Edit tour
Windows
Analysis Report
MqN5lD3LGo.exe
Overview
General Information
| Sample name: | MqN5lD3LGo.exerenamed because original name is a hash value |
| Original sample name: | c6c9f27d335d4e47b5ea12653e806be6.exe |
| Analysis ID: | 1462554 |
| MD5: | c6c9f27d335d4e47b5ea12653e806be6 |
| SHA1: | e53242d463e2c94383ec646e7e04504b96b4d176 |
| SHA256: | 514efbae5faa43878c743c3db36f81c25ab5d6da93b879b6e88e7a63b1b19769 |
| Tags: | 32exetrojan |
| Infos: |  |
 | |
Detection
RisePro Stealer
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Machine Learning detection for sample
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Classification
- System is w10x64
MqN5lD3LGo.exe (PID: 4508 cmdline: "C:\Users\ user\Deskt op\MqN5lD3 LGo.exe" MD5: C6C9F27D335D4E47B5EA12653E806BE6) 
conhost.exe (PID: 6576 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - RegAsm.exe (PID: 4012 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Asm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13) 
WerFault.exe (PID: 3536 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 4 508 -s 308 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
⊘No Sigma rule has matched
| Timestamp: | 06/25/24-18:12:57.603058 |
| SID: | 2049060 |
| Source Port: | 49705 |
| Destination Port: | 50500 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 06/25/24-18:12:58.145124 |
| SID: | 2046266 |
| Source Port: | 50500 |
| Destination Port: | 49705 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 06/25/24-18:16:59.942935 |
| SID: | 2046269 |
| Source Port: | 49705 |
| Destination Port: | 50500 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Code function: | 3_2_004C6B00 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_000CC8CD | |
| Source: | Code function: | 3_2_004C6000 | |
| Source: | Code function: | 3_2_00432022 | |
| Source: | Code function: | 3_2_004E6770 | |
| Source: | Code function: | 3_2_004938D0 | |
| Source: | Code function: | 3_2_00493B60 | |
| Source: | Code function: | 3_2_0044FC2F | |
| Source: | Code function: | 3_2_004DFF00 | |
| Source: | Code function: | 3_2_00431F9C | |
Networking | |
|---|
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | TCP traffic: | ||
| Source: | IP Address: | ||
| Source: | ASN Name: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 3_2_004C8590 | |
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Process Stats: | ||
| Source: | Code function: | 0_2_000D09FC | |
| Source: | Code function: | 0_2_000C2C20 | |
| Source: | Code function: | 0_2_000CBC92 | |
| Source: | Code function: | 0_2_000D0DD4 | |
| Source: | Code function: | 0_2_000BFF04 | |
| Source: | Code function: | 0_2_000C7782 | |
| Source: | Code function: | 3_2_004E4BD0 | |
| Source: | Code function: | 3_2_0044002D | |
| Source: | Code function: | 3_2_005220D0 | |
| Source: | Code function: | 3_2_004F60E0 | |
| Source: | Code function: | 3_2_004C00A0 | |
| Source: | Code function: | 3_2_004EE170 | |
| Source: | Code function: | 3_2_00508120 | |
| Source: | Code function: | 3_2_004A6250 | |
| Source: | Code function: | 3_2_00512260 | |
| Source: | Code function: | 3_2_0040A2C0 | |
| Source: | Code function: | 3_2_0050A2B0 | |
| Source: | Code function: | 3_2_0044036F | |
| Source: | Code function: | 3_2_004A4320 | |
| Source: | Code function: | 3_2_004BE3C0 | |
| Source: | Code function: | 3_2_004F0450 | |
| Source: | Code function: | 3_2_004DE430 | |
| Source: | Code function: | 3_2_004B84D0 | |
| Source: | Code function: | 3_2_004FA480 | |
| Source: | Code function: | 3_2_00514550 | |
| Source: | Code function: | 3_2_004F85F0 | |
| Source: | Code function: | 3_2_00490600 | |
| Source: | Code function: | 3_2_00452610 | |
| Source: | Code function: | 3_2_005486C0 | |
| Source: | Code function: | 3_2_004E06D0 | |
| Source: | Code function: | 3_2_004547BF | |
| Source: | Code function: | 3_2_004F2820 | |
| Source: | Code function: | 3_2_004A88B0 | |
| Source: | Code function: | 3_2_0043C960 | |
| Source: | Code function: | 3_2_00546970 | |
| Source: | Code function: | 3_2_0043A928 | |
| Source: | Code function: | 3_2_004FA930 | |
| Source: | Code function: | 3_2_004F8B40 | |
| Source: | Code function: | 3_2_00500BA0 | |
| Source: | Code function: | 3_2_00458BB0 | |
| Source: | Code function: | 3_2_004EEC40 | |
| Source: | Code function: | 3_2_00534D40 | |
| Source: | Code function: | 3_2_004FAD00 | |
| Source: | Code function: | 3_2_00546D20 | |
| Source: | Code function: | 3_2_0053AE20 | |
| Source: | Code function: | 3_2_00458E30 | |
| Source: | Code function: | 3_2_00506EA0 | |
| Source: | Code function: | 3_2_00516EA0 | |
| Source: | Code function: | 3_2_004ECF20 | |
| Source: | Code function: | 3_2_004F2FD0 | |
| Source: | Code function: | 3_2_004D70F0 | |
| Source: | Code function: | 3_2_00493080 | |
| Source: | Code function: | 3_2_004371A0 | |
| Source: | Code function: | 3_2_005031A0 | |
| Source: | Code function: | 3_2_004A9380 | |
| Source: | Code function: | 3_2_004D1450 | |
| Source: | Code function: | 3_2_0053F550 | |
| Source: | Code function: | 3_2_0042F580 | |
| Source: | Code function: | 3_2_0048F590 | |
| Source: | Code function: | 3_2_004B3600 | |
| Source: | Code function: | 3_2_004A3610 | |
| Source: | Code function: | 3_2_004B1630 | |
| Source: | Code function: | 3_2_00547760 | |
| Source: | Code function: | 3_2_004F7730 | |
| Source: | Code function: | 3_2_004E77E0 | |
| Source: | Code function: | 3_2_00495790 | |
| Source: | Code function: | 3_2_005397B0 | |
