Windows
Analysis Report
file.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- file.exe (PID: 1544 cmdline:
C:\Users\u ser\Deskto p\file.exe MD5: 856572778608242656795BD15CC3683C) - zjlxnt.exe (PID: 5320 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\zjlxnt .exe" C:\U sers\user\ AppData\Lo cal\Temp\a naictjg.ct e MD5: A22E128E1C66E8E76F2F05CA2D81A8F1) - conhost.exe (PID: 4496 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - zjlxnt.exe (PID: 6076 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\zjlxnt. exe MD5: A22E128E1C66E8E76F2F05CA2D81A8F1)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Agent Tesla, AgentTesla | A .NET based keylogger and RAT readily available to actors. Logs keystrokes and the host's clipboard and beacons this information back to the C2. |
{"Exfil Mode": "SMTP", "Host": "us2.smtp.mailhostbox.com", "Username": "log3@forrwel.net", "Password": "HNnNLPY3 "}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Click to jump to signature section
AV Detection |
---|
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Joe Sandbox ML: |
Source: | Avira: | ||
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Compliance |
---|
Source: | Unpacked PE file: |
Source: | Unpacked PE file: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | 0_2_00405D74 | |
Source: | Code function: | 0_2_0040699E | |
Source: | Code function: | 0_2_0040290B | |
Source: | Code function: | 1_2_004089F8 | |
Source: | Code function: | 3_2_00406715 |
Source: | IP Address: |
Source: | TCP traffic: |
Source: | TCP traffic: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | DNS traffic detected: |
Source: | Code function: | 0_2_00405809 |
Source: | Static PE information: |
Source: | Code function: | 0_2_00403640 |
Source: | Code function: | 0_2_00406D5F | |
Source: | Code function: | 1_2_00410371 | |
Source: | Code function: | 3_2_0040CBD1 | |
Source: | Code function: | 3_2_02177238 | |
Source: | Code function: | 3_2_0217C2D0 | |
Source: | Code function: | 3_2_02177E50 | |
Source: | Code function: | 3_2_021702C2 | |
Source: | Code function: | 3_2_02177580 | |
Source: | Code function: | 3_2_0521AA2B |
Source: | ReversingLabs: | ||
Source: | Virustotal: |
Source: | File read: | Jump to behavior |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Code function: | 0_2_00403640 |
Source: | WMI Queries: | ||
Source: | WMI Queries: |
Source: | File created: | Jump to behavior |
Source: | Classification label: |
Source: | Code function: | 0_2_004021AA |
Source: | File read: | Jump to behavior |
Source: | Code function: | 0_2_00404AB5 |
Source: | Section loaded: | Jump to behavior |
Source: | Mutant created: |
Source: | Code function: | 3_2_0040147B |
Source: | Command line argument: | 1_2_00410940 |
Source: | File read: | Jump to behavior | ||
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: |
Data Obfuscation |
---|
Source: | Unpacked PE file: |
Source: | Unpacked PE file: |
Source: | Unpacked PE file: |
Source: | Code function: | 1_2_00410AB7 | |
Source: | Code function: | 3_2_0040D2F4 | |
Source: | Code function: | 3_2_02171B79 |
Source: | File created: | Jump to dropped file |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Malware Analysis System Evasion |
---|
Source: | WMI Queries: |
Source: | WMI Queries: |
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior |
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior |
Source: | Window / User API: | Jump to behavior |
Source: | WMI Queries: | ||
Source: | WMI Queries: |
Source: | Code function: | 0_2_00405D74 | |
Source: | Code function: | 0_2_0040699E | |
Source: | Code function: | 0_2_0040290B | |
Source: | Code function: | 1_2_004089F8 | |
Source: | Code function: | 3_2_00406715 |
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior |
Source: | API call chain: | graph_0-3480 | ||
Source: | API call chain: | graph_3-30853 |
Source: | Code function: | 1_2_0040636B |
Source: | Code function: | 1_2_0040B0AF |
Source: | Process token adjusted: | Jump to behavior |
Source: | Memory allocated: | Jump to behavior |
Source: | Code function: | 1_2_004018F8 | |
Source: | Code function: | 1_2_0040636B | |
Source: | Code function: | 1_2_00401BF3 | |
Source: | Code function: | 1_2_00401796 | |
Source: | Code function: | 3_2_00401E16 | |
Source: | Code function: | 3_2_00401C83 | |
Source: | Code function: | 3_2_004060A4 | |
Source: | Code function: | 3_2_00401F2A |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Section loaded: | Jump to behavior |
