1.00% |
00007FF816422DE6 | .0 | 5 | COMMON | -1.00% |
00007FF816425CBD | .0 | 4 | COMMON | -1.00% |
00007FF816405139 | .1 | 103 | COMMON | -1.00% |
00007FF81640520F | .1 | 96 | COMMON | -1.00% |
00007FF816403C21 | .1 | 83 | COMMON | -1.00% |
00007FF816404B6E | .1 | 73 | COMMON | -1.00% |
00007FF816403A1D | .1 | 68 | COMMON | -1.00% |
00007FF816403C40 | .1 | 67 | COMMON | -1.00% |
00007FF816404C59 | .1 | 67 | COMMON | -1.00% |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF816403E3E Relevance: .1, Instructions: 63COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF816402C47 Relevance: .1, Instructions: 57COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF816403F7F Relevance: .1, Instructions: 55COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8164034AD Relevance: .1, Instructions: 55COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF816400430 Relevance: .1, Instructions: 54COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF816403DD7 Relevance: .1, Instructions: 51COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF81640556C Relevance: .0, Instructions: 49COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF816400438 Relevance: .0, Instructions: 49COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF81640352E Relevance: .0, Instructions: 48COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF816404DBC Relevance: .0, Instructions: 48COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF816404BB8 Relevance: .0, Instructions: 34COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8164033C8 Relevance: .0, Instructions: 26COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF816404BFE Relevance: .0, Instructions: 21COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF816403408 Relevance: .0, Instructions: 21COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF816402D82 Relevance: .0, Instructions: 18COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF816402C6F Relevance: .0, Instructions: 18COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8164030F8 Relevance: .0, Instructions: 17COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8164030A8 Relevance: .0, Instructions: 17COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8164054B6 Relevance: .0, Instructions: 16COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF816403373 Relevance: .0, Instructions: 7COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8164004B0 Relevance: .0, Instructions: 7COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
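The function table above lists addresses in two ranges, 00007FF81642xxxx and 00007FF81640xxxx, and several entries in the two ranges share their low 16 address bits and their instruction count (for example 00007FF816423408 and 00007FF816403408, both 21 instructions). When triaging a report like this it is useful to parse the flattened rows and pair such entries, because a run of pairs at one constant address delta is consistent with the same module being mapped at two bases, for instance the same binary running in two processes. The script below is an added example written for this page, not Joe Sandbox code and not part of the report; its sample input is a subset of the rows on this page copied verbatim, including the export artifact where the COMMON tag is fused to the instruction count. The pairing is a triage heuristic, not proof that the two copies are identical code.

```python
"""Parse flattened Joe Sandbox 'Function ...' rows and pair functions that
appear to be the same code mapped at two base addresses.

Added example for this page; not Joe Sandbox code and not part of the report.
"""
import re
from collections import defaultdict

# Constructed sample input: a subset of the rows from this report, verbatim.
SAMPLE_ROWS = """\
Function 00007FF816423408 Relevance: .0, Instructions: 21COMMON
Function 00007FF816424BFE Relevance: .0, Instructions: 21COMMON
Function 00007FF816425C1D Relevance: .0, Instructions: 20COMMON
Function 00007FF816422C6F Relevance: .0, Instructions: 18COMMON
Function 00007FF8164230F8 Relevance: .0, Instructions: 17COMMON
Function 00007FF8164254B6 Relevance: .0, Instructions: 16COMMON
Function 00007FF816405139 Relevance: .1, Instructions: 103COMMON
Function 00007FF816403408 Relevance: .0, Instructions: 21COMMON
Function 00007FF816404BFE Relevance: .0, Instructions: 21COMMON
Function 00007FF816402C6F Relevance: .0, Instructions: 18COMMON
Function 00007FF8164030F8 Relevance: .0, Instructions: 17COMMON
Function 00007FF8164054B6 Relevance: .0, Instructions: 16COMMON
Function 00007FF81640DAF6 Relevance: .5, Instructions: 475COMMON
"""

# One row: 16 hex digits, a relevance such as ".0" or "1.2", an instruction
# count, and an optional classification tag fused onto the count ("21COMMON").
ROW_RE = re.compile(
    r"Function\s+([0-9A-Fa-f]{16})\s+Relevance:\s*(\d*\.\d+|\d+)\s*,"
    r"\s*Instructions:\s*(\d+)\s*([A-Za-z]*)"
)


def parse_functions(text):
    """Return one dict per row: address (int), relevance (float),
    instructions (int), tag (str, '' when no tag is fused to the count)."""
    rows = []
    for m in ROW_RE.finditer(text):
        rows.append({
            "address": int(m.group(1), 16),
            "relevance": float(m.group(2)),
            "instructions": int(m.group(3)),
            "tag": m.group(4),
        })
    return rows


def find_rebased_pairs(rows):
    """Pair functions that share the low 16 address bits and the instruction
    count; return (delta, pairs) for the most frequent address delta among
    such pairs, each pair as (lower_address, higher_address).

    A run of pairs at one constant delta is consistent with one module mapped
    at two bases. It is a heuristic for triage, not proof of identical code."""
    by_key = defaultdict(list)
    for r in rows:
        by_key[(r["instructions"], r["address"] & 0xFFFF)].append(r["address"])
    by_delta = defaultdict(list)
    for addrs in by_key.values():
        if len(addrs) == 2:  # exactly one candidate counterpart
            lo, hi = sorted(addrs)
            by_delta[hi - lo].append((lo, hi))
    if not by_delta:
        return 0, []
    delta = max(by_delta, key=lambda d: len(by_delta[d]))
    return delta, sorted(by_delta[delta])


def summarize(rows):
    """Row count, total instructions, and the count left after collapsing
    each rebased pair to a single function."""
    _, pairs = find_rebased_pairs(rows)
    return {
        "functions": len(rows),
        "instructions": sum(r["instructions"] for r in rows),
        "distinct_after_collapse": len(rows) - len(pairs),
    }


if __name__ == "__main__":
    parsed = parse_functions(SAMPLE_ROWS)
    delta, pairs = find_rebased_pairs(parsed)
    print(f"{len(parsed)} rows, {len(pairs)} rebased pairs at delta 0x{delta:X}")
    for lo, hi in pairs:
        print(f"  {lo:016X} <-> {hi:016X}")
    print(summarize(parsed))
```

Running it on the sample rows pairs five functions across the two ranges at a constant delta of 0x20000 and leaves three unpaired (00007FF816425C1D, 00007FF816405139 and 00007FF81640DAF6), so the thirteen rows collapse to eight distinct functions. The key deliberately includes the instruction count so that two unrelated functions whose addresses merely share low bits are not paired.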
Execution Graph
Execution Coverage: | 10.4% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 0% |
Total number of Nodes: | 6 |
Total number of Limit Nodes: | 0 |
Graph
Each entry below shares the same detail rows: Memory Dump Source: Joe Sandbox IDA Plugin; Similarity: (none given); Uniqueness Score: -1.00%.
Control-flow Graph | Strings |
Function 00007FF81640DAF6 | Relevance: .5 | Instructions: 475 | COMMON |
Control-flow Graph |
Function 00007FF81640E8A2 | Relevance: .5 | Instructions: 461 | COMMON |
Control-flow Graph |
Control-flow Graph | APIs |
Control-flow Graph | APIs |