| Source: | Code function: | 3_2_004F7960 | |
| Source: | Code function: | 3_2_0047B970 | |
| Source: | Code function: | 3_2_004EF9A0 | |
| Source: | Code function: | 3_2_004CBAC0 | |
| Source: | Code function: | 3_2_0044DA86 | |
| Source: | Code function: | 3_2_004A9B50 | |
| Source: | Code function: | 3_2_00493B60 | |
| Source: | Code function: | 3_2_004ADB20 | |
| Source: | Code function: | 3_2_0051DBB0 | |
| Source: | Code function: | 3_2_004EFC40 | |
| Source: | Code function: | 3_2_004F7C00 | |
| Source: | Code function: | 3_2_00503CC0 | |
| Source: | Code function: | 3_2_00409C90 | |
| Source: | Code function: | 3_2_004F9D70 | |
| Source: | Code function: | 3_2_004F7D00 | |
| Source: | Code function: | 3_2_00545DE0 | |
| Source: | Code function: | 3_2_00541F00 | |
| Source: | Code function: | 3_2_004C1F20 | |
| Source: | Code function: | 3_2_00501FE0 | |
| Source: | Code function: | 3_2_004FFFA0 | |
| Source: | Process created: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 3_2_005447E0 | |
| Source: | Code function: | 3_2_00544A40 | |
| Source: | Code function: | 3_2_004E06D0 | |
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | ReversingLabs: | ||
| Source: | String found in binary or memory: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 3_2_004CF280 | |
| Source: | Code function: | 0_2_000B9AC2 | |
| Source: | Code function: | 3_2_00433F6C | |
| Source: | Code function: | 3_2_004EE170 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | Sandbox detection routine: | graph_3-78728 | ||
| Source: | Evasive API call chain: | graph_3-78729 | ||
| Source: | Stalling execution: | graph_3-79174 | ||
| Source: | Code function: | 3_2_0045DB00 | |
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Decision node followed by non-executed suspicious API: | graph_3-79221 | ||
| Source: | Evasive API call chain: | graph_3-79855 | ||
| Source: | API coverage: | ||
| Source: | API coverage: | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Code function: | 3_2_005449B0 | |
| Source: | Code function: | 0_2_000CC8CD | |
| Source: | Code function: | 3_2_004C6000 | |
| Source: | Code function: | 3_2_00432022 | |
| Source: | Code function: | 3_2_004E6770 | |
| Source: | Code function: | 3_2_004938D0 | |
| Source: | Code function: | 3_2_00493B60 | |
| Source: | Code function: | 3_2_0044FC2F | |
| Source: | Code function: | 3_2_004DFF00 | |
| Source: | Code function: | 3_2_00431F9C | |
| Source: | Code function: | 3_2_004580D8 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_000BDED3 | |
| Source: | Code function: | 3_2_004CF280 | |
| Source: | Code function: | 0_2_000C3A8C | |
| Source: | Code function: | 0_2_000C85C5 | |
| Source: | Code function: | 3_2_0045DB00 | |
| Source: | Code function: | 3_2_0045DB00 | |
| Source: | Code function: | 3_2_004D6280 | |
| Source: | Code function: | 3_2_004C86C0 | |
| Source: | Code function: | 3_2_004C6D80 | |
| Source: | Code function: | 3_2_004D3070 | |
| Source: | Code function: | 3_2_00495790 | |
| Source: | Code function: | 0_2_000CDAB5 | |
| Source: | Code function: | 0_2_000BA04B | |
| Source: | Code function: | 0_2_000BA105 | |
| Source: | Code function: | 0_2_000BDED3 | |
| Source: | Code function: | 0_2_000B9EEF | |
| Source: | Code function: | 3_2_00434184 | |
| Source: | Code function: | 3_2_00434311 | |
| Source: | Code function: | 3_2_0043451D | |
| Source: | Code function: | 3_2_00438A64 | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Code function: | 0_2_007F018D | |
| Source: | Code function: | 3_2_004CF280 | |
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_000B9C95 | |
| Source: | Code function: | 0_2_000D0033 | |
| Source: | Code function: | 0_2_000CF8CA | |
| Source: | Code function: | 0_2_000C70FB | |
| Source: | Code function: | 0_2_000CF971 | |
| Source: | Code function: | 0_2_000CF9BC | |
| Source: | Code function: | 0_2_000CFA57 | |
| Source: | Code function: | 0_2_000CFAE2 | |
| Source: | Code function: | 0_2_000C6BD5 | |
| Source: | Code function: | 0_2_000CFD35 | |
| Source: | Code function: | 0_2_000CFE5E | |
| Source: | Code function: | 0_2_000CF6CF | |
| Source: | Code function: | 0_2_000CFF64 | |
| Source: | Code function: | 3_2_004E06D0 | |
| Source: | Code function: | 3_2_00452B5A | |
| Source: | Code function: | 3_2_00452D5F | |
| Source: | Code function: | 3_2_00452E51 | |
| Source: | Code function: | 3_2_00452E06 | |
| Source: | Code function: | 3_2_00452EEC | |
| Source: | Code function: | 3_2_00452F77 | |
| Source: | Code function: | 3_2_004531CA | |
| Source: | Code function: | 3_2_0044B1B1 | |
| Source: | Code function: | 3_2_004532F3 | |
| Source: | Code function: | 3_2_004533F9 | |
| Source: | Code function: | 3_2_004534CF | |
| Source: | Code function: | 3_2_0044B734 | |
| Source: | Code function: | 3_2_00431D94 | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_000BA302 | |
| Source: | Code function: | 3_2_004E06D0 | |
| Source: | Code function: | 3_2_004E06D0 | |
| Source: | Code function: | 3_2_005447E0 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 511 Process Injection | 12 Virtualization/Sandbox Evasion | OS Credential Dumping | 12 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 12 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 511 Process Injection | LSASS Memory | 151 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 12 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 Account Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 System Owner/User Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 1 File and Directory Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 36 System Information Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 74% | ReversingLabs | Win32.Trojan.LummaStealer | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
⊘No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 5.42.67.8 | unknown | Russian Federation | 39493 | RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | true |
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1462554 |
| Start date and time: | 2024-06-25 18:12:07 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 7m 22s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 10 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | MqN5lD3LGo.exerenamed because original name is a hash value |
| Original Sample Name: | c6c9f27d335d4e47b5ea12653e806be6.exe |
| Detection: | MAL |
| Classification: | mal100.troj.evad.winEXE@5/6@0/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 20.42.73.29
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- VT rate limit hit for: MqN5lD3LGo.exe
| Time | Type | Description |
|---|---|---|
| 12:13:13 | API Interceptor | |
| 12:13:29 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 5.42.67.8 | Get hash | malicious | LummaC, RisePro Stealer, Vidar | Browse | ||
| Get hash | malicious | RisePro Stealer, Vidar | Browse | |||
| Get hash | malicious | CryptOne, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer | Browse | |||
| Get hash | malicious | CryptOne, Djvu, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, Vidar | Browse | |||
| Get hash | malicious | CryptOne, Djvu, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine | Browse | |||
| Get hash | malicious | LummaC, RisePro Stealer | Browse | |||
| Get hash | malicious | CryptOne, Djvu, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer | Browse | |||
| Get hash | malicious | RisePro Stealer | Browse |
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | Get hash | malicious | RedLine | Browse |
| |
| Get hash | malicious | RedLine | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
| ||
| Get hash | malicious | Mars Stealer, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | LummaC, RisePro Stealer, Vidar | Browse |
| ||
| Get hash | malicious | PureLog Stealer, RedLine, zgRAT | Browse |
| ||
| Get hash | malicious | Amadey, PureLog Stealer | Browse |
|
⊘No context
⊘No context
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MqN5lD3LGo.exe_75d7bb26b9feea5788cdd196fb86ebec7d54070_4703ef6b_6232b001-d7a8-4b58-a9ee-92c298c63795\Report.wer 
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.7031833735538131 |
| Encrypted: | false |
| SSDEEP: | 192:PuvH3ALb0yDBFFbhjG1zuiFWZ24IO8r6:WH3ALoyDBftjkzuiFWY4IO8r |
| MD5: | 8EFFC19778CC4CEB675C1B5CEEDD70F7 |
| SHA1: | 9EA94C97AB91C6D28CB2D7D0CAD92F87EA65605D |
| SHA-256: | 8EFB9EDA0D319C5A4DB129708687DEDF2C28D1A386DF5E74C04860C3291F022E |
| SHA-512: | B5F88D19033E01F825D337BBCC59C99B346B7CA032EA37BA9A72A90A7B13D398BA5FE09334EBAECC4DB371B7E171128E874245A2D8CB871BB90934A92E887897 |
| Malicious: | true |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 47006 |
| Entropy (8bit): | 1.8304097743762475 |
| Encrypted: | false |
| SSDEEP: | 192:KUpgnQwPOWdHGV+8K/8EkRDCBrDpupbG4MuwTNoJb:kQwGDUj/ODCBrd0jMuA |
| MD5: | 0C32A9AF45188EA3F61B54999D05442F |
| SHA1: | 334562DBDB899BE74B51141A7286A45FDEC2D3E6 |
| SHA-256: | 2788A3A49ED71A8C5F0836AFCB2A9413517267A44E4FB27A9032C89C60FD65FA |
| SHA-512: | F635B2F17C88270CDB56C37BF82D5420056238E17EE449F9674808BC0C394BDFD978F46F2114C0C2719BBC441AC0C0018033FA861D6474328ED7DD7B05425AC5 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8352 |
| Entropy (8bit): | 3.706626244168962 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJo5666YEIISU9YujrgmfnJjS89apr089bIUsfI4m:R6lXJO666YEHSU9YujrgmfnJjSVIHf+ |
| MD5: | 7EF2501F4632338FC348882B7421FE1D |
| SHA1: | 30C9A2D3A572EE4291005C37AF29CD75DB258FA1 |
| SHA-256: | 38ABB97F297D83DE66F710D6B1EEFB2D0F337BFD0113281C8209ABB00634F630 |
| SHA-512: | 26DC8BE284EA2D16D203123FA1F7E8A9A1FF3FF3650D52CC8FD9B5F8EE697F73D78550858801148EC37916BB278E4DB8073932C3AAA57B794A04BC4F0F5C5BE9 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4635 |
| Entropy (8bit): | 4.5185388407303355 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zsKJg77aI9PMWpW8VYeNYm8M4J7fFb+q8vVVkOBRVd:uIjfYI7Zl7V3MJxuVkOjVd |
| MD5: | C91C770972935825DD3C8EEE1F49C985 |
| SHA1: | 1B94D76C16D51D8623D62A92BB4213A4B27D1E3D |
| SHA-256: | 70BBA580C86ECC658D40FC28DCEE52193FF19033D219B4E87CC8169621EB3F89 |
| SHA-512: | 7FEE19F60AC54A3B4D50B53B6A05C7CBCE20EDECF79F50F10780C80169AF699A34574D8D8CE134F0A66A174F4D7EFD2C4E122A9FD62C197D1E2FF16C23B1CCAB |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1835008 |
| Entropy (8bit): | 4.421577314132633 |
| Encrypted: | false |
| SSDEEP: | 6144:NSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNY0uhiTwb:0vloTMW+EZMM6DFyu03wb |
| MD5: | AC755C0149B41AE4185ADCD68353B26C |
| SHA1: | A25D3F3712E76A5652EBDCC864501218A7837CC7 |
| SHA-256: | 738F38D91930DB1B29F172D4CAF52A4665C84CA785F542CA2D1306B283CDFA3E |
| SHA-512: | 5F876785BFD508F2E9FD9FAC629BF424B4B3CFECD0DFFC4EDCA5A0FB6E8E9DF8FF82DEE708ACE956D53A4D51698CE84CE8016964350EA1B640BFED0B4515824E |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\MqN5lD3LGo.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 14 |
| Entropy (8bit): | 3.3248629576173565 |
| Encrypted: | false |
| SSDEEP: | 3:oJCVNV:o8/V |
| MD5: | 2C34338A8C340C46983875A53A889FC3 |
| SHA1: | 5EF486E22F88756BE456209030D46D3D94C21952 |
| SHA-256: | 511FF7ADE84BB22C9B35B62A64FC4100A1958E8D20CB795031199748A926E507 |
| SHA-512: | 61A221F599A577BC988C6CFF3319F214A62F066B5086C7D8841E8B88BC9FB6CC4F93E8E48E25382BB8148C8F26D045AD15A927ACF0742E69E24923A4659FF633 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.948024837182058 |
| TrID: |
|
| File name: | MqN5lD3LGo.exe |
| File size: | 1'870'848 bytes |
| MD5: | c6c9f27d335d4e47b5ea12653e806be6 |
| SHA1: | e53242d463e2c94383ec646e7e04504b96b4d176 |
| SHA256: | 514efbae5faa43878c743c3db36f81c25ab5d6da93b879b6e88e7a63b1b19769 |
| SHA512: | 7e00bdac39c89821b776dda372693d29e0e7188f8ef747037b971461af79545908f8fc8c9bbf7a30f1b0cc4ceea45632e91c1093e784002994808c19bd2a7347 |
| SSDEEP: | 49152:KWPLwXMkW4itwCBDtixjSzceiLYtV25Mm8eEMMd:tPLPkW4IwcOj6iLYtV+Mw8 |
| TLSH: | 6C852300F4908073C562167706E4DFB69A7EB9714B725CDB6BA44FBF4F306C09632A6A |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@.}.@.}.@.}...~.Q.}...x...}...y.V.}..sy.R.}...|.G.}.@.|...}..sx...}..s~.X.}..px.A.}..p..A.}.Rich@.}.................PE..L.. |
 | |
| Icon Hash: | 00928e8e8686b000 |
| Entrypoint: | 0x409aa5 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows cui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x66789839 [Sun Jun 23 21:48:41 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | e4019b337e6aa53400bb9378be49b858 |
| Instruction |
|---|
| call 00007EFC9CE8270Ah |
| jmp 00007EFC9CE81CD9h |
| mov ecx, dword ptr [ebp-0Ch] |
| mov dword ptr fs:[00000000h], ecx |
| pop ecx |
| pop edi |
| pop edi |
| pop esi |
| pop ebx |
| mov esp, ebp |
| pop ebp |
| push ecx |
| ret |
| mov ecx, dword ptr [ebp-10h] |
| xor ecx, ebp |
| call 00007EFC9CE81BC5h |
| jmp 00007EFC9CE81E42h |
| push eax |
| push dword ptr fs:[00000000h] |
| lea eax, dword ptr [esp+0Ch] |
| sub esp, dword ptr [esp+0Ch] |
| push ebx |
| push esi |
| push edi |
| mov dword ptr [eax], ebp |
| mov ebp, eax |
| mov eax, dword ptr [005C69C0h] |
| xor eax, ebp |
| push eax |
| push dword ptr [ebp-04h] |
| mov dword ptr [ebp-04h], FFFFFFFFh |
| lea eax, dword ptr [ebp-0Ch] |
| mov dword ptr fs:[00000000h], eax |
| ret |
| push eax |
| push dword ptr fs:[00000000h] |
| lea eax, dword ptr [esp+0Ch] |
| sub esp, dword ptr [esp+0Ch] |
| push ebx |
| push esi |
| push edi |
| mov dword ptr [eax], ebp |
| mov ebp, eax |
| mov eax, dword ptr [005C69C0h] |
| xor eax, ebp |
| push eax |
| mov dword ptr [ebp-10h], eax |
| push dword ptr [ebp-04h] |
| mov dword ptr [ebp-04h], FFFFFFFFh |
| lea eax, dword ptr [ebp-0Ch] |
| mov dword ptr fs:[00000000h], eax |
| ret |
| push eax |
| push dword ptr fs:[00000000h] |
| lea eax, dword ptr [esp+0Ch] |
| sub esp, dword ptr [esp+0Ch] |
| push ebx |
| push esi |
| push edi |
| mov dword ptr [eax], ebp |
| mov ebp, eax |
| mov eax, dword ptr [005C69C0h] |
| xor eax, ebp |
| push eax |
| mov dword ptr [ebp-10h], esp |
| push dword ptr [ebp-04h] |
| mov dword ptr [ebp-04h], FFFFFFFFh |
| lea eax, dword ptr [ebp-0Ch] |
| mov dword ptr fs:[00000000h], eax |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x33594 | 0x50 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1ca000 | 0x21f0 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x30a68 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x30ac0 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x309a8 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x28000 | 0x180 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x251c2 | 0x25200 | ad92eac1a3518c94a50c469e832eda52 | False | 0.5649134574915825 | data | 6.636592053866142 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .BSs | 0x27000 | 0xe1d | 0x1000 | 74293e678f0de25bb463c0dccc7904d8 | False | 0.583740234375 | data | 6.002868469254389 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x28000 | 0xbe86 | 0xc000 | b0aa40c4aa7dfc2011d6ffe63826f1cd | False | 0.41448974609375 | data | 4.98810951337647 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x34000 | 0x19534c | 0x194400 | 4d397285c775cfc4554c7ce0ca0071fc | False | 0.9968365897495362 | data | 7.999224560090972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .reloc | 0x1ca000 | 0x21f0 | 0x2200 | f4f8da3f2dfcb44938435d58d7a1d96f | False | 0.7734375 | data | 6.553528678280142 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| DLL | Import |
|---|---|
| GDI32.dll | Polyline, RectVisible |
| USER32.dll | OffsetRect |
| KERNEL32.dll | CreateFileW, HeapSize, SetStdHandle, WaitForSingleObject, CreateThread, VirtualAlloc, FreeConsole, RaiseException, InitOnceBeginInitialize, InitOnceComplete, CloseHandle, GetCurrentThreadId, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, GetLastError, FreeLibraryWhenCallbackReturns, CreateThreadpoolWork, SubmitThreadpoolWork, CloseThreadpoolWork, GetModuleHandleExW, IsProcessorFeaturePresent, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, QueryPerformanceCounter, EncodePointer, DecodePointer, MultiByteToWideChar, WideCharToMultiByte, LCMapStringEx, GetSystemTimeAsFileTime, GetModuleHandleW, GetProcAddress, GetStringTypeW, GetCPInfo, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, InitializeSListHead, GetProcessHeap, RtlUnwind, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleFileNameW, GetStdHandle, WriteFile, GetCommandLineA, GetCommandLineW, HeapFree, HeapAlloc, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, GetFileSizeEx, SetFilePointerEx, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, WriteConsoleW |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 06/25/24-18:12:57.603058 | TCP | 2049060 | ET TROJAN RisePro TCP Heartbeat Packet | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| 06/25/24-18:12:58.145124 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| 06/25/24-18:16:59.942935 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jun 25, 2024 18:12:57.589859962 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:12:57.594804049 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:12:57.594891071 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:12:57.603058100 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:12:57.607947111 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:12:58.145123959 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:12:58.194113016 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:13:01.287981987 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:13:01.292901039 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:13:32.631783962 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:13:32.636841059 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:13:51.444434881 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:13:51.451287031 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:14:00.835055113 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:14:00.841197014 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:14:03.975673914 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:14:03.980700016 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:14:07.101018906 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:14:07.107686996 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:14:10.241226912 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:14:10.246524096 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:14:13.366247892 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:14:13.371164083 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:14:16.506866932 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:14:16.511805058 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:14:19.647525072 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:14:19.652843952 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:14:22.788155079 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:14:22.793284893 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:14:25.929023981 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:14:25.934446096 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:14:29.053817987 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:14:29.058727980 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:14:32.178858042 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:14:32.183923960 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:14:35.319411993 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:14:35.324887991 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:14:38.460120916 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:14:38.465010881 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:14:41.600847006 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:14:41.608042955 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:14:44.725697994 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:14:44.730870962 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:14:47.866508007 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:14:47.871398926 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:14:50.991391897 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:14:50.996503115 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:14:54.132021904 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:14:54.136972904 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:14:57.256982088 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:14:57.261903048 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:15:00.382127047 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:15:00.387090921 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:15:03.522605896 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:15:03.527616978 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:15:06.647850037 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:15:06.652848959 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:15:09.772627115 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:15:09.777631044 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:15:12.913299084 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:15:12.918267012 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:15:16.038249016 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:15:16.043116093 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:15:19.179094076 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:15:19.186846972 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:15:22.305229902 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:15:22.310864925 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:15:25.429091930 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:15:25.434027910 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:15:28.554105997 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:15:28.559413910 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:15:31.679120064 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:15:31.683969021 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:15:34.819679022 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:15:34.825444937 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:15:37.960181952 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:15:37.965126038 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:15:41.100912094 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:15:41.108592033 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:15:44.225826025 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:15:44.230895042 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:15:47.366687059 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:15:47.371661901 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:15:50.491511106 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:15:50.497765064 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:15:53.632509947 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:15:53.824331999 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:15:56.757078886 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:15:56.761936903 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:15:59.897741079 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:15:59.903954029 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:16:03.046962023 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:16:03.052200079 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:16:06.163400888 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:16:06.367072105 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:16:09.288505077 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:16:09.298954964 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:16:12.429179907 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:16:12.434616089 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:16:15.554155111 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:16:15.559185982 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:16:18.694617033 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:16:18.700160027 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:16:21.835403919 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:16:21.840472937 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:16:24.976248980 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:16:24.981411934 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:16:28.100905895 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:16:28.105873108 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:16:31.241559029 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:16:31.246587038 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:16:34.366552114 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:16:34.371695995 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:16:37.491601944 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:16:37.496442080 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:16:40.616661072 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:16:40.621546984 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:16:43.757167101 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:16:43.762044907 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:16:46.897917032 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:16:46.907032013 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:16:50.038639069 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:16:50.043551922 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:16:53.163711071 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:16:53.168991089 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:16:56.288558960 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:16:56.293798923 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Jun 25, 2024 18:16:59.942934990 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
| Jun 25, 2024 18:16:59.951035023 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jun 25, 2024 18:13:16.644701004 CEST | 53 | 57576 | 1.1.1.1 | 192.168.2.5 |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 12:12:55 |
| Start date: | 25/06/2024 |
| Path: | C:\Users\user\Desktop\MqN5lD3LGo.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xb0000 |
| File size: | 1'870'848 bytes |
| MD5 hash: | C6C9F27D335D4E47B5EA12653E806BE6 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 12:12:55 |
| Start date: | 25/06/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6d64d0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 12:12:55 |
| Start date: | 25/06/2024 |
| Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xf90000 |
| File size: | 65'440 bytes |
| MD5 hash: | 0D5DF43AF2916F47D00C1573797C1A13 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | false |
| Target ID: | 6 |
| Start time: | 12:12:55 |
| Start date: | 25/06/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x1e0000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 4.2% |
| Dynamic/Decrypted Code Coverage: | 0.3% |
| Signature Coverage: | 3% |
| Total number of Nodes: | 2000 |
| Total number of Limit Nodes: | 52 |
Graph
Function 007F018D Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282threadinjectionmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000D7AB0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 122synchronizationthreadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000C74F3 Relevance: 3.1, APIs: 2, Instructions: 65COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000C663B Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000B8522 Relevance: 1.6, APIs: 1, Instructions: 108COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000D7C30 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000CFE5E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000CF6CF Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000C7782 Relevance: 6.3, APIs: 4, Instructions: 337COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000B9EEF Relevance: 6.1, APIs: 4, Instructions: 70COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000CFAE2 Relevance: 4.7, APIs: 3, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000C2C20 Relevance: 3.4, APIs: 2, Instructions: 449COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000B9C95 Relevance: 1.6, APIs: 1, Instructions: 147COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000CC8CD Relevance: 1.6, APIs: 1, Instructions: 140COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000CFD35 Relevance: 1.6, APIs: 1, Instructions: 83COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000BFF04 Relevance: 1.6, Strings: 1, Instructions: 314COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000CFF64 Relevance: 1.5, APIs: 1, Instructions: 45COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000CF8CA Relevance: 1.5, APIs: 1, Instructions: 43COMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000BA04B Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000CDAB5 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000D0DD4 Relevance: .3, Instructions: 317COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000C85C5 Relevance: .0, Instructions: 22COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000C3A8C Relevance: .0, Instructions: 12COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000B944A Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 19libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000BCE32 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000CB294 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 298COMMONLIBRARYCODE
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000B9120 Relevance: 12.2, APIs: 8, Instructions: 175COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000C6D9E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000C3AAE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000C9475 Relevance: 7.7, APIs: 5, Instructions: 202COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000B7072 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000B7C88 Relevance: 7.6, APIs: 5, Instructions: 65COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000BDBC7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000B4740 Relevance: 6.2, APIs: 4, Instructions: 169COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000B5B50 Relevance: 6.1, APIs: 4, Instructions: 133COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000CC68A Relevance: 6.1, APIs: 4, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000C31C4 Relevance: 6.1, APIs: 4, Instructions: 79COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000CD620 Relevance: 6.1, APIs: 4, Instructions: 74COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000CECB6 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000BD1D7 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000B23C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 1.2% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 2.7% |
| Total number of Nodes: | 789 |
| Total number of Limit Nodes: | 13 |
Graph
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045DB00 Relevance: 7.7, APIs: 5, Instructions: 156sleepCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00442CD3 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00448910 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 292COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00409280 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 382libraryloadernetworkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004E6CA0 Relevance: 6.1, APIs: 4, Instructions: 75COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045098D Relevance: 6.1, APIs: 4, Instructions: 74COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004E57F0 Relevance: 3.4, APIs: 2, Instructions: 350COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00438E02 Relevance: 1.7, APIs: 1, Instructions: 157COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004E7330 Relevance: 1.6, APIs: 1, Instructions: 122COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044AC7F Relevance: 1.6, APIs: 1, Instructions: 54COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004E5D00 Relevance: 1.6, APIs: 1, Instructions: 51COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044B094 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004E06D0 Relevance: 83.9, APIs: 43, Strings: 3, Instructions: 3428registrytimeprocessCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004CF280 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 240injectionmemorysynchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00432022 Relevance: 15.2, APIs: 10, Instructions: 200fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004534CF Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 182COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005447E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 81windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00452B5A Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 254COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004532F3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043C960 Relevance: 6.5, APIs: 4, Instructions: 455COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004C6000 Relevance: 6.3, APIs: 4, Instructions: 310fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004938D0 Relevance: 6.2, APIs: 4, Instructions: 207fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00434184 Relevance: 6.1, APIs: 4, Instructions: 70COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005449B0 Relevance: 6.1, APIs: 4, Instructions: 55timeCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004580D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00431D94 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00544A40 Relevance: 3.1, APIs: 2, Instructions: 87COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004E90C0 Relevance: 33.7, APIs: 18, Strings: 1, Instructions: 423libraryloaderthreadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004D6790 Relevance: 19.9, APIs: 13, Instructions: 424fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004EEA40 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 148memorystringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004579E3 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 147COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004D6BA0 Relevance: 15.2, APIs: 10, Instructions: 164fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004377C6 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 303COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004E4720 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 291registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004335D8 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 19libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044BB66 Relevance: 10.8, APIs: 7, Instructions: 329COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00545050 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 86windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044B37E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00458023 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00443633 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 42libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00455EBC Relevance: 9.2, APIs: 6, Instructions: 248COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044520B Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 370COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004D6D90 Relevance: 9.1, APIs: 6, Instructions: 101COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043756F Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 168COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00544DE0 Relevance: 7.7, APIs: 5, Instructions: 208fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004E9A70 Relevance: 7.7, APIs: 5, Instructions: 181memorylibraryloaderCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00432BC8 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00544B20 Relevance: 7.6, APIs: 5, Instructions: 98COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0048F4D0 Relevance: 7.6, APIs: 5, Instructions: 69processCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00437B6B Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00438587 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00443A09 Relevance: 6.1, APIs: 4, Instructions: 132COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004E55A0 Relevance: 6.1, APIs: 4, Instructions: 121COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044F9EC Relevance: 6.1, APIs: 4, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00545330 Relevance: 6.1, APIs: 4, Instructions: 81COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00545920 Relevance: 6.1, APIs: 4, Instructions: 76fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005459E0 Relevance: 6.1, APIs: 4, Instructions: 66fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00545770 Relevance: 6.1, APIs: 4, Instructions: 61fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00431F0C Relevance: 6.0, APIs: 4, Instructions: 44COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005458C0 Relevance: 6.0, APIs: 4, Instructions: 35fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00481BC0 Relevance: 6.0, APIs: 4, Instructions: 20synchronizationthreadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004C7070 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 325fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00408F20 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 272libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004036E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 178COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044EA2E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 151fileCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004327B6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404C20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043361D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27timeCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044B7F4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044B5DE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|