Edit tour
Windows
Analysis Report
aOHLlvfakv.dll
Overview
General Information
| Sample Name: | aOHLlvfakv.dll |
| Analysis ID: | 828936 |
| MD5: | 362f48619364efe57ecd00f83d1bca62 |
| SHA1: | ae142315393512fe3f3e03dc07aed88428b6e29b |
| SHA256: | a873911592c3ce95d36e009f40bb376f587ad0ba6971a150a2ac10c87a2465f5 |
| Infos: |  |
 | |
Detection
| Score: | 96 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Classification
- System is w10x64native
loaddll64.exe (PID: 9132 cmdline: loaddll64. exe "C:\Us ers\user\D esktop\aOH Llvfakv.dl l" MD5: C676FC0263EDD17D4CE7D644B8F3FCD6) 
conhost.exe (PID: 9020 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68) - cmd.exe (PID: 2940 cmdline:
cmd.exe /C rundll32. exe "C:\Us ers\user\D esktop\aOH Llvfakv.dl l",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) 
rundll32.exe (PID: 4616 cmdline: rundll32.e xe "C:\Use rs\user\De sktop\aOHL lvfakv.dll ",#1 MD5: EF3179D498793BF4234F708D3BE28633) - regsvr32.exe (PID: 7556 cmdline:
C:\Windows \system32\ regsvr32.e xe "C:\Win dows\syste m32\HRYKmu Iti\sEzrCi JYDniwfP.d ll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E) - regsvr32.exe (PID: 3112 cmdline:
regsvr32.e xe /s C:\U sers\user\ Desktop\aO HLlvfakv.d ll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E) - regsvr32.exe (PID: 8668 cmdline:
C:\Windows \system32\ regsvr32.e xe "C:\Win dows\syste m32\YDgQnz osNBGOURNE \pquwSRMRv DBcLA.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E) - rundll32.exe (PID: 4588 cmdline:
rundll32.e xe C:\User s\user\Des ktop\aOHLl vfakv.dll, DllRegiste rServer MD5: EF3179D498793BF4234F708D3BE28633) - regsvr32.exe (PID: 9004 cmdline:
C:\Windows \system32\ regsvr32.e xe "C:\Win dows\syste m32\LwITFj \lcEQL.dll " MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E) - rundll32.exe (PID: 3296 cmdline:
rundll32.e xe C:\User s\user\Des ktop\aOHLl vfakv.dll, __CPPdebug Hook MD5: EF3179D498793BF4234F708D3BE28633)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Emotet | While Emotet historically was a banking malware organized in a botnet, nowadays Emotet is mostly seen as infrastructure as a service for content delivery. For example, since mid 2018 it is used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets.It is always stealing information from victims but what the criminal gang behind it did, was to open up another business channel by selling their infrastructure delivering additional malicious software. From malware analysts it has been classified into epochs depending on command and control, payloads, and delivery solutions which change over time.Emotet had been taken down by authorities in January 2021, though it appears to have sprung back to life in November 2021. |
{"C2 list": ["91.121.146.47:8080", "66.228.32.31:7080", "182.162.143.56:443", "187.63.160.88:80", "167.172.199.165:8080", "164.90.222.65:443", "104.168.155.143:8080", "91.207.28.33:8080", "72.15.201.15:8080", "183.111.227.137:8080", "103.132.242.26:8080", "159.65.88.10:8080", "173.212.193.249:8080", "82.223.21.224:8080", "172.105.226.75:8080", "103.43.75.120:443", "167.172.253.162:8080", "1.234.2.232:8080", "159.89.202.34:443", "186.194.240.217:443", "185.4.135.165:8080", "139.59.126.41:443", "164.68.99.3:8080", "95.217.221.146:8080", "129.232.188.93:443", "45.176.232.124:443", "163.44.196.120:8080", "79.137.35.198:8080", "153.92.5.27:8080", "160.16.142.56:8080", "202.129.205.3:8080", "201.94.166.162:443", "119.59.103.152:8080", "153.126.146.25:7080", "188.44.20.25:443", "115.68.227.76:8080", "147.139.166.154:8080", "149.56.131.28:8080", "107.170.39.149:8080", "213.239.212.5:443", "197.242.150.244:8080", "206.189.28.199:8080", "5.135.159.50:443", "169.57.156.166:8080", "103.75.201.2:443", "110.232.117.186:8080", "94.23.45.86:4143", "45.235.8.30:8080", "101.50.0.91:8080"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5LpP78wADAJA=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2VJJV8wAlAJA="]}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| Click to see the 4 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| Click to see the 3 entries | ||||
| Timestamp: | 192.168.11.2091.121.146.474979380802404344 03/17/23-17:41:58.374772 |
| SID: | 2404344 |
| Source Port: | 49793 |
| Destination Port: | 8080 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.11.20182.162.143.56497994432404312 03/17/23-17:42:13.021219 |
| SID: | 2404312 |
| Source Port: | 49799 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.11.20167.172.199.1654980880802404308 03/17/23-17:42:27.268480 |
| SID: | 2404308 |
| Source Port: | 49808 |
| Destination Port: | 8080 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.11.20164.90.222.65498104432404308 03/17/23-17:42:33.407520 |
| SID: | 2404308 |
| Source Port: | 49810 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.11.20104.168.155.1434981180802404302 03/17/23-17:42:37.517558 |
| SID: | 2404302 |
| Source Port: | 49811 |
| Destination Port: | 8080 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.11.2066.228.32.314979570802404330 03/17/23-17:42:05.273202 |
| SID: | 2404330 |
| Source Port: | 49795 |
| Destination Port: | 7080 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
AV Detection |   |
|---|
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 3_2_004040E5 | |
| Source: | Code function: | 3_2_004088B7 | |
| Source: | Code function: | 3_2_004088B9 | |
| Source: | Code function: | 3_2_004111FA | |
| Source: | Code function: | 3_2_004082D0 | |
| Source: | Code function: | 3_2_00410D65 | |
| Source: | Code function: | 3_2_00420D70 | |
| Source: | Code function: | 3_2_004086C2 | |
| Source: | Code function: | 3_2_004086C4 | |
| Source: | Code function: | 3_2_004086C6 | |
| Source: | Code function: | 3_2_004086DC | |
| Source: | Code function: | 3_2_004086DE | |
| Source: | Code function: | 3_2_004086E0 | |
| Source: | Code function: | 3_2_00408704 | |
| Source: | Code function: | 4_2_004040E5 | |
| Source: | Code function: | 4_2_004088B7 | |
| Source: | Code function: | 4_2_004088B9 | |
| Source: | Code function: | 4_2_004111FA | |
| Source: | Code function: | 4_2_004082D0 | |
| Source: | Code function: | 4_2_00410D65 | |
| Source: | Code function: | 4_2_00420D70 | |
| Source: | Code function: | 4_2_004086C2 | |
| Source: | Code function: | 4_2_004086C4 | |
| Source: | Code function: | 4_2_004086C6 | |
| Source: | Code function: | 4_2_004086DC | |
| Source: | Code function: | 4_2_004086DE | |
| Source: | Code function: | 4_2_004086E0 | |
| Source: | Code function: | 4_2_00408704 | |
Networking | |
|---|
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | HTTP traffic detected: | ||
| Source: | IP Address: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
E-Banking Fraud | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File deleted: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Code function: | 3_2_00401730 | |
| Source: | Code function: | 3_2_0041D100 | |
| Source: | Code function: | 3_2_0042E190 | |
| Source: | Code function: | 3_2_004161A0 | |
| Source: | Code function: | 3_2_0041F200 | |
| Source: | Code function: | 3_2_00414AC0 | |
| Source: | Code function: | 3_2_004172F0 | |
| Source: | Code function: | 3_2_00440BD0 | |
| Source: | Code function: | 3_2_0040A387 | |
| Source: | Code function: | 3_2_00441BA0 | |
| Source: | Code function: | 3_2_00424C40 | |
| Source: | Code function: | 3_2_00414420 | |
| Source: | Code function: | 3_2_004165D0 | |
| Source: | Code function: | 3_2_004186C7 | |
| Source: | Code function: | 3_2_004186C9 | |
| Source: | Code function: | 3_2_004186ED | |
| Source: | Code function: | 3_2_004186FB | |
| Source: | Code function: | 3_2_004186FD | |
| Source: | Code function: | 3_2_004186FF | |
| Source: | Code function: | 3_2_0041869B | |
| Source: | Code function: | 3_2_0041869D | |
| Source: | Code function: | 3_2_0041869F | |
| Source: | Code function: | 3_2_004186A1 | |
| Source: | Code function: | 3_2_00439760 | |
| Source: | Code function: | 3_2_00418701 | |
| Source: | Code function: | 3_2_00418703 | |
| Source: | Code function: | 3_2_00418705 | |
| Source: | Code function: | 3_2_01360000 | |
| Source: | Code function: | 3_2_000000018001A000 | |
| Source: | Code function: | 3_2_000000018000CC14 | |
| Source: | Code function: | 3_2_000000018001709C | |
| Source: | Code function: | 3_2_0000000180007D6C | |
| Source: | Code function: | 3_2_000000018000263C | |
| Source: | Code function: | 3_2_0000000180018FC8 | |
| Source: | Code function: | 3_2_0000000180008BC8 | |
| Source: | Code function: | 3_2_00000001800227EC | |
| Source: | Code function: | 3_2_000000018000A7F0 | |
| Source: | Code function: | 3_2_0000000180001000 | |
| Source: | Code function: | 3_2_0000000180009408 | |
| Source: | Code function: | 3_2_0000000180007C08 | |
| Source: | Code function: | 3_2_000000018002181C | |
| Source: | Code function: | 3_2_0000000180011030 | |
| Source: | Code function: | 3_2_000000018001EC30 | |
| Source: | Code function: | 3_2_000000018000B83C | |
| Source: | Code function: | 3_2_0000000180007840 | |
| Source: | Code function: | 3_2_000000018001C44C | |
| Source: | Code function: | 3_2_0000000180025450 | |
| Source: | Code function: | 3_2_000000018001C058 | |
| Source: | Code function: | 3_2_000000018001B460 | |
| Source: | Code function: | 3_2_0000000180016C70 | |
| Source: | Code function: | 3_2_000000018000D474 | |
| Source: | Code function: | 3_2_0000000180002C78 | |
| Source: | Code function: | 3_2_000000018000C078 | |
| Source: | Code function: | 3_2_000000018000B07C | |
| Source: | Code function: | 3_2_0000000180015880 | |
| Source: | Code function: | 3_2_000000018001CC84 | |
| Source: | Code function: | 3_2_0000000180004C84 | |
| Source: | Code function: | 3_2_000000018000AC94 | |
| Source: | Code function: | 3_2_00000001800098AC | |
| Source: | Code function: | 3_2_000000018001A8B0 | |
| Source: | Code function: | 3_2_000000018000DCB8 | |
| Source: | Code function: | 3_2_00000001800294BC | |
| Source: | Code function: | 3_2_0000000180015CC4 | |
| Source: | Code function: | 3_2_000000018000F8C4 | |
| Source: | Code function: | 3_2_00000001800108CC | |
| Source: | Code function: | 3_2_00000001800080CC | |
| Source: | Code function: | 3_2_0000000180013CD4 | |
| Source: | Code function: | 3_2_00000001800014D4 | |