Source: | Process created: | Jump to behavior |
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior |
Source: | Code function: | 1_2_00401A05 |
Source: | Key value queried: | Jump to behavior |
Source: | Code function: | 1_2_0040167D |
Source: | Code function: | 0_2_00403640 |
Source: | Code function: | 3_2_0217F418 |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 211 Windows Management Instrumentation | Path Interception | 1 Access Token Manipulation | 1 Disable or Modify Tools | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot |
Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 111 Process Injection | 1 Deobfuscate/Decode Files or Information | 1 Credentials in Registry | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 2 Obfuscated Files or Information | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 31 Software Packing | NTDS | 127 System Information Discovery | Distributed Component Object Model | 1 Clipboard Data | Scheduled Transfer | 11 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 131 Virtualization/Sandbox Evasion | LSA Secrets | 23 Security Software Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Access Token Manipulation | Cached Domain Credentials | 131 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | 111 Process Injection | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 1 System Owner/User Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | 1 Remote System Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
49% | ReversingLabs | Win32.Trojan.Nemesis | ||
48% | Virustotal | Browse | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
42% | ReversingLabs | Win32.Trojan.FormBook | ||
35% | Virustotal | Browse |
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
100% | Avira | TR/Spy.Gen8 | Download File | ||
100% | Avira | TR/Spy.Gen8 | Download File |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
us2.smtp.mailhostbox.com | 208.91.199.224 | true | false | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false | high | |||
false |
| unknown | ||
false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
208.91.199.224 | us2.smtp.mailhostbox.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false |
Joe Sandbox Version: | 37.0.0 Beryl |
Analysis ID: | 830908 |
Start date and time: | 2023-03-20 19:42:10 +01:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 8m 4s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 7 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample file name: | file.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@6/4@1/1 |
EGA Information: |
|
HDC Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
- Not all processes where analyzed, report is missing behavior information
- Report creation exceeded maximum time and may have missing disassembly code information.
- Report size getting too big, too many NtAllocateVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
19:43:17 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
208.91.199.224 | Get hash | malicious | AgentTesla, zgRAT | Browse | ||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | AgentTesla, zgRAT | Browse | |||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | AgentTesla, zgRAT | Browse | |||
Get hash | malicious | AgentTesla, zgRAT | Browse | |||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | AgentTesla | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
us2.smtp.mailhostbox.com | Get hash | malicious | AgentTesla, zgRAT | Browse |
| |
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla, zgRAT | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla, zgRAT | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla, zgRAT | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla, zgRAT | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
PUBLIC-DOMAIN-REGISTRYUS | Get hash | malicious | AgentTesla, zgRAT | Browse |
| |
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla, zgRAT | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla, zgRAT | Browse |
| ||
Get hash | malicious | FormBook | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | FormBook | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
|
Process: | C:\Users\user\Desktop\file.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 6061 |
Entropy (8bit): | 7.152729915217053 |
Encrypted: | false |
SSDEEP: | 96:Farc6oYBg/DrYuvk2XO5oSwsnP+ZjVe9LWKdUdAAU0HJsUV7scbvbz4LUtnnIgAf:FarcRZ3hX1ShnP2jE9LXdEAARpP1rbvy |
MD5: | 8009F662B5AB8050A4F5AEEAE94BA722 |
SHA1: | FE55E206DB001BF178AD87DF2BC4A6A899482D2A |
SHA-256: | 3A5D1645A4DAB4AEF75FA65EC4B7585917C1527C0B913287179168B5EF18147A |
SHA-512: | 6CB0A5BBE859263A2D97745F06AC33952C783314F6B49B7CD387B4276C947BD51EF9ADE02CEC2F0D5E38561B9895CF6DB1262F2790E1530A9FCC33879C139E26 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\file.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 381886 |
Entropy (8bit): | 7.672264691913513 |
Encrypted: | false |
SSDEEP: | 6144:Ntm1Z1J8zN5MoAqIIGXyCk4642/VGan7ZhhlqbK88SlI5NX1GKGsGZExocCp:NI1ix5lAmxd4P27VKlGNX1GKGsHG |
MD5: | BD05EB6029978E8A69332B07B4334349 |
SHA1: | 990D883D1827493EB50825719F585D1ABC1113FB |
SHA-256: | 02D5CDB8D67E1003EA4A6134F8C935F7EABAEF5761AB25362353400F7892483A |
SHA-512: | E6DB920547761D9E66448305DFE1984AE553DDC4DD52C50526854146C2E052604A11F4A048EA03CABB257900A1175B681AE300EA653B2D463B7CCBE026D95A19 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\file.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 268841 |
Entropy (8bit): | 7.971116927383392 |
Encrypted: | false |
SSDEEP: | 6144:Stm1Z1J8zN5MoAqIIGXyCk4642/VGan7ZhhlqbK88SlI5NF:SI1ix5lAmxd4P27VKlGNF |
MD5: | 3D14489C8EE3D764649F70D1A27542F9 |
SHA1: | 59E98B00E554B4E30DEF17AEBF731571F88CBFCE |
SHA-256: | 0645F4AF22D167E907F2C7CEA114D05CB45CF3CE639CECD67E66DE9D0E190701 |
SHA-512: | 65457B732E118EFA58971F670D3E6D335983914603BA84F0C774786A777C5778BD3506C76393585E55B6D7790167E2A5DECC745015452BF229FC38ED71126076 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\file.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 95744 |
Entropy (8bit): | 6.226201646790148 |
Encrypted: | false |
SSDEEP: | 1536:+0ZlV4KXc4OxQEsGZDmS+jtBaK/eRuZocSZUpxwkyBp+NnFsSW81kxgsWJjcdvwk:Ld4KALsGZDN+x/yuZocSTkyBw9y8eASd |
MD5: | A22E128E1C66E8E76F2F05CA2D81A8F1 |
SHA1: | 589A59B124FACC5A045FA99B334E476415E57CA2 |
SHA-256: | EE05F69606802B01D1FA5BB8BC43885F7F5F66C53893DE380F9026CD3AFAA79D |
SHA-512: | C646ED13AA87FC2345AAE5AC640CD6E3A4B46B780045C86F4A384F4AFFD7E9FD510D7F50ECF2AFBFB12F34734997077E4DC7DC46B1222A8EDE0D0D793F77468B |
Malicious: | true |
Antivirus: |
|
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 7.932397161868976 |
TrID: |
|
File name: | file.exe |
File size: | 316557 |
MD5: | 856572778608242656795bd15cc3683c |
SHA1: | ef79e01019b9518fa82e8dc628d416cd9ccd7817 |
SHA256: | be316d90b0e5c1f88f32fa6dc7cf5b2c760c8ea63e7ddec3e2303cccf8ae25f9 |
SHA512: | df6e4621f566ba7f067e44f87fec3b0f7350a45b71d8401e3c1eeae0c82b24594bdc54e68787e61fd53193afbc31a85c0f5c90accf606fddf0fa59f6b591f077 |
SSDEEP: | 6144:vYa6mUhRSVGVVj8vjpxMegWObBb3vztdsPTtH2vkcikg5JjzPw4312:vYYC0VGHWjpxTgDbBdebl2vkciksA |
TLSH: | B964122427E4C593C4E342317C3A9AE5A8F9FA2B1560E70F276033587935AA1E70E323 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................h...*..... |
Icon Hash: | b2a88c96b2ca6a72 |
Entrypoint: | 0x403640 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x614F9B1F [Sat Sep 25 21:56:47 2021 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 61259b55b8912888e90f516ca08dc514 |
Instruction |
---|
push ebp |
mov ebp, esp |
sub esp, 000003F4h |
push ebx |
push esi |
push edi |
push 00000020h |
pop edi |
xor ebx, ebx |
push 00008001h |
mov dword ptr [ebp-14h], ebx |
mov dword ptr [ebp-04h], 0040A230h |
mov dword ptr [ebp-10h], ebx |
call dword ptr [004080C8h] |
mov esi, dword ptr [004080CCh] |
lea eax, dword ptr [ebp-00000140h] |
push eax |
mov dword ptr [ebp-0000012Ch], ebx |
mov dword ptr [ebp-2Ch], ebx |
mov dword ptr [ebp-28h], ebx |
mov dword ptr [ebp-00000140h], 0000011Ch |
call esi |
test eax, eax |
jne 00007F413CC5844Ah |
lea eax, dword ptr [ebp-00000140h] |
mov dword ptr [ebp-00000140h], 00000114h |
push eax |
call esi |
mov ax, word ptr [ebp-0000012Ch] |
mov ecx, dword ptr [ebp-00000112h] |
sub ax, 00000053h |
add ecx, FFFFFFD0h |
neg ax |
sbb eax, eax |
mov byte ptr [ebp-26h], 00000004h |
not eax |
and eax, ecx |
mov word ptr [ebp-2Ch], ax |
cmp dword ptr [ebp-0000013Ch], 0Ah |
jnc 00007F413CC5841Ah |
and word ptr [ebp-00000132h], 0000h |
mov eax, dword ptr [ebp-00000134h] |
movzx ecx, byte ptr [ebp-00000138h] |
mov dword ptr [0042A318h], eax |
xor eax, eax |
mov ah, byte ptr [ebp-0000013Ch] |
movzx eax, ax |
or eax, ecx |
xor ecx, ecx |
mov ch, byte ptr [ebp-2Ch] |
movzx ecx, cx |
shl eax, 10h |
or eax, ecx |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3b000 | 0xcd8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x6676 | 0x6800 | False | 0.6568134014423077 | data | 6.4174599871908855 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x8000 | 0x139a | 0x1400 | False | 0.4498046875 | data | 5.141066817170598 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xa000 | 0x20378 | 0x600 | False | 0.509765625 | data | 4.110582127654237 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.ndata | 0x2b000 | 0x10000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x3b000 | 0xcd8 | 0xe00 | False | 0.4224330357142857 | data | 4.220947409031048 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x3b1d8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States |
RT_DIALOG | 0x3b4c0 | 0x100 | data | English | United States |
RT_DIALOG | 0x3b5c0 | 0x11c | data | English | United States |
RT_DIALOG | 0x3b6e0 | 0x60 | data | English | United States |
RT_GROUP_ICON | 0x3b740 | 0x14 | data | English | United States |
RT_VERSION | 0x3b758 | 0x23c | data | English | United States |
RT_MANIFEST | 0x3b998 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States |
DLL | Import |
---|---|
ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW |
SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW |
ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree |
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked |
USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu |
GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject |
KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 20, 2023 19:43:18.322552919 CET | 49703 | 587 | 192.168.2.5 | 208.91.199.224 |
Mar 20, 2023 19:43:18.508263111 CET | 587 | 49703 | 208.91.199.224 | 192.168.2.5 |
Mar 20, 2023 19:43:18.508500099 CET | 49703 | 587 | 192.168.2.5 | 208.91.199.224 |
Mar 20, 2023 19:43:19.077830076 CET | 587 | 49703 | 208.91.199.224 | 192.168.2.5 |
Mar 20, 2023 19:43:19.079662085 CET | 49703 | 587 | 192.168.2.5 | 208.91.199.224 |
Mar 20, 2023 19:43:19.264877081 CET | 587 | 49703 | 208.91.199.224 | 192.168.2.5 |
Mar 20, 2023 19:43:19.265360117 CET | 587 | 49703 | 208.91.199.224 | 192.168.2.5 |
Mar 20, 2023 19:43:19.265678883 CET | 49703 | 587 | 192.168.2.5 | 208.91.199.224 |
Mar 20, 2023 19:43:19.451806068 CET | 587 | 49703 | 208.91.199.224 | 192.168.2.5 |
Mar 20, 2023 19:43:19.501507044 CET | 49703 | 587 | 192.168.2.5 | 208.91.199.224 |
Mar 20, 2023 19:43:19.687264919 CET | 587 | 49703 | 208.91.199.224 | 192.168.2.5 |
Mar 20, 2023 19:43:19.687323093 CET | 587 | 49703 | 208.91.199.224 | 192.168.2.5 |
Mar 20, 2023 19:43:19.687382936 CET | 587 | 49703 | 208.91.199.224 | 192.168.2.5 |
Mar 20, 2023 19:43:19.687422037 CET | 587 | 49703 | 208.91.199.224 | 192.168.2.5 |
Mar 20, 2023 19:43:19.687428951 CET | 49703 | 587 | 192.168.2.5 | 208.91.199.224 |
Mar 20, 2023 19:43:19.687489986 CET | 49703 | 587 | 192.168.2.5 | 208.91.199.224 |
Mar 20, 2023 19:43:19.690313101 CET | 587 | 49703 | 208.91.199.224 | 192.168.2.5 |
Mar 20, 2023 19:43:19.872652054 CET | 587 | 49703 | 208.91.199.224 | 192.168.2.5 |
Mar 20, 2023 19:43:19.872816086 CET | 49703 | 587 | 192.168.2.5 | 208.91.199.224 |
Mar 20, 2023 19:43:19.936322927 CET | 49703 | 587 | 192.168.2.5 | 208.91.199.224 |
Mar 20, 2023 19:43:20.122263908 CET | 587 | 49703 | 208.91.199.224 | 192.168.2.5 |
Mar 20, 2023 19:43:20.190968990 CET | 49703 | 587 | 192.168.2.5 | 208.91.199.224 |
Mar 20, 2023 19:43:20.376351118 CET | 587 | 49703 | 208.91.199.224 | 192.168.2.5 |
Mar 20, 2023 19:43:20.377393007 CET | 49703 | 587 | 192.168.2.5 | 208.91.199.224 |
Mar 20, 2023 19:43:20.566237926 CET | 587 | 49703 | 208.91.199.224 | 192.168.2.5 |
Mar 20, 2023 19:43:20.566880941 CET | 49703 | 587 | 192.168.2.5 | 208.91.199.224 |
Mar 20, 2023 19:43:20.757528067 CET | 587 | 49703 | 208.91.199.224 | 192.168.2.5 |
Mar 20, 2023 19:43:20.757951021 CET | 49703 | 587 | 192.168.2.5 | 208.91.199.224 |
Mar 20, 2023 19:43:20.946297884 CET | 587 | 49703 | 208.91.199.224 | 192.168.2.5 |
Mar 20, 2023 19:43:20.947021961 CET | 49703 | 587 | 192.168.2.5 | 208.91.199.224 |
Mar 20, 2023 19:43:21.157416105 CET | 587 | 49703 | 208.91.199.224 | 192.168.2.5 |
Mar 20, 2023 19:43:21.157855034 CET | 49703 | 587 | 192.168.2.5 | 208.91.199.224 |
Mar 20, 2023 19:43:21.344383001 CET | 587 | 49703 | 208.91.199.224 | 192.168.2.5 |
Mar 20, 2023 19:43:21.346679926 CET | 49703 | 587 | 192.168.2.5 | 208.91.199.224 |
Mar 20, 2023 19:43:21.346805096 CET | 49703 | 587 | 192.168.2.5 | 208.91.199.224 |
Mar 20, 2023 19:43:21.346874952 CET | 49703 | 587 | 192.168.2.5 | 208.91.199.224 |
Mar 20, 2023 19:43:21.346931934 CET | 49703 | 587 | 192.168.2.5 | 208.91.199.224 |
Mar 20, 2023 19:43:21.532103062 CET | 587 | 49703 | 208.91.199.224 | 192.168.2.5 |
Mar 20, 2023 19:43:21.532279968 CET | 587 | 49703 | 208.91.199.224 | 192.168.2.5 |
Mar 20, 2023 19:43:21.666341066 CET | 587 | 49703 | 208.91.199.224 | 192.168.2.5 |
Mar 20, 2023 19:43:21.906209946 CET | 49703 | 587 | 192.168.2.5 | 208.91.199.224 |
Mar 20, 2023 19:43:22.080671072 CET | 587 | 49703 | 208.91.199.224 | 192.168.2.5 |
Mar 20, 2023 19:43:22.080802917 CET | 49703 | 587 | 192.168.2.5 | 208.91.199.224 |
Mar 20, 2023 19:44:58.259578943 CET | 49703 | 587 | 192.168.2.5 | 208.91.199.224 |
Mar 20, 2023 19:44:58.445679903 CET | 587 | 49703 | 208.91.199.224 | 192.168.2.5 |
Mar 20, 2023 19:44:58.446547985 CET | 587 | 49703 | 208.91.199.224 | 192.168.2.5 |
Mar 20, 2023 19:44:58.446655989 CET | 49703 | 587 | 192.168.2.5 | 208.91.199.224 |
Mar 20, 2023 19:44:58.459429979 CET | 49703 | 587 | 192.168.2.5 | 208.91.199.224 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 20, 2023 19:43:18.274879932 CET | 61893 | 53 | 192.168.2.5 | 8.8.8.8 |
Mar 20, 2023 19:43:18.297280073 CET | 53 | 61893 | 8.8.8.8 | 192.168.2.5 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Mar 20, 2023 19:43:18.274879932 CET | 192.168.2.5 | 8.8.8.8 | 0x9af3 | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Mar 20, 2023 19:43:18.297280073 CET | 8.8.8.8 | 192.168.2.5 | 0x9af3 | No error (0) | 208.91.199.224 | A (IP address) | IN (0x0001) | false | ||
Mar 20, 2023 19:43:18.297280073 CET | 8.8.8.8 | 192.168.2.5 | 0x9af3 | No error (0) | 208.91.199.223 | A (IP address) | IN (0x0001) | false | ||
Mar 20, 2023 19:43:18.297280073 CET | 8.8.8.8 | 192.168.2.5 | 0x9af3 | No error (0) | 208.91.198.143 | A (IP address) | IN (0x0001) | false | ||
Mar 20, 2023 19:43:18.297280073 CET | 8.8.8.8 | 192.168.2.5 | 0x9af3 | No error (0) | 208.91.199.225 | A (IP address) | IN (0x0001) | false |
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
---|---|---|---|---|---|
Mar 20, 2023 19:43:19.077830076 CET | 587 | 49703 | 208.91.199.224 | 192.168.2.5 | 220 us2.outbound.mailhostbox.com ESMTP Postfix |
Mar 20, 2023 19:43:19.079662085 CET | 49703 | 587 | 192.168.2.5 | 208.91.199.224 | EHLO 035347 |
Mar 20, 2023 19:43:19.265360117 CET | 587 | 49703 | 208.91.199.224 | 192.168.2.5 | 250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING |
Mar 20, 2023 19:43:19.265678883 CET | 49703 | 587 | 192.168.2.5 | 208.91.199.224 | STARTTLS |
Mar 20, 2023 19:43:19.451806068 CET | 587 | 49703 | 208.91.199.224 | 192.168.2.5 | 220 2.0.0 Ready to start TLS |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
Target ID: | 0 |
Start time: | 19:43:07 |
Start date: | 20/03/2023 |
Path: | C:\Users\user\Desktop\file.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 316557 bytes |
MD5 hash: | 856572778608242656795BD15CC3683C |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Target ID: | 1 |
Start time: | 19:43:08 |
Start date: | 20/03/2023 |
Path: | C:\Users\user\AppData\Local\Temp\zjlxnt.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 95744 bytes |
MD5 hash: | A22E128E1C66E8E76F2F05CA2D81A8F1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Antivirus matches: |
|
Reputation: | low |
Target ID: | 2 |
Start time: | 19:43:08 |
Start date: | 20/03/2023 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7fcd70000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 3 |
Start time: | 19:43:09 |
Start date: | 20/03/2023 |
Path: | C:\Users\user\AppData\Local\Temp\zjlxnt.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 95744 bytes |
MD5 hash: | A22E128E1C66E8E76F2F05CA2D81A8F1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: |
|
Reputation: | low |
Execution Graph
Execution Coverage: | 15.9% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 16.4% |
Total number of Nodes: | 1385 |
Total number of Limit Nodes: | 25 |
Graph
Function 00403640 Relevance: 84.4, APIs: 34, Strings: 14, Instructions: 450stringfilecomCOMMON
Control-flow Graph
C-Code - Quality: 78% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405D74 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148filestringCOMMON
Control-flow Graph
C-Code - Quality: 98% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00406D5F Relevance: 5.4, APIs: 4, Instructions: 382COMMONCrypto
Control-flow Graph
C-Code - Quality: 98% |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040699E Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON
C-Code - Quality: 100% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004040C5 Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 357windowstringCOMMON
Control-flow Graph
C-Code - Quality: 84% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00403D17 Relevance: 44.0, APIs: 13, Strings: 12, Instructions: 215stringregistryCOMMON
Control-flow Graph
C-Code - Quality: 96% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004030D0 Relevance: 23.0, APIs: 5, Strings: 8, Instructions: 204memoryCOMMON
Control-flow Graph
C-Code - Quality: 98% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040176F Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 145stringtimeCOMMON
Control-flow Graph
C-Code - Quality: 77% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004069C5 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON
Control-flow Graph
C-Code - Quality: 100% |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
C-Code - Quality: 100% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
C-Code - Quality: 100% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
C-Code - Quality: 100% |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040603F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON
Control-flow Graph
C-Code - Quality: 53% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00407194 Relevance: 5.2, APIs: 4, Instructions: 236COMMON
Control-flow Graph
C-Code - Quality: 99% |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00407395 Relevance: 5.2, APIs: 4, Instructions: 208COMMON
Control-flow Graph
C-Code - Quality: 98% |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004070AB Relevance: 5.2, APIs: 4, Instructions: 205COMMON
Control-flow Graph
C-Code - Quality: 98% |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00406BB0 Relevance: 5.2, APIs: 4, Instructions: 198COMMON
C-Code - Quality: 98% |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00406FFE Relevance: 5.2, APIs: 4, Instructions: 180COMMON
C-Code - Quality: 98% |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040711C Relevance: 5.2, APIs: 4, Instructions: 170COMMON
C-Code - Quality: 98% |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00407068 Relevance: 5.2, APIs: 4, Instructions: 168COMMON
C-Code - Quality: 98% |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00403479 Relevance: 4.6, APIs: 3, Instructions: 101COMMON
C-Code - Quality: 93% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405D2C Relevance: 4.5, APIs: 3, Instructions: 28fileCOMMON
C-Code - Quality: 41% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00403371 Relevance: 3.1, APIs: 2, Instructions: 88COMMON
C-Code - Quality: 92% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004015C1 Relevance: 3.1, APIs: 2, Instructions: 65COMMON
C-Code - Quality: 86% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON
C-Code - Quality: 69% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405C4B Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON
C-Code - Quality: 100% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00406158 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
C-Code - Quality: 68% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00406133 Relevance: 3.0, APIs: 2, Instructions: 13COMMON
C-Code - Quality: 100% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405C16 Relevance: 3.0, APIs: 2, Instructions: 9COMMON
C-Code - Quality: 100% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040620A Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004061DB Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004035F8 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401FA4 Relevance: 1.3, APIs: 1, Instructions: 37COMMON
C-Code - Quality: 78% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405809 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284windowclipboardmemoryCOMMON
C-Code - Quality: 95% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00404AB5 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON
C-Code - Quality: 78% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004021AA Relevance: 1.6, APIs: 1, Instructions: 129comCOMMON
C-Code - Quality: 67% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040290B Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON
C-Code - Quality: 39% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405031 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON
C-Code - Quality: 96% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00404783 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204windowstringCOMMON
C-Code - Quality: 91% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004062AE Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 130memorystringCOMMON
C-Code - Quality: 100% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 90% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004066A5 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 196stringCOMMON
C-Code - Quality: 72% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004056CA Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72stringwindowCOMMON
C-Code - Quality: 100% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040462B Relevance: 12.1, APIs: 8, Instructions: 68COMMON
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004026EC Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON
C-Code - Quality: 87% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 91% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00404F7F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
C-Code - Quality: 100% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00402F93 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON
C-Code - Quality: 100% |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 93% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00404E71 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON
C-Code - Quality: 77% |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 48% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401D81 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON
C-Code - Quality: 77% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401E4E Relevance: 7.5, APIs: 5, Instructions: 43COMMON
C-Code - Quality: 73% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401C43 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON
C-Code - Quality: 59% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00406536 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44registryCOMMON
C-Code - Quality: 91% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405F37 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
C-Code - Quality: 58% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040563E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON
C-Code - Quality: 89% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004060BD Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Execution Graph
Execution Coverage: | 7.4% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 0.8% |
Total number of Nodes: | 1697 |
Total number of Limit Nodes: | 44 |
Graph
Function 004018F8 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Control-flow Graph
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040C3B7 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273COMMONLIBRARYCODE
Control-flow Graph
C-Code - Quality: 38% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
C-Code - Quality: 78% |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401000 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 74memoryCOMMON
Control-flow Graph
C-Code - Quality: 77% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00407991 Relevance: 3.1, APIs: 2, Instructions: 65COMMON
Control-flow Graph
C-Code - Quality: 86% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
C-Code - Quality: 88% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004040D2 Relevance: 1.7, APIs: 1, Instructions: 157COMMON
Control-flow Graph
C-Code - Quality: 93% |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00407F0D Relevance: 1.6, APIs: 1, Instructions: 54COMMON
Control-flow Graph
C-Code - Quality: 72% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00408637 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE
Control-flow Graph
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040636B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77COMMONLIBRARYCODE
C-Code - Quality: 81% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401796 Relevance: 6.1, APIs: 4, Instructions: 73COMMON
C-Code - Quality: 85% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401A05 Relevance: 1.6, APIs: 1, Instructions: 147COMMON
C-Code - Quality: 88% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040B0AF Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040333B Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE
C-Code - Quality: 71% |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040E7BE Relevance: 12.2, APIs: 8, Instructions: 248COMMON
C-Code - Quality: 82% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 68% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040AC14 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
C-Code - Quality: 100% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 82% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405907 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
C-Code - Quality: 25% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040DA04 Relevance: 7.7, APIs: 5, Instructions: 197COMMON
C-Code - Quality: 58% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 63% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00402633 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
C-Code - Quality: 100% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 77% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 66% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00408798 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00409AD3 Relevance: 6.1, APIs: 4, Instructions: 74COMMON
C-Code - Quality: 17% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004036E0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE
C-Code - Quality: 65% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Execution Graph
Execution Coverage: | 11.7% |
Dynamic/Decrypted Code Coverage: | 58.5% |
Signature Coverage: | 4.8% |
Total number of Nodes: | 188 |
Total number of Limit Nodes: | 14 |
Graph
Control-flow Graph
C-Code - Quality: 100% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0217F418 Relevance: 1.6, APIs: 1, Instructions: 132COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401E16 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Control-flow Graph
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 05213648 Relevance: 6.1, APIs: 4, Instructions: 129threadCOMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 05213658 Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0217F40C Relevance: 1.6, APIs: 1, Instructions: 137COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 053FB1B9 Relevance: 1.6, APIs: 1, Instructions: 129COMMON
Control-flow Graph
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0217223C Relevance: 1.6, APIs: 1, Instructions: 97libraryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0217455C Relevance: 1.6, APIs: 1, Instructions: 97libraryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 05213878 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 05213880 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0521A901 Relevance: 1.6, APIs: 1, Instructions: 50COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004064AE Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE
Control-flow Graph
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0080D5E8 Relevance: .1, Instructions: 75COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0081D01C Relevance: .1, Instructions: 72COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0080D5E3 Relevance: .1, Instructions: 56COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0081D017 Relevance: .1, Instructions: 53COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0080D01D Relevance: .0, Instructions: 45COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0080D01C Relevance: .0, Instructions: 36COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 85% |
|
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004038EB Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE
C-Code - Quality: 71% |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 53% |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004082D3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
C-Code - Quality: 100% |
|
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 82% |
|
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00404F84 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
C-Code - Quality: 25% |
|
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00409AC0 Relevance: 7.7, APIs: 5, Instructions: 197COMMON
C-Code - Quality: 58% |
|
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00402BE3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
C-Code - Quality: 100% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 78% |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 66% |
|
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 89% |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00403C90 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE
C-Code - Quality: 65% |
|
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004018D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE
C-Code - Quality: 91% |
|
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |