Windows
Analysis Report
SC_TR11670000.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64native
- SC_TR11670000.exe (PID: 2852, cmdline: C:\Users\user\Desktop\SC_TR11670000.exe, MD5: 778F9F61191BF812A829EDFB93F5B442)
- SC_TR11670000.exe (PID: 6728, cmdline: C:\Users\user\Desktop\SC_TR11670000.exe, MD5: 778F9F61191BF812A829EDFB93F5B442)
- WerFault.exe (PID: 2396, cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6728 -s 212, MD5: 40A149513D721F096DDF50C04DA2F01F)
- cleanup

The sample is started twice with the same command line. The `-p 6728` argument to WerFault.exe shows that the second instance crashed, and the SysWOW64 copy of WerFault.exe handling it confirms the sample runs as a 32-bit process.
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution |
Name: Loki Password Stealer (PWS), LokiBot (no attribution listed)

"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMe

- Loki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.
- Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.
- The mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24 characters. For example: B7E1C2CC98066B250DDB2123.
- Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the mutex. For example: %APPDATA%\C98066\.
- There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They are named after characters 13 thru 18 of the mutex. For example: 6B250D.

File extension | File description
---|---
.exe | A copy of the malware that will execute every time the user account is logged into
.lck | A lock file created when either decrypting Windows Credentials or keylogging, to prevent resource conflicts
.hdb | A database of hashes for data that has already been exfiltrated to the C2 server
.kdb | A database of keylogger data that has yet to be sent to the C2 server

- If the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.
- The first packet transmitted by Loki-Bot contains application data. The second packet contains decrypted Windows credentials. The third packet is the malware requesting C2 commands from the C2 server. By default, Loki-Bot sends this request out every 10 minutes after the initial packet is sent.
- Communications to the C2 server from the compromised host contain information about the user and system, including the username, hostname, domain, screen resolution, privilege level, system architecture, and operating system.
- The first WORD of the HTTP payload represents the Loki-Bot version. The second WORD of the HTTP payload is the payload type:

Byte | Payload type
---|---
0x26 | Stolen Cryptocurrency Wallet
0x27 | Stolen Application Data
0x28 | Get C2 Commands from C2 Server
0x29 | Stolen File
0x2A | POS (Point of Sale?)
0x2B | Keylogger Data
0x2C | Screenshot

- The 11th byte of the HTTP payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. The value is typically ckav.ru; a Binary ID that differs from this is worth noting.
- Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.
- The Content-Key HTTP header value is the result of hashing the HTTP header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot's C2 infrastructure.
- Loki-Bot can accept the following instructions from the C2 server:

Byte | Instruction description
---|---
0x00 | Download EXE & Execute
0x01 | Download DLL & Load #1
0x02 | Download DLL & Load #2
0x08 | Delete HDB File
0x09 | Start Keylogger
0x0A | Mine & Steal Data
0x0E | Exit Loki-Bot
0x0F | Upgrade Loki-Bot
0x10 | Change C2 Polling Frequency
0x11 | Delete Executables & Exit

Suricata signatures:

Rule SID | Rule name
---|---
2024311 | ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected
2024312 | ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1
2024313 | ET TROJAN Loki Bot Request for C2 Commands Detected M1
2024314 | ET TROJAN Loki Bot File Exfiltration Detected
2024315 | ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1
2024316 | ET TROJAN Loki Bot Screenshot Exfiltration Detected
2024317 | ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2
2024318 | ET TROJAN Loki Bot Request for C2 Commands Detected M2
2024319 | ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2
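The host artifacts and the HTTP payload layout in the description above are concrete enough to turn into a hunting helper. The following Python is an added example, not code from this report, from Joe Sandbox or from the malware: it derives the mutex, hidden %APPDATA% folder and file names from a Machine GUID, and triages the first bytes of a LokiBot POST body (version WORD, payload-type WORD, Binary ID from the 11th byte). Three details the page does not state are assumptions here: the GUID is hashed as the ASCII string held in HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid, the WORDs are little-endian, and the Binary ID is a NUL-terminated ASCII run. The sample body is constructed, not captured from this analysis.

```python
"""LokiBot host-artifact derivation and HTTP payload header triage.

Added example, not code from the report or from LokiBot itself. It follows the
description above: mutex = MD5(MachineGuid) trimmed to 24 characters, hidden
%APPDATA% folder = mutex characters 8-13, file stem = mutex characters 13-18,
payload = WORD version, WORD type, Binary ID starting at the 11th byte.
Assumptions (not stated in the report): the GUID is hashed as the ASCII string
stored in HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid, the WORDs are
little-endian, and the Binary ID is a NUL-terminated ASCII run.
"""
import hashlib
import struct

PAYLOAD_TYPES = {
    0x26: "Stolen Cryptocurrency Wallet",
    0x27: "Stolen Application Data",
    0x28: "Get C2 Commands from C2 Server",
    0x29: "Stolen File",
    0x2A: "POS (Point of Sale?)",
    0x2B: "Keylogger Data",
    0x2C: "Screenshot",
}

# Binary ID the description calls typical; anything else deserves a closer look.
EXPECTED_BINARY_ID = "ckav.ru"


def lokibot_mutex(machine_guid: str) -> str:
    """MD5 of the Machine GUID, upper-case hex, trimmed to 24 characters."""
    return hashlib.md5(machine_guid.encode("ascii")).hexdigest().upper()[:24]


def lokibot_artifacts(mutex: str) -> dict:
    """Paths to hunt for, derived from a 24-character mutex.

    Characters are counted 1-based as in the description: folder = chars 8..13,
    file stem = chars 13..18 (the two ranges share character 13).
    """
    if len(mutex) != 24:
        raise ValueError("LokiBot mutex is 24 hex characters")
    folder = mutex[7:13]
    stem = mutex[12:18]
    return {
        "mutex": mutex,
        "folder": f"%APPDATA%\\{folder}\\",
        "files": [f"%APPDATA%\\{folder}\\{stem}{ext}"
                  for ext in (".exe", ".lck", ".hdb", ".kdb")],
    }


def parse_lokibot_payload(body: bytes) -> dict:
    """Triage the header of a LokiBot HTTP POST body (assumed little-endian)."""
    if len(body) < 11:
        raise ValueError("body shorter than the 11-byte header")
    version, ptype = struct.unpack_from("<HH", body, 0)
    end = body.find(b"\x00", 10)          # assumed NUL terminator
    raw_id = body[10:] if end == -1 else body[10:end]
    binary_id = raw_id.decode("ascii", errors="replace")
    return {
        "version": version,
        "payload_type": ptype,
        "payload_name": PAYLOAD_TYPES.get(ptype, "unknown"),
        "binary_id": binary_id,
        "binary_id_is_default": binary_id == EXPECTED_BINARY_ID,
    }


# Constructed sample (not captured from the sandbox run): version 0x0012,
# type 0x27 (stolen application data), six filler bytes, default Binary ID.
SAMPLE_BODY = b"\x12\x00\x27\x00" + b"\x00" * 6 + b"ckav.ru\x00"

if __name__ == "__main__":
    print(lokibot_artifacts("B7E1C2CC98066B250DDB2123"))
    print(parse_lokibot_payload(SAMPLE_BODY))
```

Feeding the example mutex from the description (B7E1C2CC98066B250DDB2123) reproduces its %APPDATA%\C98066\ folder and 6B250D file stem, which is a cheap check that the slicing matches the text. If a real Machine GUID does not reproduce a mutex observed on a host, the encoding assumption (ASCII, case, braces) is the first thing to revisit.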
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Lokibot_1 | Yara detected Lokibot | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security | ||
JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security | ||
JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security | ||
JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | ||
JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security |
Suricata IDS alerts (all raised on the same TCP flow from the analysis machine to the C2 host):

Timestamp | Source | Destination | Protocol | SID | Classtype
---|---|---|---|---|---
03/17/23-08:58:50.216236 | 192.168.11.20:49842 | 171.22.30.147:80 | TCP | 2024317 | A Network Trojan was detected
03/17/23-08:58:50.216236 | 192.168.11.20:49842 | 171.22.30.147:80 | TCP | 2025381 | A Network Trojan was detected
03/17/23-08:58:50.216236 | 192.168.11.20:49842 | 171.22.30.147:80 | TCP | 2021641 | A Network Trojan was detected
03/17/23-08:58:50.216236 | 192.168.11.20:49842 | 171.22.30.147:80 | TCP | 2825766 | A Network Trojan was detected
03/17/23-08:58:50.216236 | 192.168.11.20:49842 | 171.22.30.147:80 | TCP | 2024312 | A Network Trojan was detected

SIDs 2024312 and 2024317 are the ET TROJAN Loki Bot Application/Credential Data Exfiltration rules (M1 and M2) from the family description above, i.e. the first LokiBot check-in over plain HTTP on port 80 was seen. The other three SIDs are not named in this report.
AV Detection
- Virustotal (Perma Link); ReversingLabs; Avira URL Cloud; Virustotal (Perma Link)

Further signature hits (section headings not preserved in this copy)
- Static PE information (2); HTTPS traffic detected
- Binary string (3)
- Code function: 1_2_0040626D, 1_2_00405732, 1_2_004026FE
Networking
- Snort IDS (5 alerts, listed above)
- ASN Name; JA3 fingerprint; IP Address
- HTTP traffic detected (2); Network traffic detected (2)
- TCP traffic detected without corresponding DNS query (6); UDP traffic detected without corresponding DNS query (1)
- String found in binary or memory (32)
- HTTP traffic detected; DNS traffic detected; HTTP traffic detected; HTTPS traffic detected

Further signature hits (section headings not preserved in this copy)
- Code function: 1_2_004051CF; Static PE information; Process created; Code function: 1_2_004031D6
- Code function: 1_2_00404A0E, 1_2_004065F6, 1_2_73EC1A9C; Binary or memory string; Section loaded (2); Static PE information
- Virustotal; ReversingLabs; File read; Static PE information; Key opened; Process created (4); Key value queried; Code function: 1_2_004031D6
- File created (2); Classification label; Code function: 1_2_004020D1; File read; Code function: 1_2_0040449B; Mutant created; File written; Key opened; Static PE information; Binary string (3)
Data Obfuscation
- File source (6)
- Code function: 1_2_73EC2F4E, 1_2_03338B48, 1_2_0333594B, 1_2_033383A6, 1_2_03336BF6, 1_2_03338A30, 1_2_03333407, 1_2_03336EA6
- Code function: 1_2_73EC1A9C
- File created (2 dropped files)
- Process information set (31)
Malware Analysis System Evasion
- File opened (4)
- Last function
- Dropped PE file which has not been started
- Code function: 1_2_0040626D, 1_2_00405732, 1_2_004026FE
- API call chain: graph_1-4962, graph_1-5132
- Binary or memory string (11)

Further signature hits (section headings not preserved in this copy)
- Code function: 1_2_73EC1A9C; Process token adjusted; Code function: 1_2_00402D63; Process created; Key value queried; Code function: 1_2_004031D6
Stealing of Sensitive Information
- File source
- Key opened (4)
- File opened (4)

Remote Access Functionality
- File source
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Masquerading | 2 OS Credential Dumping | 11 Security Software Discovery | Remote Services | 1 Email Collection | Exfiltration Over Other Network Medium | 11 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 11 Process Injection | 1 Virtualization/Sandbox Evasion | 1 Credentials in Registry | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | 1 DLL Side-Loading | 1 Access Token Manipulation | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | 2 Data from Local System | Automated Exfiltration | 3 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 11 Process Injection | NTDS | 5 System Information Discovery | Distributed Component Object Model | 1 Clipboard Data | Scheduled Transfer | 14 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 DLL Side-Loading | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
48% | Virustotal | Browse | ||
51% | ReversingLabs | Win32.Trojan.Krynis |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | ReversingLabs | |||
0% | ReversingLabs |
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
100% | Avira | HEUR/AGEN.1223491 | Download File | ||
100% | Avira | HEUR/AGEN.1223491 | Download File | ||
100% | Avira | HEUR/AGEN.1223491 | Download File |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
7% | Virustotal | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe | ||
100% | Avira URL Cloud | malware | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Virustotal | Browse | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Virustotal | Browse |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
---|---|---|---|---|---
zed-unusual-activity-com.veldaeffertz.ml | 188.114.97.3 | true | false | | unknown
Contacted URLs (the URL strings themselves are not preserved in this copy):

Malicious | Reputation | Count
---|---|---
true | unknown | 2
false | unknown | 5
false | high | 3
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
171.22.30.147 | unknown | Germany | 33657 | CMCSUS | true | |
188.114.97.3 | zed-unusual-activity-com.veldaeffertz.ml | European Union | 13335 | CLOUDFLARENETUS | false |
Joe Sandbox Version: | 37.0.0 Beryl |
Analysis ID: | 828467 |
Start date and time: | 2023-03-17 08:55:19 +01:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 11m 25s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301 |
Number of analysed new started processes analysed: | 8 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample file name: | SC_TR11670000.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@4/19@1/2 |
EGA Information: |
HDC Information: |
HCA Information: |
Cookbook Comments:
- Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): wdcpalt.microsoft.com, client.wns.windows.com, login.live.com, wdcp.microsoft.com
- Report creation exceeded maximum time and may have missing disassembly code information.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Related samples (sample names and SHA-256 values are not preserved in this copy):

Match | Context | Detection | Threat names of related samples
---|---|---|---
171.22.30.147 | IP | malicious (20 samples) | GuLoader, Lokibot (4); Lokibot (16)
Match | Context | Detection | Threat names of related samples
---|---|---|---
zed-unusual-activity-com.veldaeffertz.ml | Domain | malicious (5 samples) | GuLoader, Lokibot (5)
Match | Context | Detection | Threat names of related samples
---|---|---|---
CMCSUS | ASN | malicious (20 samples) | Lokibot (9); Nymaim (5); GuLoader, Lokibot (2); AsyncRAT (1); FormBook (1); Mirai (1); Unknown (1)
Match | Context | Detection | Threat names of related samples
---|---|---|---
37f463bf4616ecd445d4a1937da06e19 | JA3 | malicious (20 samples) | Amadey, Babuk, Clipboard Hijacker, Djvu, Fabookie, RedLine, SmokeLoader; Babuk, Clipboard Hijacker, Djvu, Vidar (5); Amadey, Djvu, RedLine, SmokeLoader; Clipboard Hijacker, Djvu, HTMLPhisher, Vidar; Unknown (2); BluStealer, ThunderFox Stealer, a310Logger; Amadey, Djvu, SmokeLoader (2); Babuk, Djvu; Grandcrab, Gandcrab; Vidar; Qbot; Remcos, GuLoader; FormBook; Djvu

Twenty unrelated families share this JA3 value, so it characterises the client TLS stack rather than this sample; it is not a useful standalone indicator for GuLoader or LokiBot.
Match | Context | Detection | Threat names of related samples
---|---|---|---
C:\Users\user\AppData\Local\Temp\nss6D2B.tmp\System.dll | Dropped file | malicious (19 samples) | GuLoader (12); GuLoader, Lokibot (3); FormBook, GuLoader (2); AgentTesla, GuLoader (1); AveMaria, GuLoader, UACMe (1)

A System.dll written to an ns*.tmp directory under %TEMP% is the System plugin of an NSIS installer, so this GuLoader build is packaged as an NSIS installer; every one of the 19 related samples sharing the plugin is GuLoader, with the final payload (Lokibot, FormBook, AgentTesla, AveMaria) varying per campaign.
Process: | C:\Users\user\Desktop\SC_TR11670000.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 54 |
Entropy (8bit): | 4.838039816898156 |
Encrypted: | false |
SSDEEP: | 3:7KG/LmI/cXQQLQIfLBJXmgxv:OG/LmI/cXQQkIP2I |
MD5: | FB5EE2C0CAC332EC8390F50016EF0769 |
SHA1: | 11D9FB52FE5289140B9D52A38B56F99512B3A3A7 |
SHA-256: | C557AFE51AB22916E3423820A09D3805BF9DCDCECBEC4FE8DE2C67FB023BA631 |
SHA-512: | 87CCEA7B203B8BFC4E21544FE4FE9693AF230E246C450E673410565791DFE8257E30354772FDCC114C7068D9295FDB491E9B52D1A3B490C0756E568B70B95C0A |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\SC_TR11670000.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 11776 |
Entropy (8bit): | 5.832316471889005 |
Encrypted: | false |
SSDEEP: | 192:4PtkiQJr7jHYT87RfwXQ6YSYtOuVDi7IsFW14Ll8CO:H78TQIgGCDp14LGC |
MD5: | B0C77267F13B2F87C084FD86EF51CCFC |
SHA1: | F7543F9E9B4F04386DFBF33C38CBED1BF205AFB3 |
SHA-256: | A0CAC4CF4852895619BC7743EBEB89F9E4927CCDB9E66B1BCD92A4136D0F9C77 |
SHA-512: | F2B57A2EEA00F52A3C7080F4B5F2BB85A7A9B9F16D12DA8F8FF673824556C62A0F742B72BE0FD82A2612A4B6DBD7E0FDC27065212DA703C2F7E28D199696F66E |
Malicious: | false |
Antivirus: |
|
Joe Sandbox View: |
|
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\SC_TR11670000.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:U:U |
MD5: | C4CA4238A0B923820DCC509A6F75849B |
SHA1: | 356A192B7913B04C54574D18C28D46E6395428AB |
SHA-256: | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
SHA-512: | 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A |
Malicious: | false |
Preview: |
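The dropped-file entries above list size, an 8-bit entropy value and four digests but do not say how the entropy is computed. The following Python is an added example, not code from this report or from Joe Sandbox: it reproduces those metrics for arbitrary content and checks a content guess against the listed digests. The 1-byte entry above (entropy 0.0, MD5 C4CA4238A0B923820DCC509A6F75849B) is the digest of the single ASCII character "1", which the check confirms; the digests in the block are copied from that entry, and the other inputs are constructed.

```python
"""Reproduce the per-file metrics in the dropped-file listing.

Added example, not part of the Joe Sandbox report. "Entropy (8bit)" is the
Shannon entropy of the byte distribution in bits per byte: 0.0 for a file whose
bytes are all identical, 8.0 for uniformly distributed bytes. The digest check
lets an analyst test a content guess against the listed MD5/SHA-256 values.
"""
import hashlib
import math
from collections import Counter


def entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte, as in the 'Entropy (8bit)' field."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def file_metrics(data: bytes) -> dict:
    """Size, entropy and digests in the same fields the listing shows."""
    return {
        "size": len(data),
        "entropy": entropy_8bit(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }


def matches_listing(data: bytes, listed_md5: str, listed_sha256: str) -> bool:
    """True when candidate content reproduces the digests in the listing."""
    m = file_metrics(data)
    return m["md5"] == listed_md5.upper() and m["sha256"] == listed_sha256.upper()


# Digests copied from the 1-byte dropped-file entry above.
LISTED_MD5 = "C4CA4238A0B923820DCC509A6F75849B"
LISTED_SHA256 = "6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B"

if __name__ == "__main__":
    print(file_metrics(b"1"))
    print("listing matches b'1':", matches_listing(b"1", LISTED_MD5, LISTED_SHA256))
```

The same check works for any small dropped file whose content can be guessed (a marker byte, a fixed config stub); for the larger decoy files in this listing the content is not on the page, so only the entropy helper applies to them.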
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3425316567-2969588382-3778222414-1001\1b1d0082738e9f9011266f86ab9723d2_11389406-0377-47ed-98c7-d564e683c6eb
Process: | C:\Users\user\Desktop\SC_TR11670000.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 47 |
Entropy (8bit): | 1.1262763721961973 |
Encrypted: | false |
SSDEEP: | 3:/lSllIEXln:AWE1 |
MD5: | D69FB7CE74DAC48982B69816C3772E4E |
SHA1: | B1C04CDB2567DC2B50D903B0E1D0D3211191E065 |
SHA-256: | 8CC6CA5CA4D0FA03842A60D90A6141F0B8D64969E830FC899DBA60ACB4905396 |
SHA-512: | 7E4EC58DA8335E43A4542E0F6E05FA2D15393E83634BE973AA3E758A870577BA0BA136F6E831907C4B30D587B8E6EEAFA2A4B8142F49714101BA50ECC294DDB0 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Brandmurens\Antirevolutionist\Nitrosobacterium\Eliksirens\dotnet.api
Process: | C:\Users\user\Desktop\SC_TR11670000.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1245 |
Entropy (8bit): | 5.462849750105637 |
Encrypted: | false |
SSDEEP: | 24:hM0mIAvy4Wvsqs1Ra7JZRGNeHX+AYcvP2wk1RjdEF3qpMk5:lmIAq1UqsziJZ+eHX+AdP2TvpMk5 |
MD5: | 5343C1A8B203C162A3BF3870D9F50FD4 |
SHA1: | 04B5B886C20D88B57EEA6D8FF882624A4AC1E51D |
SHA-256: | DC1D54DAB6EC8C00F70137927504E4F222C8395F10760B6BEECFCFA94E08249F |
SHA-512: | E0F50ACB6061744E825A4051765CEBF23E8C489B55B190739409D8A79BB08DAC8F919247A4E5F65A015EA9C57D326BBEF7EA045163915129E01F316C4958D949 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Brandmurens\Antirevolutionist\Nitrosobacterium\Eliksirens\ebook-reader.png
Process: | C:\Users\user\Desktop\SC_TR11670000.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 555 |
Entropy (8bit): | 7.499536740374189 |
Encrypted: | false |
SSDEEP: | 12:6v/7anZhFxDEKwjAq0kaO/yvSL6T1pjNngLpzPanwmB9HE4JqSjF:5bDEPxdqKLmpqLdynw29kEqSZ |
MD5: | BFF011148B773FA44B9A9BB029E8CC52 |
SHA1: | F2B838927E320D12649CEFDEA3AFE383C6650D7C |
SHA-256: | B21DE7B432A7A67544D007ECC0FDD95F8E8C6129AF558A32102EE04C08635653 |
SHA-512: | A57C83AEE0E1F4C530D2F5B90589C31FD6E2FF8F62F998963284218FAC5EE164BCA7A619A9597DC3E2ECD0095A2CF04467E89EDF86700E1A90B3DF60B5121C9B |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Brandmurens\Antirevolutionist\Nitrosobacterium\Eliksirens\emblem-photos-symbolic.svg
Process: | C:\Users\user\Desktop\SC_TR11670000.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 680 |
Entropy (8bit): | 5.109191824773878 |
Encrypted: | false |
SSDEEP: | 12:t4CP5GEA9xI7jhz4AeW02KdTwWjhz4AeW02KdTPqkoop4p:t4CBGEAgF4AeW0/N4AeW0/Zqg4p |
MD5: | 379690952AAA576521D51249D404CBCD |
SHA1: | 61A8A95B0454422AA47379CF983B99FFDD839439 |
SHA-256: | EAD402FB0B85DB153356EC695016FD4F2C4031367D8ED6D1C1EF5FF4F28A8DE8 |
SHA-512: | 35B6BC866C3D02A2486D3447C82405103DE89D46940F7FE44A7009E714BBA57FBE601EEC939C3206ADB06FB31C4FD1D3822A0ED52A346ACFDE5908643432F928 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Brandmurens\Antirevolutionist\Nitrosobacterium\Eliksirens\font-select-symbolic.symbolic.png
Process: | C:\Users\user\Desktop\SC_TR11670000.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 220 |
Entropy (8bit): | 6.546211943247282 |
Encrypted: | false |
SSDEEP: | 6:6v/lhPysde0C1jngP3V95D2tOA/RDvhpLUxbVp:6v/7jC1zi3Sr/hW |
MD5: | C84EE7522C124892455BB09DEBCF9340 |
SHA1: | AF87A2A5688346A3902762DD250328B7EF224620 |
SHA-256: | E0A3BD6FE1A1BAEFFE04BCA2980ADF755F888E31DCE3686B16C5DAC4202A38C8 |
SHA-512: | 3BEED79366F15CD075781F677C0C9E84081D2189D1FB541A34AA25980B48701A3D93DC550E4ABEB550EFBE3167B1CAB8338E22F4603C6A71936876FBA75FAD58 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Brandmurens\Antirevolutionist\Nitrosobacterium\Eliksirens\network-wired-symbolic.symbolic.png
Process: | C:\Users\user\Desktop\SC_TR11670000.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 144 |
Entropy (8bit): | 5.708279548998072 |
Encrypted: | false |
SSDEEP: | 3:yionv//thPl9vt3lAnsrtxBllAoSF1/LvgStjP9f9uvJYUo+/JHt//sup:6v/lhPysKo21/Lvlt7V9+YUouJH1/jp |
MD5: | 1ED278AD206D6EA33FF787DD326E0FC5 |
SHA1: | 8CFF7AD12FC0E5545E71D05879A0245BEDAF4D46 |
SHA-256: | CC88E76F7C7D2E5B07E49D1F2AD88F8BAFC0542EB11CEB2B2FFF235C87AB4417 |
SHA-512: | 7291085B6153C02EDBF679CDDB93B97DBB74943F216EB622CE9722E02613269F626F8A7A5BE8DA683153E9AEE22C40ED7264E8A0ED62A99F477E2B96642596BF |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Brandmurens\Antirevolutionist\Nitrosobacterium\Eliksirens\pan-start-symbolic.symbolic.png
Process: | C:\Users\user\Desktop\SC_TR11670000.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 140 |
Entropy (8bit): | 5.529383944212929 |
Encrypted: | false |
SSDEEP: | 3:yionv//thPl9vt3lAnsrtxBllDM9vFW0p/sXm1MMos9DwlTYTbklt/sbp:6v/lhPysx8vFW0pkX4iZlTYTI3Ebp |
MD5: | 4308BBBAB1DB146494AE5ABB07B8E6DB |
SHA1: | 58121574EEB070E26DDD75A964F3548E176E58A4 |
SHA-256: | EFB732049C674EB25BFCB2FA0CBCC45D24190BF1479C054647F424B31E34C828 |
SHA-512: | 41C9B37516F8D6AB7155F890EE36C26FE4161383A93BFBF696AB18292774C3556642E898361D21CECCBFEFFAF5814495CFAC2C74791E02F068B055BD3AD87DE4 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Fadernes\Amphiaster213\printer-symbolic.symbolic.png
Process: | C:\Users\user\Desktop\SC_TR11670000.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 147 |
Entropy (8bit): | 5.834297280344084 |
Encrypted: | false |
SSDEEP: | 3:yionv//thPl9vt3lAnsrtxBllPhF1MzoQxJrN7djpdXLImeR/mV2kg1p:6v/lhPysx1MzoQxlRZbCRaip |
MD5: | 38D787F55E22FB591135F9250CD259D4 |
SHA1: | 0E135B0E1CA49A6E43DB4CB7596FAEA022E23924 |
SHA-256: | 1ED839B015A67CAB9948469975411D982A96314CE82851EA2F9F6BB8D733A002 |
SHA-512: | 4E21AB54B7110B4CD2EBC0E2CF6DF3F8C7C988495BCCA76949BC3C5EB669A793FCCDA5CB4DDB7B627A21734BD181FE44670757144CC2A007FCB695405F08EC2B |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Lejningerne\AEGISIIIRadeonHelper.dll
Process: | C:\Users\user\Desktop\SC_TR11670000.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 34016 |
Entropy (8bit): | 6.1021284380541925 |
Encrypted: | false |
SSDEEP: | 384:JP7a6wQdSCVWSdoEdXjYmxzfkfIwuWR7UPMEdxsTStsBdMQJK2wKucYkcuhV3:N7a6eiHdFdr7W5UPMgy+OBG2X90uhV3 |
MD5: | 4FC7FC174E80C178225C2509027DF961 |
SHA1: | 9FF62413EC0DD462F5F016EBC804F1D736D24796 |
SHA-256: | 866B31DD39B97DEDAFD0FBD5672639EE91B47AD319C47816B4F6D01BFF93FF8C |
SHA-512: | 29261B9ABC4AF2F51C05B61A37721BC737B411530361A4B48A7BFFAB0F8263EA75BFD51B6E6E94E91E1D02DC442B534C3334B05FD8324E7CF307FA08179A1ED9 |
Malicious: | false |
Antivirus: | |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Lejningerne\Cementblander.Pfe
Process: | C:\Users\user\Desktop\SC_TR11670000.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 40788 |
Entropy (8bit): | 4.589793625224697 |
Encrypted: | false |
SSDEEP: | 768:DUa4mGn6n+kvKNlpCMP7Llxd7kcrTZ7m3Rpck:QDm1+zHTrTZsP |
MD5: | 9B6AD96E03564D53EBE96EA4529819D3 |
SHA1: | 74B86EC24C053C083CF85BC1B9B2A33E5C34FC81 |
SHA-256: | AE83602A47931BA1E9DD2A64C03A314AED410A4C5D100D6A724041C38213CEF2 |
SHA-512: | A913F2421FAD00A885C022380FE1CFF518D9368E439C355A0A90D6AE6548CFB4EDA1A9C35D19FD4CAA2062F9AA94D44BCBF78A6D43D3CC660B9C86235ACFD592 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Lejningerne\Krugerite.Fri
Process: | C:\Users\user\Desktop\SC_TR11670000.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 291871 |
Entropy (8bit): | 6.780687426184548 |
Encrypted: | false |
SSDEEP: | 3072:7YqIuagJ5wYGodW90uakeSjZJgDjhK+jtDTL+pQVrdYM8R4JvUHlFD4gELWSgoJI:uuPko0903YiZxV0QXwjD03LXgALpm |
MD5: | 2A43E2AF179CD9567C670A702490375F |
SHA1: | 55B83DDF870907571F22CA6951C6D335520D9B89 |
SHA-256: | 2C3B071D869AC1DBD120A4F0628D1299016EE8C6338A7A3C1A25DB04E00A82A2 |
SHA-512: | E8EFA4DB3C5669E08C0DCF4E259B9AA04CA3C7977EE4409AF154A6299DC8E31A1C425892E70335274C99BE7B4CA57A1470849E9F8A917EA597EC07848296D299 |
Malicious: | true |
Yara Hits: | |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Lejningerne\LogoCanary.png
Process: | C:\Users\user\Desktop\SC_TR11670000.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 16669 |
Entropy (8bit): | 7.836876926418697 |
Encrypted: | false |
SSDEEP: | 384:dg1Ew+1FT+/6trrKWzge5jh2xmalhctpNy:W1E1c6tru1CUYa4tDy |
MD5: | F80867A421C85C6E2865CF85FF7C4B02 |
SHA1: | C3EAB6B7E92646FE3407B2B3C5AFFE13A7873C48 |
SHA-256: | BCAA3B1333919176137D4DE4B1E3F31126159B12F959D7277BD8537B95139BD3 |
SHA-512: | 06B51E660AEE86FC3BB068C6DEA046920E04F86B8EDD02E640EAC619F0F0D7E87E5CAE5BE1390CEBC5DFE70AA13BAB1710176E88C9D1C859182629D429745D78 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Lejningerne\avatar-default-symbolic.svg
Process: | C:\Users\user\Desktop\SC_TR11670000.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 266 |
Entropy (8bit): | 4.986245244009802 |
Encrypted: | false |
SSDEEP: | 6:tI9mc4slzc8SRIKMNo/aMhFl1OkUjq5eKVrGDVfqKlNK+:t4C8LKMuyMhPobjoprGDRlj |
MD5: | 8B727826F9D8C0C7C954EDE912CB0DEB |
SHA1: | 1518AA80747326B5353C22D32E57A33D61285119 |
SHA-256: | 0783A7F518D3879C8F0F50B45FBD779A98652469E9B7C659CE41F14D1629D334 |
SHA-512: | 0ABB243F9D1E0B6EDA0CB25D35C3449AB2B5B83078208F11B876A27FF11FF70B79F8BA97D4DA3AED21A8314C75FB2174D9378AF59B57DCB99DFF681D9AAB8561 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\SC_TR11670000.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12193 |
Entropy (8bit): | 4.4720152705808935 |
Encrypted: | false |
SSDEEP: | 192:i2PDEeaNB1PmcptkcDHxbTvPnc67bMxQxGx4ch/JuLQRcg/oN96bPNljYiYr197:ikDFKBFmcPLx3HPnIsqrJuqcgAN96b87 |
MD5: | 3C21135144AC7452E7DB66F0214F9D68 |
SHA1: | B1EC0589D769EAB5E4E8F0F8C21B157EF5EBB47D |
SHA-256: | D095879B8BBC67A1C9875C5E9896942BACF730BD76155C06105544408068C59E |
SHA-512: | 0446A0E2570A1F360FD8700FD4C869C7E2DBB9476BBDEC2526A53844074C79691542B91455343C50941B8A6D5E02A58EE6AA539CC4C4AE9CF000B4034EF663E2 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Lejningerne\changes-allow-symbolic.svg
Process: | C:\Users\user\Desktop\SC_TR11670000.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 998 |
Entropy (8bit): | 5.186938379246791 |
Encrypted: | false |
SSDEEP: | 24:t4CBGD0QNRWLLxo2em0yKbRAecFxV0/wXK:gDrc0NtAecFiH |
MD5: | CB1EEE7BDB582B756D0F68EF02D6D96D |
SHA1: | 9E9B0F25BC472EF1C1C13EEAC12FD11C4CC0D2D9 |
SHA-256: | 20EA767E852A8EBF2C5BA16D56CBAE10BD09D6CBA89B372A57EAA973AD3281B4 |
SHA-512: | E22FAEAE78D244A0F4E7215B31125D5AA4FD66C0720B0DE61D12084EAB879D7A9E231CCD5CD431417115B0945B450DC348DA400D67DB1898513B7BD6B9C274DB |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Preconstituent\Uforsonligere\Informationssystemernes\pt-br.txt
Process: | C:\Users\user\Desktop\SC_TR11670000.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 9515 |
Entropy (8bit): | 5.04214621707661 |
Encrypted: | false |
SSDEEP: | 192:icoGT04mzNN8hYivh5gtE/PkjY09fdNQuQ:ibGg4mzNhi4tEHoDfHQuQ |
MD5: | 7B02E1AE16E2E709D7C97DE560B4DBE9 |
SHA1: | 191A54644417F7D36F5CB4182DCDB3737D74BE51 |
SHA-256: | DA0B58F52BBC131F967942D1D8E9DE1B5721AE864BC21852A0AD4062332297CB |
SHA-512: | 4F689F854DB3F766B5E53CE2F19E9F8293C075EE3F9B18098EB05B352F2EC95DF85E49A78540781EB531BCE60C7B1F7890F1FE3C65200DEC3CB908E90FB827A1 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 7.55806590652357 |
TrID: | |
File name: | SC_TR11670000.exe |
File size: | 329416 |
MD5: | 778f9f61191bf812a829edfb93f5b442 |
SHA1: | 20f3e834b759252210d047091bc98c47e7e6ffdd |
SHA256: | 47b5e835d443cde52de78c36998cf1e312d391501226238ea00968139790e32d |
SHA512: | 77e917288d88cbb90bc7e67f423546d766571d926ab3b0f9b0749735b3d4ef48020fc66a861bc15afc131ec8afca55504a2aeb2c604bd1c36b1591e8e0c4242d |
SSDEEP: | 6144:VDkBNYb/zy86tyPhzKpqs1z3WRA8ZbO7Sv4Zbf9CbTqGErmroIbvF:O3gUtuzaq+zwjZbrc4Tqxrmrh9 |
TLSH: | A064F1253AB1C033FD954170CAA5D6F3E229FE48C924C18777A43F6EB9315848549EBB |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.v.F.*.....F...v...F...@...F.Rich..F.........................PE..L...+.oZ.................`......... |
Icon Hash: | 08c2b0d8cc64b046 |
Entrypoint: | 0x4031d6 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x5A6FED2B [Tue Jan 30 03:57:31 2018 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 3abe302b6d9a1256e6a915429af4ffd2 |
Signature Valid: | false |
Signature Issuer: | E=Forureningsraads@Selvbebrejdelser.Bve, OU="nucal bisserups Nigher ", O=Admirer, L=Eastabuchie, S=Mississippi, C=US |
Signature Validation Error: | A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider |
Error Number: | -2146762487 |
Not Before, Not After | |
Subject Chain | |
Version: | 3 |
Thumbprint MD5: | F6FF0FF5CCC259F19FAA81DDC8079502 |
Thumbprint SHA-1: | AC5B272F037D232BD3181F065A062D0D45E91C45 |
Thumbprint SHA-256: | 9D58D97305576E4D1E04A49E8F14AADA686A7693DCBEF30297267F3B724593AD |
Serial: | 421F24E2B8A1818548F8C8D7DBE6D51C18A183FA |
Instruction |
---|
sub esp, 00000184h |
push ebx |
push esi |
push edi |
xor ebx, ebx |
push 00008001h |
mov dword ptr [esp+18h], ebx |
mov dword ptr [esp+10h], 00409198h |
mov dword ptr [esp+20h], ebx |
mov byte ptr [esp+14h], 00000020h |
call dword ptr [004070A0h] |
call dword ptr [0040709Ch] |
and eax, BFFFFFFFh |
cmp ax, 00000006h |
mov dword ptr [0042370Ch], eax |
je 00007FB75D177323h |
push ebx |
call 00007FB75D17A3FAh |
cmp eax, ebx |
je 00007FB75D177319h |
push 00000C00h |
call eax |
mov esi, 00407298h |
push esi |
call 00007FB75D17A376h |
push esi |
call dword ptr [00407098h] |
lea esi, dword ptr [esi+eax+01h] |
cmp byte ptr [esi], bl |
jne 00007FB75D1772FDh |
push 0000000Ah |
call 00007FB75D17A3CEh |
push 00000008h |
call 00007FB75D17A3C7h |
push 00000006h |
mov dword ptr [00423704h], eax |
call 00007FB75D17A3BBh |
cmp eax, ebx |
je 00007FB75D177321h |
push 0000001Eh |
call eax |
test eax, eax |
je 00007FB75D177319h |
or byte ptr [0042370Fh], 00000040h |
push ebp |
call dword ptr [00407044h] |
push ebx |
call dword ptr [00407288h] |
mov dword ptr [004237D8h], eax |
push ebx |
lea eax, dword ptr [esp+38h] |
push 00000160h |
push eax |
push ebx |
push 0041ECC8h |
call dword ptr [00407178h] |
push 00409188h |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7428 | 0xa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x36000 | 0xa3c0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x4fcb8 | 0xa10 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x298 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x5f0d | 0x6000 | False | 0.6649169921875 | data | 6.450520423955375 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x7000 | 0x1248 | 0x1400 | False | 0.4275390625 | data | 5.007650149182371 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x9000 | 0x1a818 | 0x400 | False | 0.6376953125 | data | 5.129587811765307 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.ndata | 0x24000 | 0x12000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x36000 | 0xa3c0 | 0xa400 | False | 0.0760766006097561 | data | 1.8822021165260459 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_BITMAP | 0x36268 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States |
RT_ICON | 0x365d0 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 0 | English | United States |
RT_DIALOG | 0x3fa78 | 0x144 | data | English | United States |
RT_DIALOG | 0x3fbc0 | 0x13c | data | English | United States |
RT_DIALOG | 0x3fd00 | 0x120 | data | English | United States |
RT_DIALOG | 0x3fe20 | 0x11c | data | English | United States |
RT_DIALOG | 0x3ff40 | 0xc4 | data | English | United States |
RT_DIALOG | 0x40008 | 0x60 | data | English | United States |
RT_GROUP_ICON | 0x40068 | 0x14 | data | English | United States |
RT_MANIFEST | 0x40080 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States |
DLL | Import |
---|---|
KERNEL32.dll | GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetCurrentDirectoryA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA |
USER32.dll | ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA |
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA |
ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA |
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy |
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
03/17/23-08:58:50.216236 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49842 | 80 | 192.168.11.20 | 171.22.30.147 |
03/17/23-08:58:50.216236 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49842 | 80 | 192.168.11.20 | 171.22.30.147 |
03/17/23-08:58:50.216236 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49842 | 80 | 192.168.11.20 | 171.22.30.147 |
03/17/23-08:58:50.216236 | TCP | 2825766 | ETPRO TROJAN LokiBot Checkin M2 | 49842 | 80 | 192.168.11.20 | 171.22.30.147 |
03/17/23-08:58:50.216236 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49842 | 80 | 192.168.11.20 | 171.22.30.147 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 17, 2023 08:58:48.597004890 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:48.597106934 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:48.597336054 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:48.617896080 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:48.617924929 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:48.657238007 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:48.657501936 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:48.726515055 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:48.726622105 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:48.727859974 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:48.728156090 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:48.731024981 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:48.772418022 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:48.985445976 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:48.985666037 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:48.985692024 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:48.985740900 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:48.985861063 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:48.985937119 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:48.986161947 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:48.986183882 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:48.986257076 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:48.986341953 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:48.986458063 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:48.986543894 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:48.986618042 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:48.986665964 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:48.986759901 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:48.986830950 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:48.986903906 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:48.986951113 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:48.987122059 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:48.987150908 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:48.987226009 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:48.987456083 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.099929094 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.100255013 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.100286961 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.100368977 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.100435972 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.100577116 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.100610018 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.100723982 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.100778103 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.100805044 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.100919962 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.100919962 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.100965023 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.100991011 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.101126909 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.101172924 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.101329088 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.101355076 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.101459026 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.101485014 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.101614952 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.101630926 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.101658106 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.101748943 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.101748943 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.101783037 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.101898909 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.101922035 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.102080107 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.102103949 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.102260113 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.102288008 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.102408886 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.102432013 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.102459908 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.102556944 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.102605104 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.102629900 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.102653980 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.102792025 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.102818012 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.102973938 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.103008032 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.103034973 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.103125095 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.103169918 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.103192091 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.103395939 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.216362953 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.216634989 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.216645956 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.216674089 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.216805935 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.216805935 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.216847897 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.217000008 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.217021942 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.217061043 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.217171907 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.217191935 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.217246056 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.217272043 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.217370987 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.217392921 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.217451096 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.217533112 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.217645884 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.217864037 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.217883110 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.217907906 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.218069077 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.218074083 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.218096972 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.218262911 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.218287945 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.218442917 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.220417023 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.220565081 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.220565081 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.220639944 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.220788002 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.220788002 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.220819950 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.220845938 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.220875025 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.220901012 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.220995903 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.221075058 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.221358061 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.221530914 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.221532106 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.224143982 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.224354029 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.224402905 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.224509001 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.224546909 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.224546909 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.224591017 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.224616051 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.224692106 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.224692106 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.224787951 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.333076000 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.333340883 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.333414078 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.333575010 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.333657980 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.333724022 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.333724976 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.333724976 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:49.333777905 CET | 443 | 49841 | 188.114.97.3 | 192.168.11.20 |
Mar 17, 2023 08:58:49.333995104 CET | 49841 | 443 | 192.168.11.20 | 188.114.97.3 |
Mar 17, 2023 08:58:50.196197033 CET | 49842 | 80 | 192.168.11.20 | 171.22.30.147 |
Mar 17, 2023 08:58:50.214428902 CET | 80 | 49842 | 171.22.30.147 | 192.168.11.20 |
Mar 17, 2023 08:58:50.214683056 CET | 49842 | 80 | 192.168.11.20 | 171.22.30.147 |
Mar 17, 2023 08:58:50.216236115 CET | 49842 | 80 | 192.168.11.20 | 171.22.30.147 |
Mar 17, 2023 08:58:50.234369040 CET | 80 | 49842 | 171.22.30.147 | 192.168.11.20 |
Mar 17, 2023 08:58:50.234601021 CET | 49842 | 80 | 192.168.11.20 | 171.22.30.147 |
Mar 17, 2023 08:58:50.252654076 CET | 80 | 49842 | 171.22.30.147 | 192.168.11.20 |
Mar 17, 2023 08:58:50.542670965 CET | 80 | 49842 | 171.22.30.147 | 192.168.11.20 |
Mar 17, 2023 08:58:50.542751074 CET | 80 | 49842 | 171.22.30.147 | 192.168.11.20 |
Mar 17, 2023 08:58:50.542913914 CET | 49842 | 80 | 192.168.11.20 | 171.22.30.147 |
Mar 17, 2023 08:58:50.542975903 CET | 49842 | 80 | 192.168.11.20 | 171.22.30.147 |
Mar 17, 2023 08:58:50.560857058 CET | 80 | 49842 | 171.22.30.147 | 192.168.11.20 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 17, 2023 08:58:48.561542988 CET | 54874 | 53 | 192.168.11.20 | 1.1.1.1 |
Mar 17, 2023 08:58:48.591098070 CET | 53 | 54874 | 1.1.1.1 | 192.168.11.20 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Mar 17, 2023 08:58:48.561542988 CET | 192.168.11.20 | 1.1.1.1 | 0xdc9e | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Mar 17, 2023 08:58:48.591098070 CET | 1.1.1.1 | 192.168.11.20 | 0xdc9e | No error (0) | | | 188.114.97.3 | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 08:58:48.591098070 CET | 1.1.1.1 | 192.168.11.20 | 0xdc9e | No error (0) | | | 188.114.96.3 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.11.20 | 49841 | 188.114.97.3 | 443 | C:\Users\user\Desktop\SC_TR11670000.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.11.20 | 49842 | 171.22.30.147 | 80 | C:\Users\user\Desktop\SC_TR11670000.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Mar 17, 2023 08:58:50.216236115 CET | 251 | OUT | |
Mar 17, 2023 08:58:50.234601021 CET | 251 | OUT | |
Mar 17, 2023 08:58:50.542670965 CET | 252 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.11.20 | 49841 | 188.114.97.3 | 443 | C:\Users\user\Desktop\SC_TR11670000.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2023-03-17 07:58:48 UTC | 0 | OUT | |
2023-03-17 07:58:48 UTC | 0 | IN | |
2023-03-17 07:58:48 UTC | 0 | IN | |
2023-03-17 07:58:48 UTC | 1 | IN | |
2023-03-17 07:58:48 UTC | 2 | IN | |
2023-03-17 07:58:48 UTC | 4 | IN | |
2023-03-17 07:58:48 UTC | 5 | IN | |
2023-03-17 07:58:48 UTC | 6 | IN | |
2023-03-17 07:58:48 UTC | 8 | IN | |
2023-03-17 07:58:48 UTC | 9 | IN | |
2023-03-17 07:58:48 UTC | 10 | IN | |
2023-03-17 07:58:48 UTC | 12 | IN | |
2023-03-17 07:58:48 UTC | 13 | IN | |
2023-03-17 07:58:49 UTC | 14 | IN | |
2023-03-17 07:58:49 UTC | 16 | IN | |
2023-03-17 07:58:49 UTC | 17 | IN | |
2023-03-17 07:58:49 UTC | 18 | IN | |
2023-03-17 07:58:49 UTC | 20 | IN | |
2023-03-17 07:58:49 UTC | 21 | IN | |
2023-03-17 07:58:49 UTC | 22 | IN | |
2023-03-17 07:58:49 UTC | 23 | IN | |
2023-03-17 07:58:49 UTC | 24 | IN | |
2023-03-17 07:58:49 UTC | 25 | IN | |
2023-03-17 07:58:49 UTC | 26 | IN | |
2023-03-17 07:58:49 UTC | 27 | IN | |
2023-03-17 07:58:49 UTC | 28 | IN | |
2023-03-17 07:58:49 UTC | 30 | IN | |
2023-03-17 07:58:49 UTC | 30 | IN | |
2023-03-17 07:58:49 UTC | 31 | IN | |
2023-03-17 07:58:49 UTC | 32 | IN | |
2023-03-17 07:58:49 UTC | 34 | IN | |
2023-03-17 07:58:49 UTC | 35 | IN | |
2023-03-17 07:58:49 UTC | 36 | IN | |
2023-03-17 07:58:49 UTC | 37 | IN | |
2023-03-17 07:58:49 UTC | 38 | IN | |
2023-03-17 07:58:49 UTC | 40 | IN | |
2023-03-17 07:58:49 UTC | 41 | IN | |
2023-03-17 07:58:49 UTC | 42 | IN | |
2023-03-17 07:58:49 UTC | 43 | IN | |
2023-03-17 07:58:49 UTC | 44 | IN | |
2023-03-17 07:58:49 UTC | 45 | IN | |
2023-03-17 07:58:49 UTC | 47 | IN | |
2023-03-17 07:58:49 UTC | 48 | IN | |
2023-03-17 07:58:49 UTC | 49 | IN | |
2023-03-17 07:58:49 UTC | 53 | IN | |
2023-03-17 07:58:49 UTC | 57 | IN | |
2023-03-17 07:58:49 UTC | 61 | IN | |
2023-03-17 07:58:49 UTC | 61 | IN | |
2023-03-17 07:58:49 UTC | 62 | IN | |
2023-03-17 07:58:49 UTC | 66 | IN | |
2023-03-17 07:58:49 UTC | 68 | IN | |
2023-03-17 07:58:49 UTC | 72 | IN | |
2023-03-17 07:58:49 UTC | 76 | IN | |
2023-03-17 07:58:49 UTC | 80 | IN | |
2023-03-17 07:58:49 UTC | 85 | IN | |
2023-03-17 07:58:49 UTC | 88 | IN | |
2023-03-17 07:58:49 UTC | 92 | IN | |
2023-03-17 07:58:49 UTC | 96 | IN | |
2023-03-17 07:58:49 UTC | 99 | IN | |
2023-03-17 07:58:49 UTC | 103 | IN | |
Target ID: | 1 |
Start time: | 08:57:13 |
Start date: | 17/03/2023 |
Path: | C:\Users\user\Desktop\SC_TR11670000.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 329416 bytes |
MD5 hash: | 778F9F61191BF812A829EDFB93F5B442 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Target ID: | 4 |
Start time: | 08:58:32 |
Start date: | 17/03/2023 |
Path: | C:\Users\user\Desktop\SC_TR11670000.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 329416 bytes |
MD5 hash: | 778F9F61191BF812A829EDFB93F5B442 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Target ID: | 7 |
Start time: | 08:58:51 |
Start date: | 17/03/2023 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xa20000 |
File size: | 482640 bytes |
MD5 hash: | 40A149513D721F096DDF50C04DA2F01F |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Execution Graph
Execution Coverage: | 19.8% |
Dynamic/Decrypted Code Coverage: | 14.2% |
Signature Coverage: | 22% |
Total number of Nodes: | 1502 |
Total number of Limit Nodes: | 49 |
Graph
Function | Relevance | APIs | Strings | Instructions | Tags | C-Code Quality | Uniqueness Score |
---|---|---|---|---|---|---|---|
004031D6 | 91.4 | 32 | 20 | 366 | string, com, file, COMMON | 86% | -1.00% |
00404A0E | 63.5 | 33 | 3 | 481 | window, memory, COMMON, Crypto | 96% | -1.00% |
| | | | | | 80% | -1.00% |
73EC1A9C | 20.1 | 13 | | 571 | string, library, memory, COMMON, Crypto | 95% | -1.00% |
00405732 | 17.7 | 7 | 3 | 159 | file, string, COMMON | 98% | -1.00% |
004065F6 | 5.4 | 4 | | 382 | COMMON, Crypto | 98% | -1.00% |
| | | | | | 100% | -1.00% |
| | | | | | 84% | -1.00% |
00403798 | 47.5 | 14 | 13 | 215 | string, registry, COMMON | 96% | -1.00% |
00405F8C | 19.4 | 7 | 4 | 199 | string, COMMON | 72% | -1.00% |
00401759 | 17.6 | 5 | 5 | 147 | string, time, COMMON | 61% | -1.00% |
| | | | | | 100% | -1.00% |
00406294 | 10.5 | 3 | 3 | 36 | library, COMMON | 100% | -1.00% |
| | | | | | 94% | -1.00% |
00402003 | 8.8 | 4 | 1 | 73 | library, loader, COMMON | 60% | -1.00% |
| | | | | | 100% | -1.00% |
| | | | | | 94% | -1.00% |
00401C0A | 7.1 | 3 | 1 | 84 | window, time, COMMON | 59% | -1.00% |
004023D6 | 7.1 | 3 | 1 | 64 | registry, string, COMMON | 83% | -1.00% |
| | | | | | 87% | -1.00% |
00405005 | 5.3 | 2 | 1 | 46 | window, COMMON | 89% | -1.00% |
00405E51 | 5.3 | 2 | 1 | 44 | registry, COMMON | 90% | -1.00% |
00405609 | 5.3 | 2 | 1 | 24 | process, COMMON | 100% | -1.00% |
00406A2B | 5.2 | 4 | | 236 | COMMON | 99% | -1.00% |
00406C2C | 5.2 | 4 | | 208 | COMMON | 98% | -1.00% |
00406942 | 5.2 | 4 | | 205 | COMMON | 98% | -1.00% |
00406447 | 5.2 | 4 | | 198 | COMMON | 98% | -1.00% |
00406895 | 5.2 | 4 | | 180 | COMMON | 98% | -1.00% |
004069B3 | 5.2 | 4 | | 170 | COMMON | 98% | -1.00% |
004068FF | 5.2 | 4 | | 168 | COMMON | 98% | -1.00% |
| | | | | | 86% | -1.00% |
73EC29C0 | 3.2 | 2 | | 156 | file, COMMON | 16% | -1.00% |
| | | | | | 84% | -1.00% |
00401389 | 3.0 | 2 | | 43 | window, COMMON | 59% | -1.00% |
00401E2B | 3.0 | 2 | | 25 | COMMON | | -1.00% |
| | | | | | 100% | -1.00% |
00405B03 | 3.0 | 2 | | 16 | file, COMMON | 68% | -1.00% |
00405ADE | 3.0 | 2 | | 13 | COMMON | 100% | -1.00% |
004055D4 | 3.0 | 2 | | 9 | COMMON | 100% | -1.00% |
004025CA | 1.6 | 1 | | 76 | COMMON | 100% | -1.00% |
0040166A | 1.5 | 1 | | 38 | file, COMMON | 70% | -1.00% |
00402688 | 1.5 | 1 | | 28 | COMMON | 40% | -1.00% |
004022FC | 1.5 | 1 | | 26 | COMMON | 100% | -1.00% |
| | | | | | 100% | -1.00% |
00405B7B | 1.5 | 1 | | 22 | file, COMMON | 100% | -1.00% |
00405BAA | 1.5 | 1 | | 22 | file, COMMON | 100% | -1.00% |
73EC28E5 | 1.5 | 1 | | 21 | memory, COMMON | 100% | -1.00% |
00402340 | 1.5 | 1 | | 20 | COMMON | 100% | -1.00% |
| | | | | | 100% | -1.00% |
0040159D | 1.5 | 1 | | 18 | COMMON | 100% | -1.00% |
0040403E | 1.5 | 1 | | 6 | window, COMMON | 100% | -1.00% |
0040318E | 1.5 | 1 | | 6 | COMMON | 100% | -1.00% |
73EC1215 | 1.3 | 1 | | 4 | memory, COMMON | 100% | -1.00% |
004051CF | 54.3 | 36 | | 282 | window, clipboard, memory, COMMON | 96% | -1.00% |
0040449B | 24.8 | 10 | 4 | 274 | string, COMMON | 78% | -1.00% |
| | | | | | 74% | -1.00% |
004026FE | 1.5 | 1 | | 29 | file, COMMON | 39% | -1.00% |
00404174 | 38.7 | 19 | 3 | 202 | window, string, COMMON | 93% | -1.00% |
| | | | | | 90% | -1.00% |
00405BD9 | 21.1 | 10 | 2 | 129 | memory, string, COMMON | 100% | -1.00% |
| | | | | | 100% | -1.00% |
00404070 | 12.1 | 8 | | 68 | COMMON | 100% | -1.00% |
73EC249C | 10.6 | 7 | | 124 | COMMON | 77% | -1.00% |
| | | | | | 100% | -1.00% |
0040495C | 10.5 | 5 | 1 | 48 | window, COMMON | 100% | -1.00% |
| | | | | | 73% | -1.00% |
00402C7C | 10.5 | 5 | 1 | 40 | time, COMMON | 100% | -1.00% |
73EC22B5 | 9.1 | 6 | | 140 | memory, COMMON | 86% | -1.00% |
| | | | | | 37% | -1.00% |
00401D41 | 7.5 | 5 | | 39 | window, COMMON | 100% | -1.00% |
00404852 | 7.1 | 3 | 1 | 84 | string, COMMON | 77% | -1.00% |
004059F0 | 7.0 | 2 | 2 | 46 | string, COMMON | 53% | -1.00% |
00405902 | 7.0 | 3 | 1 | 16 | string, COMMON | 100% | -1.00% |
| | | | | | 84% | -1.00% |
| | | | | | 100% | -1.00% |
00402CFF | 6.0 | 4 | | 33 | COMMON | 100% | -1.00% |
| | | | | | 100% | -1.00% |
00405949 | 5.3 | 2 | 1 | 16 | string, COMMON | 100% | -1.00% |
73EC10E0 | 5.1 | 4 | | 102 | memory, COMMON | 100% | -1.00% |
00405A68 | 5.0 | 4 | | 37 | string, COMMON | 100% | -1.00% |