| Source: | Code function: | 3_2_00000001800018DC | |
| Source: | Code function: | 3_2_00000001800120E0 | |
| Source: | Code function: | 3_2_0000000180003CF4 | |
| Source: | Code function: | 3_2_00000001800090F8 | |
| Source: | Code function: | 3_2_00000001800048FC | |
| Source: | Code function: | 3_2_0000000180028500 | |
| Source: | Code function: | 3_2_000000018001610C | |
| Source: | Code function: | 3_2_0000000180029910 | |
| Source: | Code function: | 3_2_0000000180017518 | |
| Source: | Code function: | 3_2_0000000180014D20 | |
| Source: | Code function: | 3_2_0000000180011924 | |
| Source: | Code function: | 3_2_000000018001AD28 | |
| Source: | Code function: | 3_2_000000018001B130 | |
| Source: | Code function: | 3_2_0000000180007530 | |
| Source: | Code function: | 3_2_0000000180006138 | |
| Source: | Code function: | 3_2_000000018001BDA0 | |
| Source: | Code function: | 3_2_00000001800095BC | |
| Source: | Code function: | 3_2_00000001800115C8 | |
| Source: | Code function: | 3_2_000000018001D5F0 | |
| Source: | Code function: | 3_2_0000000180028A00 | |
| Source: | Code function: | 3_2_0000000180015A00 | |
| Source: | Code function: | 3_2_0000000180018E08 | |
| Source: | Code function: | 3_2_000000018001020C | |
| Source: | Code function: | 3_2_0000000180003E0C | |
| Source: | Code function: | 3_2_0000000180004214 | |
| Source: | Code function: | 3_2_000000018000461C | |
| Source: | Code function: | 3_2_0000000180018A2C | |
| Source: | Code function: | 3_2_0000000180010E2C | |
| Source: | Code function: | 3_2_000000018001662C | |
| Source: | Code function: | 3_2_000000018000BA2C | |
| Source: | Code function: | 3_2_000000018001A244 | |
| Source: | Code function: | 3_2_000000018000B258 | |
| Source: | Code function: | 3_2_000000018000F65C | |
| Source: | Code function: | 3_2_000000018000A660 | |
| Source: | Code function: | 3_2_0000000180010A70 | |
| Source: | Code function: | 3_2_0000000180003274 | |
| Source: | Code function: | 3_2_0000000180024E8C | |
| Source: | Code function: | 3_2_0000000180008A8C | |
| Source: | Code function: | 3_2_0000000180014A90 | |
| Source: | Code function: | 3_2_000000018000BE90 | |
| Source: | Code function: | 3_2_000000018000AAB8 | |
| Source: | Code function: | 3_2_0000000180004EB8 | |
| Source: | Code function: | 3_2_000000018001A6BC | |
| Source: | Code function: | 3_2_0000000180003ABC | |
| Source: | Code function: | 3_2_000000018001EAC0 | |
| Source: | Code function: | 3_2_000000018000D6CC | |
| Source: | Code function: | 3_2_00000001800196D4 | |
| Source: | Code function: | 3_2_00000001800092F0 | |
| Source: | Code function: | 3_2_000000018001E310 | |
| Source: | Code function: | 3_2_0000000180013B14 | |
| Source: | Code function: | 3_2_000000018000EF14 | |
| Source: | Code function: | 3_2_0000000180014F18 | |
| Source: | Code function: | 3_2_000000018000D33C | |
| Source: | Code function: | 3_2_000000018001E750 | |
| Source: | Code function: | 3_2_0000000180004758 | |
| Source: | Code function: | 3_2_000000018000975C | |
| Source: | Code function: | 3_2_000000018001D770 | |
| Source: | Code function: | 3_2_000000018001CF70 | |
| Source: | Code function: | 3_2_0000000180008378 | |
| Source: | Code function: | 3_2_000000018000F77C | |
| Source: | Code function: | 3_2_0000000180015384 | |
| Source: | Code function: | 3_2_0000000180001B94 | |
| Source: | Code function: | 3_2_000000018000DBA0 | |
| Source: | Code function: | 3_2_0000000180008FB0 | |
| Source: | Code function: | 3_2_0000000180018BB8 | |
| Source: | Code function: | 3_2_000000018000FFB8 | |
| Source: | Code function: | 3_2_00000001800197CC | |
| Source: | Code function: | 3_2_0000000180013FD0 | |
| Source: | Code function: | 3_2_0000000180002FD4 | |
| Source: | Code function: | 3_2_00000001800033D4 | |
| Source: | Code function: | 4_2_00401730 | |
| Source: | Code function: | 4_2_0041D100 | |
| Source: | Code function: | 4_2_0042E190 | |
| Source: | Code function: | 4_2_004161A0 | |
| Source: | Code function: | 4_2_0041F200 | |
| Source: | Code function: | 4_2_00414AC0 | |
| Source: | Code function: | 4_2_004172F0 | |
| Source: | Code function: | 4_2_00440BD0 | |
| Source: | Code function: | 4_2_0040A387 | |
| Source: | Code function: | 4_2_00441BA0 | |
| Source: | Code function: | 4_2_00424C40 | |
| Source: | Code function: | 4_2_00414420 | |
| Source: | Code function: | 4_2_004165D0 | |
| Source: | Code function: | 4_2_004186C7 | |
| Source: | Code function: | 4_2_004186C9 | |
| Source: | Code function: | 4_2_004186ED | |
| Source: | Code function: | 4_2_004186FB | |
| Source: | Code function: | 4_2_004186FD | |
| Source: | Code function: | 4_2_004186FF | |
| Source: | Code function: | 4_2_0041869B | |
| Source: | Code function: | 4_2_0041869D | |
| Source: | Code function: | 4_2_0041869F | |
| Source: | Code function: | 4_2_004186A1 | |
| Source: | Code function: | 4_2_00439760 | |
| Source: | Code function: | 4_2_00418701 | |
| Source: | Code function: | 4_2_00418703 | |
| Source: | Code function: | 4_2_00418705 | |
| Source: | Code function: | 4_2_000000018001A000 | |
| Source: | Code function: | 4_2_000000018001709C | |
| Source: | Code function: | 4_2_0000000180008BC8 | |
| Source: | Code function: | 4_2_000000018000CC14 | |
| Source: | Code function: | 4_2_0000000180007D6C | |
| Source: | Code function: | 4_2_000000018000263C | |
| Source: | Code function: | 4_2_0000000180018FC8 | |
| Source: | Code function: | 4_2_00000001800227EC | |
| Source: | Code function: | 4_2_000000018000A7F0 | |
| Source: | Code function: | 4_2_0000000180001000 | |
| Source: | Code function: | 4_2_000000018002181C | |
| Source: | Code function: | 4_2_0000000180011030 | |
| Source: | Code function: | 4_2_000000018000B83C | |
| Source: | Code function: | 4_2_0000000180007840 | |
| Source: | Code function: | 4_2_000000018001C058 | |
| Source: | Code function: | 4_2_000000018000C078 | |
| Source: | Code function: | 4_2_000000018000B07C | |
| Source: | Code function: | 4_2_0000000180015880 | |
| Source: | Code function: | 4_2_00000001800098AC | |
| Source: | Code function: | 4_2_000000018001A8B0 | |
| Source: | Code function: | 4_2_000000018000F8C4 | |
| Source: | Code function: | 4_2_00000001800108CC | |
| Source: | Code function: | 4_2_00000001800080CC | |
| Source: | Code function: | 4_2_00000001800018DC | |
| Source: | Code function: | 4_2_00000001800120E0 | |
| Source: | Code function: | 4_2_00000001800090F8 | |
| Source: | Code function: | 4_2_00000001800048FC | |
| Source: | Code function: | 4_2_000000018001610C | |
| Source: | Code function: | 4_2_0000000180029910 | |
| Source: | Code function: | 4_2_0000000180011924 | |
| Source: | Code function: | 4_2_000000018001B130 | |
| Source: | Code function: | 4_2_0000000180006138 | |
| Source: | Code function: | 4_2_0000000180028A00 | |
| Source: | Code function: | 4_2_0000000180015A00 | |
| Source: | Code function: | 4_2_000000018001020C | |
| Source: | Code function: | 4_2_0000000180004214 | |
| Source: | Code function: | 4_2_0000000180018A2C | |
| Source: | Code function: | 4_2_000000018000BA2C | |
| Source: | Code function: | 4_2_000000018001A244 | |
| Source: | Code function: | 4_2_000000018000B258 | |
| Source: | Code function: | 4_2_0000000180010A70 | |
| Source: | Code function: | 4_2_0000000180003274 | |
| Source: | Code function: | 4_2_0000000180008A8C | |
| Source: | Code function: | 4_2_0000000180014A90 | |
| Source: | Code function: | 4_2_000000018000AAB8 | |
| Source: | Code function: | 4_2_0000000180003ABC | |
| Source: | Code function: | 4_2_000000018001EAC0 | |
| Source: | Code function: | 4_2_00000001800092F0 | |
| Source: | Code function: | 4_2_000000018001E310 | |
| Source: | Code function: | 4_2_0000000180013B14 | |
| Source: | Code function: | 4_2_000000018000D33C | |
| Source: | Code function: | 4_2_0000000180008378 | |
| Source: | Code function: | 4_2_0000000180015384 | |
| Source: | Code function: | 4_2_0000000180001B94 | |
| Source: | Code function: | 4_2_000000018000DBA0 | |
| Source: | Code function: | 4_2_0000000180018BB8 | |
| Source: | Code function: | 4_2_00000001800033D4 | |
| Source: | Code function: | 4_2_0000000180009408 | |
| Source: | Code function: | 4_2_0000000180007C08 | |
| Source: | Code function: | 4_2_000000018001EC30 | |
| Source: | Code function: | 4_2_000000018001C44C | |
| Source: | Code function: | 4_2_0000000180025450 | |
| Source: | Code function: | 4_2_000000018001B460 | |
| Source: | Code function: | 4_2_0000000180016C70 | |
| Source: | Code function: | 4_2_000000018000D474 | |
| Source: | Code function: | 4_2_0000000180002C78 | |
| Source: | Code function: | 4_2_000000018001CC84 | |
| Source: | Code function: | 4_2_0000000180004C84 | |
| Source: | Code function: | 4_2_000000018000AC94 | |
| Source: | Code function: | 4_2_000000018000DCB8 | |
| Source: | Code function: | 4_2_00000001800294BC | |
| Source: | Code function: | 4_2_0000000180015CC4 | |
| Source: | Code function: | 4_2_0000000180013CD4 | |
| Source: | Code function: | 4_2_00000001800014D4 | |
| Source: | Code function: | 4_2_0000000180003CF4 | |
| Source: | Code function: | 4_2_0000000180028500 | |
| Source: | Code function: | 4_2_0000000180017518 | |
| Source: | Code function: | 4_2_0000000180014D20 | |
| Source: | Code function: | 4_2_000000018001AD28 | |
| Source: | Code function: | 4_2_0000000180007530 | |
| Source: | Code function: | 4_2_000000018001BDA0 | |
| Source: | Code function: | 4_2_00000001800095BC | |
| Source: | Code function: | 4_2_00000001800115C8 | |
| Source: | Code function: | 4_2_000000018001D5F0 | |
| Source: | Code function: | 4_2_0000000180018E08 | |
| Source: | Code function: | 4_2_0000000180003E0C | |
| Source: | Code function: | 4_2_000000018000461C | |
| Source: | Code function: | 4_2_0000000180010E2C | |
| Source: | Code function: | 4_2_000000018001662C | |
| Source: | Code function: | 4_2_000000018000F65C | |
| Source: | Code function: | 4_2_000000018000A660 | |
| Source: | Code function: | 4_2_0000000180024E8C | |
| Source: | Code function: | 4_2_000000018000BE90 | |
| Source: | Code function: | 4_2_0000000180004EB8 | |
| Source: | Code function: | 4_2_000000018001A6BC | |
| Source: | Code function: | 4_2_000000018000D6CC | |
| Source: | Code function: | 4_2_00000001800196D4 | |
| Source: | Code function: | 4_2_000000018000EF14 | |
| Source: | Code function: | 4_2_0000000180014F18 | |
| Source: | Code function: | 4_2_000000018001E750 | |
| Source: | Code function: | 4_2_0000000180004758 | |
| Source: | Code function: | 4_2_000000018000975C | |
| Source: | Code function: | 4_2_000000018001D770 | |
| Source: | Code function: | 4_2_000000018001CF70 | |
| Source: | Code function: | 4_2_000000018000F77C | |
| Source: | Code function: | 4_2_0000000180008FB0 | |
| Source: | Code function: | 4_2_000000018000FFB8 | |
| Source: | Code function: | 4_2_00000001800197CC | |
| Source: | Code function: | 4_2_0000000180013FD0 | |
| Source: | Code function: | 4_2_0000000180002FD4 | |
| Source: | Code function: | 4_2_000001B9186F0000 | |
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Classification label: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Code function: | 3_2_0000000180008BC8 | |
| Source: | Process created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Window detected: | ||
| Source: | Static file information: | ||
| Source: | Code function: | 3_2_0000000180006CAA | |
| Source: | Code function: | 3_2_00000001800180D8 | |
| Source: | Code function: | 3_2_0000000180006CDF | |
| Source: | Code function: | 3_2_000000018000A0FD | |
| Source: | Code function: | 3_2_0000000180017D2A | |
| Source: | Code function: | 3_2_0000000180017D3D | |
| Source: | Code function: | 3_2_0000000180017D4F | |
| Source: | Code function: | 3_2_0000000180009D5A | |
| Source: | Code function: | 3_2_0000000180018158 | |
| Source: | Code function: | 3_2_000000018001798F | |
| Source: | Code function: | 3_2_000000018000A1D3 | |
| Source: | Code function: | 3_2_000000018000A26F | |
| Source: | Code function: | 3_2_0000000180009E8E | |
| Source: | Code function: | 3_2_0000000180017EBC | |
| Source: | Code function: | 3_2_000000018001C732 | |
| Source: | Code function: | 4_2_00000001800180D8 | |
| Source: | Code function: | 4_2_000000018000A0FD | |
| Source: | Code function: | 4_2_0000000180018158 | |
| Source: | Code function: | 4_2_000000018001798F | |
| Source: | Code function: | 4_2_000000018000A1D3 | |
| Source: | Code function: | 4_2_000000018000A26F | |
| Source: | Code function: | 4_2_0000000180006CAA | |
| Source: | Code function: | 4_2_0000000180006CDF | |
| Source: | Code function: | 4_2_0000000180017D2A | |
| Source: | Code function: | 4_2_0000000180017D3D | |
| Source: | Code function: | 4_2_0000000180017D4F | |
| Source: | Code function: | 4_2_0000000180009D5A | |
| Source: | Code function: | 4_2_0000000180009E8E | |
| Source: | Code function: | 4_2_0000000180017EBC | |
| Source: | Code function: | 4_2_000000018001C732 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 3_2_00401C80 | |
| Source: | Process created: | ||
| Source: | PE file moved: | Jump to behavior | ||
Hooking and other Techniques for Hiding and Protection | |
|---|
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Last function: | ||
| Source: | API coverage: | ||
| Source: | API coverage: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | API call chain: | graph_3-30019 | ||
| Source: | API call chain: | graph_4-30021 | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 3_2_00401C80 | |
| Source: | Code function: | 3_2_00448C90 | |
| Source: | Process queried: | Jump to behavior | ||
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 3_2_0043F160 | |
| Source: | Code function: | 3_2_00440BD0 | |
| Source: | Code function: | 3_2_00441BA0 | |
| Source: | Code function: | 3_2_0043FC60 | |
| Source: | Code function: | 3_2_0043FDE0 | |
| Source: | Code function: | 3_2_00440610 | |
| Source: | Code function: | 4_2_0043F160 | |
| Source: | Code function: | 4_2_00440BD0 | |
| Source: | Code function: | 4_2_00441BA0 | |
| Source: | Code function: | 4_2_0043FC60 | |
| Source: | Code function: | 4_2_0043FDE0 | |
| Source: | Code function: | 4_2_00440610 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Code function: | 3_2_00446AA0 | |
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | 1 Native API | 1 DLL Side-Loading | 111 Process Injection | 2 Masquerading | OS Credential Dumping | 21 Security Software Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 11 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 2 Virtualization/Sandbox Evasion | LSASS Memory | 2 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 111 Process Injection | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Deobfuscate/Decode Files or Information | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 12 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Hidden Files and Directories | LSA Secrets | 24 System Information Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | 3 Obfuscated Files or Information | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Regsvr32 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 Rundll32 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
| Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction | |
| Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | 1 File Deletion | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 54% | Virustotal | Browse | ||
| 28% | ReversingLabs | Win64.Trojan.Emotetcrypt |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 110.232.117.186 | unknown | Australia | 56038 | RACKCORP-APRackCorpAU | true | |
| 103.132.242.26 | unknown | India | 45117 | INPL-IN-APIshansNetworkIN | true | |
| 104.168.155.143 | unknown | United States | 54290 | HOSTWINDSUS | true | |
| 79.137.35.198 | unknown | France | 16276 | OVHFR | true | |
| 115.68.227.76 | unknown | Korea Republic of | 38700 | SMILESERV-AS-KRSMILESERVKR | true | |
| 163.44.196.120 | unknown | Singapore | 135161 | GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG | true | |
| 206.189.28.199 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true | |
| 107.170.39.149 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true | |
| 66.228.32.31 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true | |
| 185.4.135.165 | unknown | Greece | 199246 | TOPHOSTGR | true | |
| 197.242.150.244 | unknown | South Africa | 37611 | AfrihostZA | true | |
| 183.111.227.137 | unknown | Korea Republic of | 4766 | KIXS-AS-KRKoreaTelecomKR | true | |
| 45.176.232.124 | unknown | Colombia | 267869 | CABLEYTELECOMUNICACIONESDECOLOMBIASASCABLETELCOC | true | |
| 169.57.156.166 | unknown | United States | 36351 | SOFTLAYERUS | true | |
| 164.68.99.3 | unknown | Germany | 51167 | CONTABODE | true | |
| 139.59.126.41 | unknown | Singapore | 14061 | DIGITALOCEAN-ASNUS | true | |
| 167.172.253.162 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true | |
| 167.172.199.165 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true | |
| 202.129.205.3 | unknown | Thailand | 45328 | NIPA-AS-THNIPATECHNOLOGYCOLTDTH | true | |
| 147.139.166.154 | unknown | United States | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | true | |
| 153.92.5.27 | unknown | Germany | 47583 | AS-HOSTINGERLT | true | |
| 159.65.88.10 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true | |
| 172.105.226.75 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true | |
| 101.50.0.91 | unknown | Indonesia | 55688 | BEON-AS-IDPTBeonIntermediaID | true | |
| 164.90.222.65 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true | |
| 213.239.212.5 | unknown | Germany | 24940 | HETZNER-ASDE | true | |
| 5.135.159.50 | unknown | France | 16276 | OVHFR | true | |
| 186.194.240.217 | unknown | Brazil | 262733 | NetceteraTelecomunicacoesLtdaBR | true | |
| 119.59.103.152 | unknown | Thailand | 56067 | METRABYTE-TH453LadplacoutJorakhaebuaTH | true | |
| 159.89.202.34 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true | |
| 91.121.146.47 | unknown | France | 16276 | OVHFR | true | |
| 160.16.142.56 | unknown | Japan | 9370 | SAKURA-BSAKURAInternetIncJP | true | |
| 201.94.166.162 | unknown | Brazil | 28573 | CLAROSABR | true | |
| 91.207.28.33 | unknown | Kyrgyzstan | 39819 | PROHOSTKG | true | |
| 103.75.201.2 | unknown | Thailand | 133496 | CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH | true | |
| 103.43.75.120 | unknown | Japan | 20473 | AS-CHOOPAUS | true | |
| 188.44.20.25 | unknown | Macedonia | 57374 | GIV-ASMK | true | |
| 45.235.8.30 | unknown | Brazil | 267405 | WIKINETTELECOMUNICACOESBR | true | |
| 153.126.146.25 | unknown | Japan | 7684 | SAKURA-ASAKURAInternetIncJP | true | |
| 72.15.201.15 | unknown | United States | 13649 | ASN-VINSUS | true | |
| 187.63.160.88 | unknown | Brazil | 28169 | BITCOMPROVEDORDESERVICOSDEINTERNETLTDABR | true | |
| 173.212.193.249 | unknown | Germany | 51167 | CONTABODE | true | |
| 82.223.21.224 | unknown | Spain | 8560 | ONEANDONE-ASBrauerstrasse48DE | true | |
| 95.217.221.146 | unknown | Germany | 24940 | HETZNER-ASDE | true | |
| 149.56.131.28 | unknown | Canada | 16276 | OVHFR | true | |
| 182.162.143.56 | unknown | Korea Republic of | 3786 | LGDACOMLGDACOMCorporationKR | true | |
| 1.234.2.232 | unknown | Korea Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | true | |
| 129.232.188.93 | unknown | South Africa | 37153 | xneeloZA | true | |
| 94.23.45.86 | unknown | France | 16276 | OVHFR | true |
| Joe Sandbox Version: | 37.0.0 Beryl |
| Analysis ID: | 828936 |
| Start date and time: | 2023-03-17 17:36:40 +01:00 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 14m 38s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301 |
| Number of analysed new started processes analysed: | 21 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample file name: | aOHLlvfakv.dll |
| Detection: | MAL |
| Classification: | mal96.troj.evad.winDLL@18/2@0/49 |
| EGA Information: |
|
| HDC Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 8.248.139.254, 8.248.135.254, 8.248.117.254, 8.253.204.249, 67.26.137.254
- Excluded domains from analysis (whitelisted): wdcpalt.microsoft.com, fg.download.windowsupdate.com.c.footprint.net, fs.microsoft.com, login.live.com, ctldl.windowsupdate.com, wdcp.microsoft.com, wu-bg-shim.trafficmanager.net
- Not all processes where analyzed, report is missing behavior information
- Report creation exceeded maximum time and may have missing disassembly code information.
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
| Time | Type | Description |
|---|---|---|
| 17:42:00 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 110.232.117.186 | Get hash | malicious | Emotet | Browse | ||
| Get hash | malicious | Emotet | Browse | |||
| Get hash | malicious | Emotet | Browse | |||
| Get hash | malicious | Emotet | Browse | |||
| Get hash | malicious | Emotet | Browse | |||
| Get hash | malicious | Emotet | Browse | |||
| Get hash | malicious | Emotet | Browse | |||
| Get hash | malicious | Emotet | Browse | |||
| Get hash | malicious | Emotet | Browse | |||
| Get hash | malicious | Emotet | Browse | |||
| Get hash | malicious | Emotet | Browse | |||
| Get hash | malicious | Emotet | Browse | |||
| Get hash | malicious | Emotet | Browse | |||
| Get hash | malicious | Emotet | Browse | |||
| Get hash | malicious | Emotet | Browse | |||
| Get hash | malicious | Emotet | Browse | |||
| Get hash | malicious | Emotet | Browse | |||
| Get hash | malicious | Emotet | Browse | |||
| Get hash | malicious | Emotet | Browse | |||
| Get hash | malicious | Emotet | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| RACKCORP-APRackCorpAU | Get hash | malicious | Emotet | Browse |
| |
| Get hash | malicious | Emotet | Browse |
| ||
| Get hash | malicious | Emotet | Browse |
| ||
| Get hash | malicious | Emotet | Browse |
| ||
| Get hash | malicious | Emotet | Browse |
| ||
| Get hash | malicious | Emotet | Browse |
| ||
| Get hash | malicious | Emotet | Browse |
| ||
| Get hash | malicious | Emotet | Browse |
| ||
| Get hash | malicious | Emotet | Browse |
| ||
| Get hash | malicious | Emotet | Browse |
| ||
| Get hash | malicious | Emotet | Browse |
| ||
| Get hash | malicious | Emotet | Browse |
| ||
| Get hash | malicious | Emotet | Browse |
| ||
| Get hash | malicious | Emotet | Browse |
| ||
| Get hash | malicious | Emotet | Browse |
| ||
| Get hash | malicious | Emotet | Browse |
| ||
| Get hash | malicious | Emotet | Browse |
| ||
| Get hash | malicious | Emotet | Browse |
| ||
| Get hash | malicious | Emotet | Browse |
| ||
| Get hash | malicious | Emotet | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 72a589da586844d7f0818ce684948eea | Get hash | malicious | Emotet | Browse |
| |
| Get hash | malicious | Emotet | Browse |
| ||
| Get hash | malicious | Emotet | Browse |
| ||
| Get hash | malicious | Trickbot | Browse |
| ||
| Get hash | malicious | Trickbot | Browse |
| ||
| Get hash | malicious | Trickbot | Browse |
| ||
| Get hash | malicious | Trickbot | Browse |
| ||
| Get hash | malicious | Trickbot | Browse |
| ||
| Get hash | malicious | Trickbot | Browse |
| ||
| Get hash | malicious | Trickbot | Browse |
| ||
| Get hash | malicious | TrickBot | Browse |
| ||
| Get hash | malicious | TrickBot | Browse |
| ||
| Get hash | malicious | TrickBot | Browse |
| ||
| Get hash | malicious | TrickBot | Browse |
| ||
| Get hash | malicious | TrickBot | Browse |
| ||
| Get hash | malicious | TrickBot | Browse |
| ||
| Get hash | malicious | TrickBot | Browse |
| ||
| Get hash | malicious | TrickBot | Browse |
| ||
| Get hash | malicious | TrickBot | Browse |
| ||
| Get hash | malicious | TrickBot | Browse |
|
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 
Download File
| Process: | C:\Windows\System32\regsvr32.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 62582 |
| Entropy (8bit): | 7.996063107774368 |
| Encrypted: | true |
| SSDEEP: | 1536:Jk3XPi43VgGp0gB2itudTSRAn/TWTdWftu:CHa43V5p022iZ4CgA |
| MD5: | E71C8443AE0BC2E282C73FAEAD0A6DD3 |
| SHA1: | 0C110C1B01E68EDFACAEAE64781A37B1995FA94B |
| SHA-256: | 95B0A5ACC5BF70D3ABDFD091D0C9F9063AA4FDE65BD34DBF16786082E1992E72 |
| SHA-512: | B38458C7FA2825AFB72794F374827403D5946B1132E136A0CE075DFD351277CF7D957C88DC8A1E4ADC3BCAE1FA8010DAE3831E268E910D517691DE24326391A6 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Download File
| Process: | C:\Windows\System32\regsvr32.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 328 |
| Entropy (8bit): | 3.1335351732898324 |
| Encrypted: | false |
| SSDEEP: | 6:kKNLry/7UN+SkQlPlEGYRMY9z+4KlDA3RUecZUt:9CvkPlE99SNxAhUext |
| MD5: | 141ADD778B4D9D765C44061B65895A5C |
| SHA1: | B04B46DFF42488E393A9DC339242CFAEC02D4B4D |
| SHA-256: | F6E040EEB2079A3E39E26EA4B0C633250A3E0A756F2FC31F47FFF07852014F61 |
| SHA-512: | 74A62B27AA08D8A394883C1FE03CDC002D0FC00C8C09146E9C721EF9CE955B8F7ECF0ED108144B3AA2CDB31F0C85D6004FBC5959ACD43F73D4FBA02567505657 |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 0.018845395989010114 |
| TrID: |
|
| File name: | aOHLlvfakv.dll |
| File size: | 571122142 |
| MD5: | 362f48619364efe57ecd00f83d1bca62 |
| SHA1: | ae142315393512fe3f3e03dc07aed88428b6e29b |
| SHA256: | a873911592c3ce95d36e009f40bb376f587ad0ba6971a150a2ac10c87a2465f5 |
| SHA512: | 1ed6695b6bfdce048697963812deafcde28f7c4397af824fc6ffeda03c5ad282b52728620bb2b81a2caa782a8e91f1e888687aaf1727323d2c8365edf8c9a33a |
| SSDEEP: | |
| TLSH: | |
| File Content Preview: | MZP.....................@...............................................!..L.!..This program must be run under Win32..$7....................................................................................................................................... |
 | |
| Icon Hash: | 74f0e4ecccdce0e4 |
| Entrypoint: | 0x401300 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows cui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED, DLL |
| DLL Characteristics: | |
| Time Stamp: | 0x64078C02 [Tue Mar 7 19:09:54 2023 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 2 |
| File Version Major: | 5 |
| File Version Minor: | 2 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 2 |
| Import Hash: | c73bbc818ceb2fafea2b25df17dec187 |
| Instruction |
|---|
| dec eax |
| sub esp, 28h |
| dec eax |
| mov eax, ecx |
| mov dword ptr [00050D8Bh], edx |
| dec esp |
| mov dword ptr [00050D88h], eax |
| dec eax |
| mov dword ptr [00050D75h], eax |
| dec eax |
| cmp edx, 01h |
| jne 00007F6B510E3691h |
| call 00007F6B511191CFh |
| call 00007F6B51114D8Ah |
| call 00007F6B511191D5h |
| dec eax |
| lea eax, dword ptr [00050CC9h] |
| dec eax |
| lea ecx, dword ptr [00047372h] |
| dec eax |
| mov dword ptr [eax+30h], ecx |
| dec eax |
| lea ecx, dword ptr [FFFFFCB7h] |
| dec eax |
| mov dword ptr [eax], ecx |
| dec eax |
| lea ecx, dword ptr [FFFFFF59h] |
| dec eax |
| mov dword ptr [eax+08h], ecx |
| dec eax |
| lea ecx, dword ptr [FFFFFF4Eh] |
| dec eax |
| mov dword ptr [eax+10h], ecx |
| dec eax |
| lea ecx, dword ptr [FFFFFF8Bh] |
| dec eax |
| mov dword ptr [eax+18h], ecx |
| dec eax |
| lea ecx, dword ptr [0004617Ch] |
| dec eax |
| mov dword ptr [eax+68h], ecx |
| dec eax |
| lea ecx, dword ptr [00046571h] |
| dec eax |
| mov dword ptr [eax+70h], ecx |
| dec eax |
| lea ecx, dword ptr [00046596h] |
| dec eax |
| mov dword ptr [eax+78h], ecx |
| dec eax |
| lea ecx, dword ptr [00046B3Bh] |
| dec eax |
| mov dword ptr [eax+00000080h], ecx |
| dec eax |
| lea ecx, dword ptr [0005D2EDh] |
| dec eax |
| mov dword ptr [eax+50h], ecx |
| mov dword ptr [eax+20h], 00000001h |
| dec eax |
| mov ecx, eax |
| dec eax |
| mov edx, dword ptr [00050CD8h] |
| inc esp |
| mov eax, dword ptr [00050CD9h] |
| dec esp |
| mov ecx, dword ptr [00050CD6h] |
| call 00007F6B510E373Ah |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x81000 | 0x69 | .edata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x80000 | 0xb38 | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x82000 | 0x2be00 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x76000 | 0x3a38 | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xae000 | 0x11b4 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x4c4c8 | 0x4c600 | False | 0.4390311732815057 | data | 6.348222298404593 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rodata | 0x4e000 | 0x3600 | 0x3600 | False | 0.3231336805555556 | data | 5.09617814286108 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .data | 0x52000 | 0x22de0 | 0xe400 | False | 0.17931058114035087 | data | 2.348309483365582 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .tls | 0x75000 | 0x5d0 | 0x600 | False | 0.013020833333333334 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .pdata | 0x76000 | 0x3a38 | 0x3c00 | False | 0.4626953125 | data | 5.526910649754969 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .xdata | 0x7a000 | 0x5fd0 | 0x6000 | False | 0.14701334635416666 | shared library | 4.906149317469979 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .idata | 0x80000 | 0xb38 | 0xc00 | False | 0.2919921875 | data | 3.959226833867136 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .edata | 0x81000 | 0x69 | 0x200 | False | 0.181640625 | data | 1.2134297058839834 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0x82000 | 0x2be00 | 0x2be00 | False | 0.8775151353276354 | data | 7.859341694371929 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xae000 | 0x11b4 | 0x1200 | False | 0.6178385416666666 | data | 5.813939662419332 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| VNRKGF | 0x82184 | 0xa2c | data | English | United States |
| VNRKGF | 0x82bb0 | 0x2b000 | data | English | United States |
| RT_RCDATA | 0xadbb0 | 0x10 | data | ||
| RT_RCDATA | 0xadbc0 | 0x2 | data | English | United States |
| RT_VERSION | 0xadbc4 | 0x1f4 | data | English | United States |
| DLL | Import |
|---|---|
| KERNEL32 | AddVectoredExceptionHandler, CloseHandle, CreateDirectoryA, CreateFileA, CreateFileW, DeleteCriticalSection, DeleteFileA, EnterCriticalSection, ExitProcess, FreeEnvironmentStringsA, GetACP, GetCPInfo, GetCurrentProcessId, GetCurrentThreadId, GetDateFormatA, GetEnvironmentStrings, GetFileAttributesA, GetFileAttributesW, GetFileSize, GetFileType, GetLastError, GetLocalTime, GetLocaleInfoA, GetModuleFileNameA, GetModuleHandleA, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoA, GetStdHandle, GetStringTypeA, GetStringTypeW, GetSystemDefaultLangID, GetSystemInfo, GetTickCount, GetTimeZoneInformation, GetUserDefaultLCID, GetVersion, GetVersionExA, HeapAlloc, HeapFree, InitializeCriticalSection, InitializeCriticalSectionAndSpinCount, IsDBCSLeadByteEx, IsDebuggerPresent, IsValidLocale, LCMapStringA, LeaveCriticalSection, LoadLibraryA, LoadLibraryW, LocalFileTimeToFileTime, MultiByteToWideChar, RaiseException, ReadFile, RemoveDirectoryA, RemoveVectoredExceptionHandler, RtlCaptureContext, SetConsoleCtrlHandler, SetEndOfFile, SetFilePointer, SetFileTime, SetHandleCount, SetLastError, SetThreadLocale, Sleep, SleepEx, SystemTimeToFileTime, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, VirtualAlloc, VirtualFree, VirtualQuery, WideCharToMultiByte, WriteFile, RtlRestoreContext, RtlUnwindEx |
| USER32 | EnumThreadWindows, MessageBoxA, wsprintfA |
| Name | Ordinal | Address |
|---|---|---|
| DllRegisterServer | 1 | 0x401da0 |
| __CPPdebugHook | 2 | 0x474aa0 |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 192.168.11.2091.121.146.474979380802404344 03/17/23-17:41:58.374772 | TCP | 2404344 | ET CNC Feodo Tracker Reported CnC Server TCP group 23 | 49793 | 8080 | 192.168.11.20 | 91.121.146.47 |
| 192.168.11.20182.162.143.56497994432404312 03/17/23-17:42:13.021219 | TCP | 2404312 | ET CNC Feodo Tracker Reported CnC Server TCP group 7 | 49799 | 443 | 192.168.11.20 | 182.162.143.56 |
| 192.168.11.20167.172.199.1654980880802404308 03/17/23-17:42:27.268480 | TCP | 2404308 | ET CNC Feodo Tracker Reported CnC Server TCP group 5 | 49808 | 8080 | 192.168.11.20 | 167.172.199.165 |
| 192.168.11.20164.90.222.65498104432404308 03/17/23-17:42:33.407520 | TCP | 2404308 | ET CNC Feodo Tracker Reported CnC Server TCP group 5 | 49810 | 443 | 192.168.11.20 | 164.90.222.65 |
| 192.168.11.20104.168.155.1434981180802404302 03/17/23-17:42:37.517558 | TCP | 2404302 | ET CNC Feodo Tracker Reported CnC Server TCP group 2 | 49811 | 8080 | 192.168.11.20 | 104.168.155.143 |
| 192.168.11.2066.228.32.314979570802404330 03/17/23-17:42:05.273202 | TCP | 2404330 | ET CNC Feodo Tracker Reported CnC Server TCP group 16 | 49795 | 7080 | 192.168.11.20 | 66.228.32.31 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 17, 2023 17:41:58.374772072 CET | 49793 | 8080 | 192.168.11.20 | 91.121.146.47 |
| Mar 17, 2023 17:41:58.394654989 CET | 8080 | 49793 | 91.121.146.47 | 192.168.11.20 |
| Mar 17, 2023 17:41:58.394908905 CET | 49793 | 8080 | 192.168.11.20 | 91.121.146.47 |
| Mar 17, 2023 17:41:58.396826982 CET | 49793 | 8080 | 192.168.11.20 | 91.121.146.47 |
| Mar 17, 2023 17:41:58.416774988 CET | 8080 | 49793 | 91.121.146.47 | 192.168.11.20 |
| Mar 17, 2023 17:41:58.438533068 CET | 8080 | 49793 | 91.121.146.47 | 192.168.11.20 |
| Mar 17, 2023 17:41:58.438611031 CET | 8080 | 49793 | 91.121.146.47 | 192.168.11.20 |
| Mar 17, 2023 17:41:58.438812971 CET | 49793 | 8080 | 192.168.11.20 | 91.121.146.47 |
| Mar 17, 2023 17:41:58.441060066 CET | 49793 | 8080 | 192.168.11.20 | 91.121.146.47 |
| Mar 17, 2023 17:41:58.461968899 CET | 8080 | 49793 | 91.121.146.47 | 192.168.11.20 |
| Mar 17, 2023 17:41:58.506763935 CET | 49793 | 8080 | 192.168.11.20 | 91.121.146.47 |
| Mar 17, 2023 17:41:59.256028891 CET | 49793 | 8080 | 192.168.11.20 | 91.121.146.47 |
| Mar 17, 2023 17:41:59.256028891 CET | 49793 | 8080 | 192.168.11.20 | 91.121.146.47 |
| Mar 17, 2023 17:41:59.276854038 CET | 8080 | 49793 | 91.121.146.47 | 192.168.11.20 |
| Mar 17, 2023 17:42:01.236709118 CET | 8080 | 49793 | 91.121.146.47 | 192.168.11.20 |
| Mar 17, 2023 17:42:01.287337065 CET | 49793 | 8080 | 192.168.11.20 | 91.121.146.47 |
| Mar 17, 2023 17:42:04.236349106 CET | 8080 | 49793 | 91.121.146.47 | 192.168.11.20 |
| Mar 17, 2023 17:42:04.236385107 CET | 8080 | 49793 | 91.121.146.47 | 192.168.11.20 |
| Mar 17, 2023 17:42:04.236536980 CET | 49793 | 8080 | 192.168.11.20 | 91.121.146.47 |
| Mar 17, 2023 17:42:04.236789942 CET | 49793 | 8080 | 192.168.11.20 | 91.121.146.47 |
| Mar 17, 2023 17:42:04.236789942 CET | 49793 | 8080 | 192.168.11.20 | 91.121.146.47 |
| Mar 17, 2023 17:42:04.256392956 CET | 8080 | 49793 | 91.121.146.47 | 192.168.11.20 |
| Mar 17, 2023 17:42:04.256506920 CET | 8080 | 49793 | 91.121.146.47 | 192.168.11.20 |
| Mar 17, 2023 17:42:05.273201942 CET | 49795 | 7080 | 192.168.11.20 | 66.228.32.31 |
| Mar 17, 2023 17:42:05.365420103 CET | 7080 | 49795 | 66.228.32.31 | 192.168.11.20 |
| Mar 17, 2023 17:42:05.880079031 CET | 49795 | 7080 | 192.168.11.20 | 66.228.32.31 |
| Mar 17, 2023 17:42:05.972516060 CET | 7080 | 49795 | 66.228.32.31 | 192.168.11.20 |
| Mar 17, 2023 17:42:06.473604918 CET | 49795 | 7080 | 192.168.11.20 | 66.228.32.31 |
| Mar 17, 2023 17:42:06.565701962 CET | 7080 | 49795 | 66.228.32.31 | 192.168.11.20 |
| Mar 17, 2023 17:42:07.067228079 CET | 49795 | 7080 | 192.168.11.20 | 66.228.32.31 |
| Mar 17, 2023 17:42:07.159077883 CET | 7080 | 49795 | 66.228.32.31 | 192.168.11.20 |
| Mar 17, 2023 17:42:07.660923004 CET | 49795 | 7080 | 192.168.11.20 | 66.228.32.31 |
| Mar 17, 2023 17:42:07.753176928 CET | 7080 | 49795 | 66.228.32.31 | 192.168.11.20 |
| Mar 17, 2023 17:42:13.021219015 CET | 49799 | 443 | 192.168.11.20 | 182.162.143.56 |
| Mar 17, 2023 17:42:13.021243095 CET | 443 | 49799 | 182.162.143.56 | 192.168.11.20 |
| Mar 17, 2023 17:42:13.021507025 CET | 49799 | 443 | 192.168.11.20 | 182.162.143.56 |
| Mar 17, 2023 17:42:13.021766901 CET | 49799 | 443 | 192.168.11.20 | 182.162.143.56 |
| Mar 17, 2023 17:42:13.021780014 CET | 443 | 49799 | 182.162.143.56 | 192.168.11.20 |
| Mar 17, 2023 17:42:13.262397051 CET | 443 | 49799 | 182.162.143.56 | 192.168.11.20 |
| Mar 17, 2023 17:42:13.263051987 CET | 49800 | 443 | 192.168.11.20 | 182.162.143.56 |
| Mar 17, 2023 17:42:13.263098955 CET | 443 | 49800 | 182.162.143.56 | 192.168.11.20 |
| Mar 17, 2023 17:42:13.263350010 CET | 49800 | 443 | 192.168.11.20 | 182.162.143.56 |
| Mar 17, 2023 17:42:13.263613939 CET | 49800 | 443 | 192.168.11.20 | 182.162.143.56 |
| Mar 17, 2023 17:42:13.263655901 CET | 443 | 49800 | 182.162.143.56 | 192.168.11.20 |
| Mar 17, 2023 17:42:13.506201982 CET | 443 | 49800 | 182.162.143.56 | 192.168.11.20 |
| Mar 17, 2023 17:42:13.506864071 CET | 49801 | 443 | 192.168.11.20 | 182.162.143.56 |
| Mar 17, 2023 17:42:13.506884098 CET | 443 | 49801 | 182.162.143.56 | 192.168.11.20 |
| Mar 17, 2023 17:42:13.507070065 CET | 49801 | 443 | 192.168.11.20 | 182.162.143.56 |
| Mar 17, 2023 17:42:13.507759094 CET | 49801 | 443 | 192.168.11.20 | 182.162.143.56 |
| Mar 17, 2023 17:42:13.507816076 CET | 443 | 49801 | 182.162.143.56 | 192.168.11.20 |
| Mar 17, 2023 17:42:13.508106947 CET | 49801 | 443 | 192.168.11.20 | 182.162.143.56 |
| Mar 17, 2023 17:42:18.770060062 CET | 49802 | 80 | 192.168.11.20 | 187.63.160.88 |
| Mar 17, 2023 17:42:18.991063118 CET | 80 | 49802 | 187.63.160.88 | 192.168.11.20 |
| Mar 17, 2023 17:42:19.501975060 CET | 49802 | 80 | 192.168.11.20 | 187.63.160.88 |
| Mar 17, 2023 17:42:19.722867966 CET | 80 | 49802 | 187.63.160.88 | 192.168.11.20 |
| Mar 17, 2023 17:42:20.236145973 CET | 49802 | 80 | 192.168.11.20 | 187.63.160.88 |
| Mar 17, 2023 17:42:20.457137108 CET | 80 | 49802 | 187.63.160.88 | 192.168.11.20 |
| Mar 17, 2023 17:42:20.970432043 CET | 49802 | 80 | 192.168.11.20 | 187.63.160.88 |
| Mar 17, 2023 17:42:21.191561937 CET | 80 | 49802 | 187.63.160.88 | 192.168.11.20 |
| Mar 17, 2023 17:42:21.704818010 CET | 49802 | 80 | 192.168.11.20 | 187.63.160.88 |
| Mar 17, 2023 17:42:21.925785065 CET | 80 | 49802 | 187.63.160.88 | 192.168.11.20 |
| Mar 17, 2023 17:42:27.268480062 CET | 49808 | 8080 | 192.168.11.20 | 167.172.199.165 |
| Mar 17, 2023 17:42:27.428508043 CET | 8080 | 49808 | 167.172.199.165 | 192.168.11.20 |
| Mar 17, 2023 17:42:27.428760052 CET | 49808 | 8080 | 192.168.11.20 | 167.172.199.165 |
| Mar 17, 2023 17:42:27.429096937 CET | 49808 | 8080 | 192.168.11.20 | 167.172.199.165 |
| Mar 17, 2023 17:42:27.588521957 CET | 8080 | 49808 | 167.172.199.165 | 192.168.11.20 |
| Mar 17, 2023 17:42:27.598985910 CET | 8080 | 49808 | 167.172.199.165 | 192.168.11.20 |
| Mar 17, 2023 17:42:27.599060059 CET | 8080 | 49808 | 167.172.199.165 | 192.168.11.20 |
| Mar 17, 2023 17:42:27.599360943 CET | 49808 | 8080 | 192.168.11.20 | 167.172.199.165 |
| Mar 17, 2023 17:42:27.602097034 CET | 49808 | 8080 | 192.168.11.20 | 167.172.199.165 |
| Mar 17, 2023 17:42:27.762232065 CET | 8080 | 49808 | 167.172.199.165 | 192.168.11.20 |
| Mar 17, 2023 17:42:27.812634945 CET | 49808 | 8080 | 192.168.11.20 | 167.172.199.165 |
| Mar 17, 2023 17:42:28.055224895 CET | 49808 | 8080 | 192.168.11.20 | 167.172.199.165 |
| Mar 17, 2023 17:42:28.255151033 CET | 8080 | 49808 | 167.172.199.165 | 192.168.11.20 |
| Mar 17, 2023 17:42:28.880906105 CET | 8080 | 49808 | 167.172.199.165 | 192.168.11.20 |
| Mar 17, 2023 17:42:28.921806097 CET | 49808 | 8080 | 192.168.11.20 | 167.172.199.165 |
| Mar 17, 2023 17:42:31.878376961 CET | 8080 | 49808 | 167.172.199.165 | 192.168.11.20 |
| Mar 17, 2023 17:42:31.878443956 CET | 8080 | 49808 | 167.172.199.165 | 192.168.11.20 |
| Mar 17, 2023 17:42:31.878724098 CET | 49808 | 8080 | 192.168.11.20 | 167.172.199.165 |
| Mar 17, 2023 17:42:31.878724098 CET | 49808 | 8080 | 192.168.11.20 | 167.172.199.165 |
| Mar 17, 2023 17:42:31.878724098 CET | 49808 | 8080 | 192.168.11.20 | 167.172.199.165 |
| Mar 17, 2023 17:42:32.038175106 CET | 8080 | 49808 | 167.172.199.165 | 192.168.11.20 |
| Mar 17, 2023 17:42:32.038233042 CET | 8080 | 49808 | 167.172.199.165 | 192.168.11.20 |
| Mar 17, 2023 17:42:33.266638041 CET | 49810 | 443 | 192.168.11.20 | 164.90.222.65 |
| Mar 17, 2023 17:42:33.266664028 CET | 443 | 49810 | 164.90.222.65 | 192.168.11.20 |
| Mar 17, 2023 17:42:33.266859055 CET | 49810 | 443 | 192.168.11.20 | 164.90.222.65 |
| Mar 17, 2023 17:42:33.267117977 CET | 49810 | 443 | 192.168.11.20 | 164.90.222.65 |
| Mar 17, 2023 17:42:33.267132044 CET | 443 | 49810 | 164.90.222.65 | 192.168.11.20 |
| Mar 17, 2023 17:42:33.404678106 CET | 443 | 49810 | 164.90.222.65 | 192.168.11.20 |
| Mar 17, 2023 17:42:33.404896021 CET | 49810 | 443 | 192.168.11.20 | 164.90.222.65 |
| Mar 17, 2023 17:42:33.406138897 CET | 49810 | 443 | 192.168.11.20 | 164.90.222.65 |
| Mar 17, 2023 17:42:33.406156063 CET | 443 | 49810 | 164.90.222.65 | 192.168.11.20 |
| Mar 17, 2023 17:42:33.406534910 CET | 443 | 49810 | 164.90.222.65 | 192.168.11.20 |
| Mar 17, 2023 17:42:33.407407999 CET | 49810 | 443 | 192.168.11.20 | 164.90.222.65 |
| Mar 17, 2023 17:42:33.448353052 CET | 443 | 49810 | 164.90.222.65 | 192.168.11.20 |
| Mar 17, 2023 17:42:33.604700089 CET | 443 | 49810 | 164.90.222.65 | 192.168.11.20 |
| Mar 17, 2023 17:42:33.604796886 CET | 443 | 49810 | 164.90.222.65 | 192.168.11.20 |
| Mar 17, 2023 17:42:33.605035067 CET | 49810 | 443 | 192.168.11.20 | 164.90.222.65 |
| Mar 17, 2023 17:42:33.606838942 CET | 49810 | 443 | 192.168.11.20 | 164.90.222.65 |
| Mar 17, 2023 17:42:33.606838942 CET | 49810 | 443 | 192.168.11.20 | 164.90.222.65 |
| Mar 17, 2023 17:42:33.606858015 CET | 443 | 49810 | 164.90.222.65 | 192.168.11.20 |
| Mar 17, 2023 17:42:33.606863976 CET | 443 | 49810 | 164.90.222.65 | 192.168.11.20 |
| Mar 17, 2023 17:42:37.517558098 CET | 49811 | 8080 | 192.168.11.20 | 104.168.155.143 |
| Mar 17, 2023 17:42:37.672061920 CET | 8080 | 49811 | 104.168.155.143 | 192.168.11.20 |
| Mar 17, 2023 17:42:38.185431004 CET | 49811 | 8080 | 192.168.11.20 | 104.168.155.143 |
| Mar 17, 2023 17:42:38.340004921 CET | 8080 | 49811 | 104.168.155.143 | 192.168.11.20 |
| Mar 17, 2023 17:42:38.841558933 CET | 49811 | 8080 | 192.168.11.20 | 104.168.155.143 |
| Mar 17, 2023 17:42:38.996213913 CET | 8080 | 49811 | 104.168.155.143 | 192.168.11.20 |
| Mar 17, 2023 17:42:39.497572899 CET | 49811 | 8080 | 192.168.11.20 | 104.168.155.143 |
| Mar 17, 2023 17:42:39.651925087 CET | 8080 | 49811 | 104.168.155.143 | 192.168.11.20 |
| Mar 17, 2023 17:42:40.153743029 CET | 49811 | 8080 | 192.168.11.20 | 104.168.155.143 |
| Mar 17, 2023 17:42:40.308238029 CET | 8080 | 49811 | 104.168.155.143 | 192.168.11.20 |
| Mar 17, 2023 17:42:45.763748884 CET | 49812 | 8080 | 192.168.11.20 | 91.207.28.33 |
| Mar 17, 2023 17:42:46.777282953 CET | 49812 | 8080 | 192.168.11.20 | 91.207.28.33 |
| Mar 17, 2023 17:42:48.792363882 CET | 49812 | 8080 | 192.168.11.20 | 91.207.28.33 |
| Mar 17, 2023 17:42:52.807138920 CET | 49812 | 8080 | 192.168.11.20 | 91.207.28.33 |
| Mar 17, 2023 17:43:03.822468042 CET | 49814 | 8080 | 192.168.11.20 | 72.15.201.15 |
| Mar 17, 2023 17:43:04.835772991 CET | 49814 | 8080 | 192.168.11.20 | 72.15.201.15 |
| Mar 17, 2023 17:43:06.850945950 CET | 49814 | 8080 | 192.168.11.20 | 72.15.201.15 |
| Mar 17, 2023 17:43:10.865731001 CET | 49814 | 8080 | 192.168.11.20 | 72.15.201.15 |
| Mar 17, 2023 17:43:19.772525072 CET | 49815 | 8080 | 192.168.11.20 | 183.111.227.137 |
| Mar 17, 2023 17:43:20.020836115 CET | 8080 | 49815 | 183.111.227.137 | 192.168.11.20 |
| Mar 17, 2023 17:43:20.535630941 CET | 49815 | 8080 | 192.168.11.20 | 183.111.227.137 |
| Mar 17, 2023 17:43:20.783593893 CET | 8080 | 49815 | 183.111.227.137 | 192.168.11.20 |
| Mar 17, 2023 17:43:21.285259962 CET | 49815 | 8080 | 192.168.11.20 | 183.111.227.137 |
| Mar 17, 2023 17:43:21.533147097 CET | 8080 | 49815 | 183.111.227.137 | 192.168.11.20 |
| Mar 17, 2023 17:43:22.035099030 CET | 49815 | 8080 | 192.168.11.20 | 183.111.227.137 |
| Mar 17, 2023 17:43:22.282741070 CET | 8080 | 49815 | 183.111.227.137 | 192.168.11.20 |
| Mar 17, 2023 17:43:22.784892082 CET | 49815 | 8080 | 192.168.11.20 | 183.111.227.137 |
| Mar 17, 2023 17:43:23.077965021 CET | 8080 | 49815 | 183.111.227.137 | 192.168.11.20 |
| Mar 17, 2023 17:43:28.520064116 CET | 49822 | 8080 | 192.168.11.20 | 103.132.242.26 |
| Mar 17, 2023 17:43:29.533441067 CET | 49822 | 8080 | 192.168.11.20 | 103.132.242.26 |
| Mar 17, 2023 17:43:31.548651934 CET | 49822 | 8080 | 192.168.11.20 | 103.132.242.26 |
| Mar 17, 2023 17:43:35.563338995 CET | 49822 | 8080 | 192.168.11.20 | 103.132.242.26 |
| Mar 17, 2023 17:43:43.766787052 CET | 49823 | 8080 | 192.168.11.20 | 159.65.88.10 |
| Mar 17, 2023 17:43:43.790045977 CET | 8080 | 49823 | 159.65.88.10 | 192.168.11.20 |
| Mar 17, 2023 17:43:44.295902014 CET | 49823 | 8080 | 192.168.11.20 | 159.65.88.10 |
| Mar 17, 2023 17:43:44.318840027 CET | 8080 | 49823 | 159.65.88.10 | 192.168.11.20 |
| Mar 17, 2023 17:43:44.827033997 CET | 49823 | 8080 | 192.168.11.20 | 159.65.88.10 |
| Mar 17, 2023 17:43:44.850227118 CET | 8080 | 49823 | 159.65.88.10 | 192.168.11.20 |
| Mar 17, 2023 17:43:45.358258963 CET | 49823 | 8080 | 192.168.11.20 | 159.65.88.10 |
| Mar 17, 2023 17:43:45.381469965 CET | 8080 | 49823 | 159.65.88.10 | 192.168.11.20 |
| Mar 17, 2023 17:43:45.889336109 CET | 49823 | 8080 | 192.168.11.20 | 159.65.88.10 |
| Mar 17, 2023 17:43:45.912477970 CET | 8080 | 49823 | 159.65.88.10 | 192.168.11.20 |
| Mar 17, 2023 17:43:51.265083075 CET | 49824 | 8080 | 192.168.11.20 | 173.212.193.249 |
| Mar 17, 2023 17:43:51.278083086 CET | 8080 | 49824 | 173.212.193.249 | 192.168.11.20 |
| Mar 17, 2023 17:43:51.778645039 CET | 49824 | 8080 | 192.168.11.20 | 173.212.193.249 |
| Mar 17, 2023 17:43:51.791685104 CET | 8080 | 49824 | 173.212.193.249 | 192.168.11.20 |
| Mar 17, 2023 17:43:52.294193983 CET | 49824 | 8080 | 192.168.11.20 | 173.212.193.249 |
| Mar 17, 2023 17:43:52.307445049 CET | 8080 | 49824 | 173.212.193.249 | 192.168.11.20 |
| Mar 17, 2023 17:43:52.809746027 CET | 49824 | 8080 | 192.168.11.20 | 173.212.193.249 |
| Mar 17, 2023 17:43:52.822951078 CET | 8080 | 49824 | 173.212.193.249 | 192.168.11.20 |
| Mar 17, 2023 17:43:53.325222015 CET | 49824 | 8080 | 192.168.11.20 | 173.212.193.249 |
| Mar 17, 2023 17:43:53.338465929 CET | 8080 | 49824 | 173.212.193.249 | 192.168.11.20 |
| Mar 17, 2023 17:43:58.763418913 CET | 49825 | 8080 | 192.168.11.20 | 82.223.21.224 |
| Mar 17, 2023 17:43:58.809401035 CET | 8080 | 49825 | 82.223.21.224 | 192.168.11.20 |
| Mar 17, 2023 17:43:59.323915958 CET | 49825 | 8080 | 192.168.11.20 | 82.223.21.224 |
| Mar 17, 2023 17:43:59.370287895 CET | 8080 | 49825 | 82.223.21.224 | 192.168.11.20 |
| Mar 17, 2023 17:43:59.886332035 CET | 49825 | 8080 | 192.168.11.20 | 82.223.21.224 |
| Mar 17, 2023 17:43:59.932274103 CET | 8080 | 49825 | 82.223.21.224 | 192.168.11.20 |
| Mar 17, 2023 17:44:00.432996988 CET | 49825 | 8080 | 192.168.11.20 | 82.223.21.224 |
| Mar 17, 2023 17:44:00.478863955 CET | 8080 | 49825 | 82.223.21.224 | 192.168.11.20 |
| Mar 17, 2023 17:44:00.979753017 CET | 49825 | 8080 | 192.168.11.20 | 82.223.21.224 |
| Mar 17, 2023 17:44:01.025233984 CET | 8080 | 49825 | 82.223.21.224 | 192.168.11.20 |
| Mar 17, 2023 17:44:06.511812925 CET | 49827 | 8080 | 192.168.11.20 | 172.105.226.75 |
| Mar 17, 2023 17:44:06.758227110 CET | 8080 | 49827 | 172.105.226.75 | 192.168.11.20 |
| Mar 17, 2023 17:44:07.259543896 CET | 49827 | 8080 | 192.168.11.20 | 172.105.226.75 |
| Mar 17, 2023 17:44:07.506124020 CET | 8080 | 49827 | 172.105.226.75 | 192.168.11.20 |
| Mar 17, 2023 17:44:08.009418964 CET | 49827 | 8080 | 192.168.11.20 | 172.105.226.75 |
| Mar 17, 2023 17:44:08.256293058 CET | 8080 | 49827 | 172.105.226.75 | 192.168.11.20 |
| Mar 17, 2023 17:44:08.759502888 CET | 49827 | 8080 | 192.168.11.20 | 172.105.226.75 |
| Mar 17, 2023 17:44:09.006118059 CET | 8080 | 49827 | 172.105.226.75 | 192.168.11.20 |
| Mar 17, 2023 17:44:09.509186983 CET | 49827 | 8080 | 192.168.11.20 | 172.105.226.75 |
| Mar 17, 2023 17:44:09.755721092 CET | 8080 | 49827 | 172.105.226.75 | 192.168.11.20 |
| Mar 17, 2023 17:44:15.029058933 CET | 49828 | 443 | 192.168.11.20 | 103.43.75.120 |
| Mar 17, 2023 17:44:15.029201984 CET | 443 | 49828 | 103.43.75.120 | 192.168.11.20 |
| Mar 17, 2023 17:44:15.029504061 CET | 49828 | 443 | 192.168.11.20 | 103.43.75.120 |
| Mar 17, 2023 17:44:15.029727936 CET | 49828 | 443 | 192.168.11.20 | 103.43.75.120 |
| Mar 17, 2023 17:44:15.029802084 CET | 443 | 49828 | 103.43.75.120 | 192.168.11.20 |
| Mar 17, 2023 17:44:15.311882019 CET | 443 | 49828 | 103.43.75.120 | 192.168.11.20 |
| Mar 17, 2023 17:44:15.312529087 CET | 49829 | 443 | 192.168.11.20 | 103.43.75.120 |
| Mar 17, 2023 17:44:15.312628031 CET | 443 | 49829 | 103.43.75.120 | 192.168.11.20 |
| Mar 17, 2023 17:44:15.312788010 CET | 49829 | 443 | 192.168.11.20 | 103.43.75.120 |
| Mar 17, 2023 17:44:15.313050032 CET | 49829 | 443 | 192.168.11.20 | 103.43.75.120 |
| Mar 17, 2023 17:44:15.313097954 CET | 443 | 49829 | 103.43.75.120 | 192.168.11.20 |
| Mar 17, 2023 17:44:15.592663050 CET | 443 | 49829 | 103.43.75.120 | 192.168.11.20 |
| Mar 17, 2023 17:44:15.593230963 CET | 49830 | 443 | 192.168.11.20 | 103.43.75.120 |
| Mar 17, 2023 17:44:15.593322992 CET | 443 | 49830 | 103.43.75.120 | 192.168.11.20 |
| Mar 17, 2023 17:44:15.593460083 CET | 49830 | 443 | 192.168.11.20 | 103.43.75.120 |
| Mar 17, 2023 17:44:15.593630075 CET | 49830 | 443 | 192.168.11.20 | 103.43.75.120 |
| Mar 17, 2023 17:44:15.593802929 CET | 443 | 49830 | 103.43.75.120 | 192.168.11.20 |
| Mar 17, 2023 17:44:15.594027042 CET | 49830 | 443 | 192.168.11.20 | 103.43.75.120 |
| Mar 17, 2023 17:44:21.027429104 CET | 49831 | 8080 | 192.168.11.20 | 167.172.253.162 |
| Mar 17, 2023 17:44:21.162358999 CET | 8080 | 49831 | 167.172.253.162 | 192.168.11.20 |
| Mar 17, 2023 17:44:21.662861109 CET | 49831 | 8080 | 192.168.11.20 | 167.172.253.162 |
| Mar 17, 2023 17:44:21.801440954 CET | 8080 | 49831 | 167.172.253.162 | 192.168.11.20 |
| Mar 17, 2023 17:44:22.303257942 CET | 49831 | 8080 | 192.168.11.20 | 167.172.253.162 |
| Mar 17, 2023 17:44:22.442197084 CET | 8080 | 49831 | 167.172.253.162 | 192.168.11.20 |
| Mar 17, 2023 17:44:22.943644047 CET | 49831 | 8080 | 192.168.11.20 | 167.172.253.162 |
| Mar 17, 2023 17:44:23.083183050 CET | 8080 | 49831 | 167.172.253.162 | 192.168.11.20 |
| Mar 17, 2023 17:44:23.584244013 CET | 49831 | 8080 | 192.168.11.20 | 167.172.253.162 |
| Mar 17, 2023 17:44:23.694905043 CET | 8080 | 49831 | 167.172.253.162 | 192.168.11.20 |
| Mar 17, 2023 17:44:29.022180080 CET | 49832 | 8080 | 192.168.11.20 | 1.234.2.232 |
| Mar 17, 2023 17:44:29.286112070 CET | 8080 | 49832 | 1.234.2.232 | 192.168.11.20 |
| Mar 17, 2023 17:44:29.801469088 CET | 49832 | 8080 | 192.168.11.20 | 1.234.2.232 |
| Mar 17, 2023 17:44:30.065686941 CET | 8080 | 49832 | 1.234.2.232 | 192.168.11.20 |
| Mar 17, 2023 17:44:30.567078114 CET | 49832 | 8080 | 192.168.11.20 | 1.234.2.232 |
| Mar 17, 2023 17:44:30.830735922 CET | 8080 | 49832 | 1.234.2.232 | 192.168.11.20 |
| Mar 17, 2023 17:44:31.332401037 CET | 49832 | 8080 | 192.168.11.20 | 1.234.2.232 |
| Mar 17, 2023 17:44:31.596599102 CET | 8080 | 49832 | 1.234.2.232 | 192.168.11.20 |
| Mar 17, 2023 17:44:32.097857952 CET | 49832 | 8080 | 192.168.11.20 | 1.234.2.232 |
| Mar 17, 2023 17:44:32.362013102 CET | 8080 | 49832 | 1.234.2.232 | 192.168.11.20 |
| Mar 17, 2023 17:44:37.771064997 CET | 49834 | 443 | 192.168.11.20 | 159.89.202.34 |
| Mar 17, 2023 17:44:37.771198034 CET | 443 | 49834 | 159.89.202.34 | 192.168.11.20 |
| Mar 17, 2023 17:44:37.771441936 CET | 49834 | 443 | 192.168.11.20 | 159.89.202.34 |
| Mar 17, 2023 17:44:37.771828890 CET | 49834 | 443 | 192.168.11.20 | 159.89.202.34 |
| Mar 17, 2023 17:44:37.771898985 CET | 443 | 49834 | 159.89.202.34 | 192.168.11.20 |
| Mar 17, 2023 17:44:38.054105997 CET | 443 | 49834 | 159.89.202.34 | 192.168.11.20 |
| Mar 17, 2023 17:44:38.054717064 CET | 49835 | 443 | 192.168.11.20 | 159.89.202.34 |
| Mar 17, 2023 17:44:38.054805994 CET | 443 | 49835 | 159.89.202.34 | 192.168.11.20 |
| Mar 17, 2023 17:44:38.055016994 CET | 49835 | 443 | 192.168.11.20 | 159.89.202.34 |
| Mar 17, 2023 17:44:38.055208921 CET | 49835 | 443 | 192.168.11.20 | 159.89.202.34 |
| Mar 17, 2023 17:44:38.055253029 CET | 443 | 49835 | 159.89.202.34 | 192.168.11.20 |
| Mar 17, 2023 17:44:38.340270996 CET | 443 | 49835 | 159.89.202.34 | 192.168.11.20 |
| Mar 17, 2023 17:44:38.340790033 CET | 49836 | 443 | 192.168.11.20 | 159.89.202.34 |
| Mar 17, 2023 17:44:38.340917110 CET | 443 | 49836 | 159.89.202.34 | 192.168.11.20 |
| Mar 17, 2023 17:44:38.341070890 CET | 49836 | 443 | 192.168.11.20 | 159.89.202.34 |
| Mar 17, 2023 17:44:38.341237068 CET | 49836 | 443 | 192.168.11.20 | 159.89.202.34 |
| Mar 17, 2023 17:44:38.341425896 CET | 443 | 49836 | 159.89.202.34 | 192.168.11.20 |
| Mar 17, 2023 17:44:38.341639042 CET | 49836 | 443 | 192.168.11.20 | 159.89.202.34 |
| Mar 17, 2023 17:44:43.769171953 CET | 49837 | 443 | 192.168.11.20 | 186.194.240.217 |
| Mar 17, 2023 17:44:43.769309998 CET | 443 | 49837 | 186.194.240.217 | 192.168.11.20 |
| Mar 17, 2023 17:44:43.769537926 CET | 49837 | 443 | 192.168.11.20 | 186.194.240.217 |
| Mar 17, 2023 17:44:43.769929886 CET | 49837 | 443 | 192.168.11.20 | 186.194.240.217 |
| Mar 17, 2023 17:44:43.770024061 CET | 443 | 49837 | 186.194.240.217 | 192.168.11.20 |
| Mar 17, 2023 17:44:44.004190922 CET | 443 | 49837 | 186.194.240.217 | 192.168.11.20 |
| Mar 17, 2023 17:44:44.005050898 CET | 49838 | 443 | 192.168.11.20 | 186.194.240.217 |
| Mar 17, 2023 17:44:44.005167007 CET | 443 | 49838 | 186.194.240.217 | 192.168.11.20 |
| Mar 17, 2023 17:44:44.005414963 CET | 49838 | 443 | 192.168.11.20 | 186.194.240.217 |
| Mar 17, 2023 17:44:44.005795002 CET | 49838 | 443 | 192.168.11.20 | 186.194.240.217 |
| Mar 17, 2023 17:44:44.005872011 CET | 443 | 49838 | 186.194.240.217 | 192.168.11.20 |
| Mar 17, 2023 17:44:44.241528034 CET | 443 | 49838 | 186.194.240.217 | 192.168.11.20 |
| Mar 17, 2023 17:44:44.242183924 CET | 49839 | 443 | 192.168.11.20 | 186.194.240.217 |
| Mar 17, 2023 17:44:44.242290974 CET | 443 | 49839 | 186.194.240.217 | 192.168.11.20 |
| Mar 17, 2023 17:44:44.242450953 CET | 49839 | 443 | 192.168.11.20 | 186.194.240.217 |
| Mar 17, 2023 17:44:44.242614985 CET | 49839 | 443 | 192.168.11.20 | 186.194.240.217 |
| Mar 17, 2023 17:44:44.242856979 CET | 443 | 49839 | 186.194.240.217 | 192.168.11.20 |
| Mar 17, 2023 17:44:44.243117094 CET | 49839 | 443 | 192.168.11.20 | 186.194.240.217 |
| Mar 17, 2023 17:44:49.518745899 CET | 49840 | 8080 | 192.168.11.20 | 185.4.135.165 |
| Mar 17, 2023 17:44:49.566934109 CET | 8080 | 49840 | 185.4.135.165 | 192.168.11.20 |
| Mar 17, 2023 17:44:50.078468084 CET | 49840 | 8080 | 192.168.11.20 | 185.4.135.165 |
| Mar 17, 2023 17:44:50.126694918 CET | 8080 | 49840 | 185.4.135.165 | 192.168.11.20 |
| Mar 17, 2023 17:44:50.640897036 CET | 49840 | 8080 | 192.168.11.20 | 185.4.135.165 |
| Mar 17, 2023 17:44:50.689393044 CET | 8080 | 49840 | 185.4.135.165 | 192.168.11.20 |
| Mar 17, 2023 17:44:51.203129053 CET | 49840 | 8080 | 192.168.11.20 | 185.4.135.165 |
| Mar 17, 2023 17:44:51.250773907 CET | 8080 | 49840 | 185.4.135.165 | 192.168.11.20 |
| Mar 17, 2023 17:44:51.765427113 CET | 49840 | 8080 | 192.168.11.20 | 185.4.135.165 |
| Mar 17, 2023 17:44:51.813431025 CET | 8080 | 49840 | 185.4.135.165 | 192.168.11.20 |
| Mar 17, 2023 17:44:57.266356945 CET | 49841 | 443 | 192.168.11.20 | 139.59.126.41 |
| Mar 17, 2023 17:44:57.266514063 CET | 443 | 49841 | 139.59.126.41 | 192.168.11.20 |
| Mar 17, 2023 17:44:57.266741037 CET | 49841 | 443 | 192.168.11.20 | 139.59.126.41 |
| Mar 17, 2023 17:44:57.267004967 CET | 49841 | 443 | 192.168.11.20 | 139.59.126.41 |
| Mar 17, 2023 17:44:57.267102003 CET | 443 | 49841 | 139.59.126.41 | 192.168.11.20 |
| Mar 17, 2023 17:44:58.573692083 CET | 443 | 49841 | 139.59.126.41 | 192.168.11.20 |
| Mar 17, 2023 17:44:58.574312925 CET | 49842 | 443 | 192.168.11.20 | 139.59.126.41 |
| Mar 17, 2023 17:44:58.574402094 CET | 443 | 49842 | 139.59.126.41 | 192.168.11.20 |
| Mar 17, 2023 17:44:58.574652910 CET | 49842 | 443 | 192.168.11.20 | 139.59.126.41 |
| Mar 17, 2023 17:44:58.574857950 CET | 49842 | 443 | 192.168.11.20 | 139.59.126.41 |
| Mar 17, 2023 17:44:58.574918032 CET | 443 | 49842 | 139.59.126.41 | 192.168.11.20 |
| Mar 17, 2023 17:44:58.857228994 CET | 443 | 49842 | 139.59.126.41 | 192.168.11.20 |
| Mar 17, 2023 17:44:58.860399008 CET | 49843 | 443 | 192.168.11.20 | 139.59.126.41 |
| Mar 17, 2023 17:44:58.860488892 CET | 443 | 49843 | 139.59.126.41 | 192.168.11.20 |
| Mar 17, 2023 17:44:58.860719919 CET | 49843 | 443 | 192.168.11.20 | 139.59.126.41 |
| Mar 17, 2023 17:44:58.860852957 CET | 49843 | 443 | 192.168.11.20 | 139.59.126.41 |
| Mar 17, 2023 17:44:58.861057997 CET | 443 | 49843 | 139.59.126.41 | 192.168.11.20 |
| Mar 17, 2023 17:44:58.861268997 CET | 49843 | 443 | 192.168.11.20 | 139.59.126.41 |
| Mar 17, 2023 17:45:04.264642000 CET | 49844 | 8080 | 192.168.11.20 | 164.68.99.3 |
| Mar 17, 2023 17:45:05.278199911 CET | 49844 | 8080 | 192.168.11.20 | 164.68.99.3 |
| Mar 17, 2023 17:45:07.293297052 CET | 49844 | 8080 | 192.168.11.20 | 164.68.99.3 |
| Mar 17, 2023 17:45:11.308057070 CET | 49844 | 8080 | 192.168.11.20 | 164.68.99.3 |
| Mar 17, 2023 17:45:19.823965073 CET | 49845 | 8080 | 192.168.11.20 | 95.217.221.146 |
| Mar 17, 2023 17:45:19.856082916 CET | 8080 | 49845 | 95.217.221.146 | 192.168.11.20 |
| Mar 17, 2023 17:45:20.368448019 CET | 49845 | 8080 | 192.168.11.20 | 95.217.221.146 |
| Mar 17, 2023 17:45:20.398480892 CET | 8080 | 49845 | 95.217.221.146 | 192.168.11.20 |
| Mar 17, 2023 17:45:20.899653912 CET | 49845 | 8080 | 192.168.11.20 | 95.217.221.146 |
| Mar 17, 2023 17:45:20.929902077 CET | 8080 | 49845 | 95.217.221.146 | 192.168.11.20 |
| Mar 17, 2023 17:45:21.430948019 CET | 49845 | 8080 | 192.168.11.20 | 95.217.221.146 |
| Mar 17, 2023 17:45:21.464046001 CET | 8080 | 49845 | 95.217.221.146 | 192.168.11.20 |
| Mar 17, 2023 17:45:21.977663040 CET | 49845 | 8080 | 192.168.11.20 | 95.217.221.146 |
| Mar 17, 2023 17:45:22.008155107 CET | 8080 | 49845 | 95.217.221.146 | 192.168.11.20 |
| Timestamp | Source IP | Dest IP | Checksum | Code | Type |
|---|---|---|---|---|---|
| Mar 17, 2023 17:43:28.805680990 CET | 103.132.242.26 | 192.168.11.20 | 2278 | (Unknown) | Destination Unreachable |
| Mar 17, 2023 17:43:29.806631088 CET | 103.132.242.26 | 192.168.11.20 | 2278 | (Unknown) | Destination Unreachable |
| Mar 17, 2023 17:43:31.821768999 CET | 103.132.242.26 | 192.168.11.20 | 2278 | (Unknown) | Destination Unreachable |
| Mar 17, 2023 17:43:35.836711884 CET | 103.132.242.26 | 192.168.11.20 | 2278 | (Unknown) | Destination Unreachable |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 0 | 192.168.11.20 | 49810 | 164.90.222.65 | 443 | C:\Windows\System32\regsvr32.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| 2023-03-17 16:42:33 UTC | 0 | OUT | |
| 2023-03-17 16:42:33 UTC | 0 | IN | |
| 2023-03-17 16:42:33 UTC | 0 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 17:41:20 |
| Start date: | 17/03/2023 |
| Path: | C:\Windows\System32\loaddll64.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7a5a40000 |
| File size: | 139776 bytes |
| MD5 hash: | C676FC0263EDD17D4CE7D644B8F3FCD6 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Target ID: | 1 |
| Start time: | 17:41:20 |
| Start date: | 17/03/2023 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff76e060000 |
| File size: | 875008 bytes |
| MD5 hash: | 81CA40085FC75BABD2C91D18AA9FFA68 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Target ID: | 2 |
| Start time: | 17:41:20 |
| Start date: | 17/03/2023 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff785600000 |
| File size: | 289792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Target ID: | 3 |
| Start time: | 17:41:20 |
| Start date: | 17/03/2023 |
| Path: | C:\Windows\System32\regsvr32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff62d2c0000 |
| File size: | 25088 bytes |
| MD5 hash: | B0C2FA35D14A9FAD919E99D9D75E1B9E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | moderate |
| Target ID: | 4 |
| Start time: | 17:41:20 |
| Start date: | 17/03/2023 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6a2320000 |
| File size: | 71680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | moderate |
| Target ID: | 5 |
| Start time: | 17:41:20 |
| Start date: | 17/03/2023 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6a2320000 |
| File size: | 71680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | moderate |
| Target ID: | 7 |
| Start time: | 17:41:22 |
| Start date: | 17/03/2023 |
| Path: | C:\Windows\System32\regsvr32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff62d2c0000 |
| File size: | 25088 bytes |
| MD5 hash: | B0C2FA35D14A9FAD919E99D9D75E1B9E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Target ID: | 8 |
| Start time: | 17:41:22 |
| Start date: | 17/03/2023 |
| Path: | C:\Windows\System32\regsvr32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff62d2c0000 |
| File size: | 25088 bytes |
| MD5 hash: | B0C2FA35D14A9FAD919E99D9D75E1B9E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Target ID: | 9 |
| Start time: | 17:41:22 |
| Start date: | 17/03/2023 |
| Path: | C:\Windows\System32\regsvr32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff62d2c0000 |
| File size: | 25088 bytes |
| MD5 hash: | B0C2FA35D14A9FAD919E99D9D75E1B9E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Target ID: | 10 |
| Start time: | 17:41:23 |
| Start date: | 17/03/2023 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6a2320000 |
| File size: | 71680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
Execution Graph
| Execution Coverage: | 3.5% |
| Dynamic/Decrypted Code Coverage: | 16.4% |
| Signature Coverage: | 19.9% |
| Total number of Nodes: | 146 |
| Total number of Limit Nodes: | 3 |
Graph
Function 01360000 Relevance: 53.5, APIs: 4, Strings: 26, Instructions: 953memoryCOMMON
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0043F160 Relevance: 45.9, APIs: 17, Strings: 9, Instructions: 387threadCOMMON
Control-flow Graph
| C-Code - Quality: 61% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401C80 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 58libraryloaderCOMMON
Control-flow Graph
| C-Code - Quality: 27% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000180013988 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 105processCOMMON
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00448980 Relevance: 1.6, APIs: 1, Instructions: 54COMMON
| C-Code - Quality: 79% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00440BD0 Relevance: 158.6, APIs: 105, Instructions: 1095COMMON
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00440610 Relevance: 51.4, APIs: 34, Instructions: 414COMMON
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00441BA0 Relevance: 19.6, APIs: 13, Instructions: 149COMMON
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 53% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00446AA0 Relevance: 9.1, APIs: 6, Instructions: 106filethreadwindowCOMMON
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 98% |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 90% |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00448C90 Relevance: 5.0, APIs: 4, Instructions: 37memoryCOMMON
| C-Code - Quality: 16% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 97% |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 38% |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 96% |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00420D70 Relevance: 2.7, Strings: 2, Instructions: 231COMMON
| C-Code - Quality: 67% |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 99% |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 99% |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 99% |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 99% |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 99% |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 99% |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 99% |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 99% |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 99% |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 99% |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 99% |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 99% |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 99% |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004082D0 Relevance: 1.7, Strings: 1, Instructions: 421COMMON
| C-Code - Quality: 35% |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0043FC60 Relevance: 1.6, APIs: 1, Instructions: 102COMMON
| C-Code - Quality: 87% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 96% |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 89% |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004111FA Relevance: 1.3, Strings: 1, Instructions: 17COMMON
| C-Code - Quality: 82% |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000018000B258 Relevance: .3, Instructions: 310COMMON
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000180001000 Relevance: .2, Instructions: 238COMMON
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00439760 Relevance: .2, Instructions: 233COMMONCrypto
| C-Code - Quality: 58% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000018001020C Relevance: .2, Instructions: 230COMMON
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00414420 Relevance: .2, Instructions: 213COMMONCrypto
| C-Code - Quality: 99% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000018000BA2C Relevance: .2, Instructions: 192COMMON
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000018001D770 Relevance: .2, Instructions: 191COMMON
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00000001800227EC Relevance: .2, Instructions: 184COMMON
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00414AC0 Relevance: .2, Instructions: 183COMMONCrypto
| C-Code - Quality: 96% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000180003ABC Relevance: .2, Instructions: 173COMMON
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000018001E310 Relevance: .1, Instructions: 141COMMON
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004086C2 Relevance: .1, Instructions: 139COMMON
| C-Code - Quality: 33% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004086DC Relevance: .1, Instructions: 139COMMON
| C-Code - Quality: 33% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004086DE Relevance: .1, Instructions: 139COMMON
| C-Code - Quality: 33% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004086E0 Relevance: .1, Instructions: 139COMMON
| C-Code - Quality: 33% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00408704 Relevance: .1, Instructions: 139COMMON
| C-Code - Quality: 33% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004088B9 Relevance: .1, Instructions: 138COMMON
| C-Code - Quality: 30% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004086C4 Relevance: .1, Instructions: 136COMMON
| C-Code - Quality: 26% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004086C6 Relevance: .1, Instructions: 136COMMON
| C-Code - Quality: 26% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004088B7 Relevance: .1, Instructions: 129COMMON
| C-Code - Quality: 28% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000180002C78 Relevance: .1, Instructions: 128COMMON
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000018000B83C Relevance: .1, Instructions: 119COMMON
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00000001800090F8 Relevance: .1, Instructions: 119COMMON
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000180015CC4 Relevance: .1, Instructions: 107COMMON
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000180025450 Relevance: .1, Instructions: 104COMMON
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000018001CC84 Relevance: .1, Instructions: 86COMMON
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000180018E08 Relevance: .1, Instructions: 65COMMON
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000180014F18 Relevance: .1, Instructions: 60COMMON
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00000001800115C8 Relevance: .1, Instructions: 54COMMON
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004040E5 Relevance: .0, Instructions: 16COMMON
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00410D65 Relevance: .0, Instructions: 16COMMON
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 96% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Execution Graph
| Execution Coverage: | 3.5% |
| Dynamic/Decrypted Code Coverage: | 16.4% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 146 |
| Total number of Limit Nodes: | 3 |
Graph
Function 000001B9186F0000 Relevance: 53.5, APIs: 4, Strings: 26, Instructions: 953memoryCOMMON
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0043F160 Relevance: 45.9, APIs: 17, Strings: 9, Instructions: 387threadCOMMON
Control-flow Graph
| C-Code - Quality: 61% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401C80 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 58libraryloaderCOMMON
Control-flow Graph
| C-Code - Quality: 27% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000180013988 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 105processCOMMON
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00448980 Relevance: 1.6, APIs: 1, Instructions: 54COMMON
| C-Code - Quality: 79% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00440610 Relevance: 51.4, APIs: 34, Instructions: 414COMMON
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00441BA0 Relevance: 19.6, APIs: 13, Instructions: 149COMMON
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 53% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 96% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00446AA0 Relevance: 9.1, APIs: 6, Instructions: 106filethreadwindowCOMMON
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00448C90 Relevance: 5.0, APIs: 4, Instructions: 37memoryCOMMON
| C-Code - Quality: 16% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |