Windows
Analysis Report
MqN5lD3LGo.exe
Overview
General Information
Sample name: | MqN5lD3LGo.exe (renamed because original name is a hash value) |
Original sample name: | c6c9f27d335d4e47b5ea12653e806be6.exe |
Analysis ID: | 1462554 |
MD5: | c6c9f27d335d4e47b5ea12653e806be6 |
SHA1: | e53242d463e2c94383ec646e7e04504b96b4d176 |
SHA256: | 514efbae5faa43878c743c3db36f81c25ab5d6da93b879b6e88e7a63b1b19769 |
Tags: | 32 exe trojan |
Infos: | |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- MqN5lD3LGo.exe (PID: 4508, cmdline: "C:\Users\user\Desktop\MqN5lD3LGo.exe", MD5: C6C9F27D335D4E47B5EA12653E806BE6)
- conhost.exe (PID: 6576, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- RegAsm.exe (PID: 4012, cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", MD5: 0D5DF43AF2916F47D00C1573797C1A13)
- WerFault.exe (PID: 3536, cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 308, MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security | |
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype |
---|---|---|---|---|---|
06/25/24-18:12:57.603058 | 2049060 | 49705 | 50500 | TCP | A Network Trojan was detected |
06/25/24-18:12:58.145124 | 2046266 | 50500 | 49705 | TCP | A Network Trojan was detected |
06/25/24-18:16:59.942935 | 2046269 | 49705 | 50500 | TCP | A Network Trojan was detected |
AV Detection |
---|
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Code function: | 3_2_004C6B00 |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | 0_2_000CC8CD | |
Source: | Code function: | 3_2_004C6000 | |
Source: | Code function: | 3_2_00432022 | |
Source: | Code function: | 3_2_004E6770 | |
Source: | Code function: | 3_2_004938D0 | |
Source: | Code function: | 3_2_00493B60 | |
Source: | Code function: | 3_2_0044FC2F | |
Source: | Code function: | 3_2_004DFF00 | |
Source: | Code function: | 3_2_00431F9C |
Networking |
---|
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: |
Source: | TCP traffic: |
Source: | IP Address: |
Source: | ASN Name: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | Code function: | 3_2_004C8590 |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Process Stats: |
Source: | Code function: | 0_2_000D09FC | |
Source: | Code function: | 0_2_000C2C20 | |
Source: | Code function: | 0_2_000CBC92 | |
Source: | Code function: | 0_2_000D0DD4 | |
Source: | Code function: | 0_2_000BFF04 | |
Source: | Code function: | 0_2_000C7782 | |
Source: | Code function: | 3_2_004E4BD0 | |
Source: | Code function: | 3_2_0044002D | |
Source: | Code function: | 3_2_005220D0 | |
Source: | Code function: | 3_2_004F60E0 | |
Source: | Code function: | 3_2_004C00A0 | |
Source: | Code function: | 3_2_004EE170 | |
Source: | Code function: | 3_2_00508120 | |
Source: | Code function: | 3_2_004A6250 | |
Source: | Code function: | 3_2_00512260 | |
Source: | Code function: | 3_2_0040A2C0 | |
Source: | Code function: | 3_2_0050A2B0 | |
Source: | Code function: | 3_2_0044036F | |
Source: | Code function: | 3_2_004A4320 | |
Source: | Code function: | 3_2_004BE3C0 | |
Source: | Code function: | 3_2_004F0450 | |
Source: | Code function: | 3_2_004DE430 | |
Source: | Code function: | 3_2_004B84D0 | |
Source: | Code function: | 3_2_004FA480 | |
Source: | Code function: | 3_2_00514550 | |
Source: | Code function: | 3_2_004F85F0 | |
Source: | Code function: | 3_2_00490600 | |
Source: | Code function: | 3_2_00452610 | |
Source: | Code function: | 3_2_005486C0 | |
Source: | Code function: | 3_2_004E06D0 | |
Source: | Code function: | 3_2_004547BF | |
Source: | Code function: | 3_2_004F2820 | |
Source: | Code function: | 3_2_004A88B0 | |
Source: | Code function: | 3_2_0043C960 | |
Source: | Code function: | 3_2_00546970 | |
Source: | Code function: | 3_2_0043A928 | |
Source: | Code function: | 3_2_004FA930 | |
Source: | Code function: | 3_2_004F8B40 | |
Source: | Code function: | 3_2_00500BA0 | |
Source: | Code function: | 3_2_00458BB0 | |
Source: | Code function: | 3_2_004EEC40 | |
Source: | Code function: | 3_2_00534D40 | |
Source: | Code function: | 3_2_004FAD00 | |
Source: | Code function: | 3_2_00546D20 | |
Source: | Code function: | 3_2_0053AE20 | |
Source: | Code function: | 3_2_00458E30 | |
Source: | Code function: | 3_2_00506EA0 | |
Source: | Code function: | 3_2_00516EA0 | |
Source: | Code function: | 3_2_004ECF20 | |
Source: | Code function: | 3_2_004F2FD0 | |
Source: | Code function: | 3_2_004D70F0 | |
Source: | Code function: | 3_2_00493080 | |
Source: | Code function: | 3_2_004371A0 | |
Source: | Code function: | 3_2_005031A0 | |
Source: | Code function: | 3_2_004A9380 | |
Source: | Code function: | 3_2_004D1450 | |
Source: | Code function: | 3_2_0053F550 | |
Source: | Code function: | 3_2_0042F580 | |
Source: | Code function: | 3_2_0048F590 | |
Source: | Code function: | 3_2_004B3600 | |
Source: | Code function: | 3_2_004A3610 | |
Source: | Code function: | 3_2_004B1630 | |
Source: | Code function: | 3_2_00547760 | |
Source: | Code function: | 3_2_004F7730 | |
Source: | Code function: | 3_2_004E77E0 | |
Source: | Code function: | 3_2_00495790 | |
Source: | Code function: | 3_2_005397B0 | |
Source: | Code function: | 3_2_004F7960 | |
Source: | Code function: | 3_2_0047B970 | |
Source: | Code function: | 3_2_004EF9A0 | |
Source: | Code function: | 3_2_004CBAC0 | |
Source: | Code function: | 3_2_0044DA86 | |
Source: | Code function: | 3_2_004A9B50 | |
Source: | Code function: | 3_2_00493B60 | |
Source: | Code function: | 3_2_004ADB20 | |
Source: | Code function: | 3_2_0051DBB0 | |
Source: | Code function: | 3_2_004EFC40 | |
Source: | Code function: | 3_2_004F7C00 | |
Source: | Code function: | 3_2_00503CC0 | |
Source: | Code function: | 3_2_00409C90 | |
Source: | Code function: | 3_2_004F9D70 | |
Source: | Code function: | 3_2_004F7D00 | |
Source: | Code function: | 3_2_00545DE0 | |
Source: | Code function: | 3_2_00541F00 | |
Source: | Code function: | 3_2_004C1F20 | |
Source: | Code function: | 3_2_00501FE0 | |
Source: | Code function: | 3_2_004FFFA0 |
Source: | Process created: |
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Code function: | 3_2_005447E0 |
Source: | Code function: | 3_2_00544A40 |
Source: | Code function: | 3_2_004E06D0 |
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | ReversingLabs: |
Source: | String found in binary or memory: |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | 3_2_004CF280 |
Source: | Code function: | 0_2_000B9AC2 | |
Source: | Code function: | 3_2_00433F6C |
Source: | Code function: | 3_2_004EE170 |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Malware Analysis System Evasion |
---|
Source: | Sandbox detection routine: | graph_3-78728 |
Source: | Evasive API call chain: | graph_3-78729 |
Source: | Stalling execution: | graph_3-79174 |
Source: | Code function: | 3_2_0045DB00 |
Source: | Window / User API: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior |
Source: | Decision node followed by non-executed suspicious API: | graph_3-79221 |
Source: | Evasive API call chain: | graph_3-79855 |
Source: | API coverage: | ||
Source: | API coverage: |
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior |
Source: | Last function: | ||
Source: | Last function: | ||
Source: | Last function: |
Source: | Code function: | 3_2_005449B0 |
Source: | Code function: | 0_2_000CC8CD | |
Source: | Code function: | 3_2_004C6000 | |
Source: | Code function: | 3_2_00432022 | |
Source: | Code function: | 3_2_004E6770 | |
Source: | Code function: | 3_2_004938D0 | |
Source: | Code function: | 3_2_00493B60 | |
Source: | Code function: | 3_2_0044FC2F | |
Source: | Code function: | 3_2_004DFF00 | |
Source: | Code function: | 3_2_00431F9C |
Source: | Code function: | 3_2_004580D8 |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Process queried: | Jump to behavior | ||
Source: | Process queried: | Jump to behavior |
Source: | Code function: | 0_2_000BDED3 |
Source: | Code function: | 3_2_004CF280 |
Source: | Code function: | 0_2_000C3A8C | |
Source: | Code function: | 0_2_000C85C5 | |
Source: | Code function: | 3_2_0045DB00 | |
Source: | Code function: | 3_2_0045DB00 | |
Source: | Code function: | 3_2_004D6280 | |
Source: | Code function: | 3_2_004C86C0 | |
Source: | Code function: | 3_2_004C6D80 | |
Source: | Code function: | 3_2_004D3070 | |
Source: | Code function: | 3_2_00495790 |
Source: | Code function: | 0_2_000CDAB5 |
Source: | Code function: | 0_2_000BA04B | |
Source: | Code function: | 0_2_000BA105 | |
Source: | Code function: | 0_2_000BDED3 | |
Source: | Code function: | 0_2_000B9EEF | |
Source: | Code function: | 3_2_00434184 | |
Source: | Code function: | 3_2_00434311 | |
Source: | Code function: | 3_2_0043451D | |
Source: | Code function: | 3_2_00438A64 |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Memory allocated: | Jump to behavior |
Source: | Code function: | 0_2_007F018D |
Source: | Code function: | 3_2_004CF280 |
Source: | Memory written: | Jump to behavior |
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior |
Source: | Process created: | Jump to behavior |
Source: | Code function: | 0_2_000B9C95 |
Source: | Code function: | 0_2_000D0033 | |
Source: | Code function: | 0_2_000CF8CA | |
Source: | Code function: | 0_2_000C70FB | |
Source: | Code function: | 0_2_000CF971 | |
Source: | Code function: | 0_2_000CF9BC | |
Source: | Code function: | 0_2_000CFA57 | |
Source: | Code function: | 0_2_000CFAE2 | |
Source: | Code function: | 0_2_000C6BD5 | |
Source: | Code function: | 0_2_000CFD35 | |
Source: | Code function: | 0_2_000CFE5E | |
Source: | Code function: | 0_2_000CF6CF | |
Source: | Code function: | 0_2_000CFF64 | |
Source: | Code function: | 3_2_004E06D0 | |
Source: | Code function: | 3_2_00452B5A | |
Source: | Code function: | 3_2_00452D5F | |
Source: | Code function: | 3_2_00452E51 | |
Source: | Code function: | 3_2_00452E06 | |
Source: | Code function: | 3_2_00452EEC | |
Source: | Code function: | 3_2_00452F77 | |
Source: | Code function: | 3_2_004531CA | |
Source: | Code function: | 3_2_0044B1B1 | |
Source: | Code function: | 3_2_004532F3 | |
Source: | Code function: | 3_2_004533F9 | |
Source: | Code function: | 3_2_004534CF | |
Source: | Code function: | 3_2_0044B734 | |
Source: | Code function: | 3_2_00431D94 |
Source: | Queries volume information: | Jump to behavior |
Source: | Code function: | 0_2_000BA302 |
Source: | Code function: | 3_2_004E06D0 |
Source: | Code function: | 3_2_004E06D0 |
Source: | Code function: | 3_2_005447E0 |
Source: | Key value queried: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Stealing of Sensitive Information |
---|
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 511 Process Injection | 12 Virtualization/Sandbox Evasion | OS Credential Dumping | 12 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 12 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 511 Process Injection | LSASS Memory | 151 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 12 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 Account Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 System Owner/User Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 1 File and Directory Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 36 System Information Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
74% | ReversingLabs | Win32.Trojan.LummaStealer | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
5.42.67.8 | unknown | Russian Federation | 39493 | RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | true |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1462554 |
Start date and time: | 2024-06-25 18:12:07 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 7m 22s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 10 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | MqN5lD3LGo.exe (renamed because original name is a hash value) |
Original Sample Name: | c6c9f27d335d4e47b5ea12653e806be6.exe |
Detection: | MAL |
Classification: | mal100.troj.evad.winEXE@5/6@0/1 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 20.42.73.29
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; report is missing behavior information
- VT rate limit hit for: MqN5lD3LGo.exe
Time | Type | Description |
---|---|---|
12:13:13 | API Interceptor | |
12:13:29 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
5.42.67.8 | | Get hash | malicious | LummaC, RisePro Stealer, Vidar | Browse | |
| | Get hash | malicious | RisePro Stealer, Vidar | Browse | |
| | Get hash | malicious | CryptOne, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer | Browse | |
| | Get hash | malicious | CryptOne, Djvu, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, Vidar | Browse | |
| | Get hash | malicious | CryptOne, Djvu, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine | Browse | |
| | Get hash | malicious | LummaC, RisePro Stealer | Browse | |
| | Get hash | malicious | CryptOne, Djvu, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer | Browse | |
| | Get hash | malicious | RisePro Stealer | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | | Get hash | malicious | RedLine | Browse | |
| | Get hash | malicious | RedLine | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | RedLine | Browse | |
| | Get hash | malicious | RedLine | Browse | |
| | Get hash | malicious | RedLine | Browse | |
| | Get hash | malicious | Mars Stealer, Stealc, Vidar | Browse | |
| | Get hash | malicious | LummaC, RisePro Stealer, Vidar | Browse | |
| | Get hash | malicious | PureLog Stealer, RedLine, zgRAT | Browse | |
| | Get hash | malicious | Amadey, PureLog Stealer | Browse | |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MqN5lD3LGo.exe_75d7bb26b9feea5788cdd196fb86ebec7d54070_4703ef6b_6232b001-d7a8-4b58-a9ee-92c298c63795\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.7031833735538131 |
Encrypted: | false |
SSDEEP: | 192:PuvH3ALb0yDBFFbhjG1zuiFWZ24IO8r6:WH3ALoyDBftjkzuiFWY4IO8r |
MD5: | 8EFFC19778CC4CEB675C1B5CEEDD70F7 |
SHA1: | 9EA94C97AB91C6D28CB2D7D0CAD92F87EA65605D |
SHA-256: | 8EFB9EDA0D319C5A4DB129708687DEDF2C28D1A386DF5E74C04860C3291F022E |
SHA-512: | B5F88D19033E01F825D337BBCC59C99B346B7CA032EA37BA9A72A90A7B13D398BA5FE09334EBAECC4DB371B7E171128E874245A2D8CB871BB90934A92E887897 |
Malicious: | true |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 47006 |
Entropy (8bit): | 1.8304097743762475 |
Encrypted: | false |
SSDEEP: | 192:KUpgnQwPOWdHGV+8K/8EkRDCBrDpupbG4MuwTNoJb:kQwGDUj/ODCBrd0jMuA |
MD5: | 0C32A9AF45188EA3F61B54999D05442F |
SHA1: | 334562DBDB899BE74B51141A7286A45FDEC2D3E6 |
SHA-256: | 2788A3A49ED71A8C5F0836AFCB2A9413517267A44E4FB27A9032C89C60FD65FA |
SHA-512: | F635B2F17C88270CDB56C37BF82D5420056238E17EE449F9674808BC0C394BDFD978F46F2114C0C2719BBC441AC0C0018033FA861D6474328ED7DD7B05425AC5 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8352 |
Entropy (8bit): | 3.706626244168962 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJo5666YEIISU9YujrgmfnJjS89apr089bIUsfI4m:R6lXJO666YEHSU9YujrgmfnJjSVIHf+ |
MD5: | 7EF2501F4632338FC348882B7421FE1D |
SHA1: | 30C9A2D3A572EE4291005C37AF29CD75DB258FA1 |
SHA-256: | 38ABB97F297D83DE66F710D6B1EEFB2D0F337BFD0113281C8209ABB00634F630 |
SHA-512: | 26DC8BE284EA2D16D203123FA1F7E8A9A1FF3FF3650D52CC8FD9B5F8EE697F73D78550858801148EC37916BB278E4DB8073932C3AAA57B794A04BC4F0F5C5BE9 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4635 |
Entropy (8bit): | 4.5185388407303355 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zsKJg77aI9PMWpW8VYeNYm8M4J7fFb+q8vVVkOBRVd:uIjfYI7Zl7V3MJxuVkOjVd |
MD5: | C91C770972935825DD3C8EEE1F49C985 |
SHA1: | 1B94D76C16D51D8623D62A92BB4213A4B27D1E3D |
SHA-256: | 70BBA580C86ECC658D40FC28DCEE52193FF19033D219B4E87CC8169621EB3F89 |
SHA-512: | 7FEE19F60AC54A3B4D50B53B6A05C7CBCE20EDECF79F50F10780C80169AF699A34574D8D8CE134F0A66A174F4D7EFD2C4E122A9FD62C197D1E2FF16C23B1CCAB |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1835008 |
Entropy (8bit): | 4.421577314132633 |
Encrypted: | false |
SSDEEP: | 6144:NSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNY0uhiTwb:0vloTMW+EZMM6DFyu03wb |
MD5: | AC755C0149B41AE4185ADCD68353B26C |
SHA1: | A25D3F3712E76A5652EBDCC864501218A7837CC7 |
SHA-256: | 738F38D91930DB1B29F172D4CAF52A4665C84CA785F542CA2D1306B283CDFA3E |
SHA-512: | 5F876785BFD508F2E9FD9FAC629BF424B4B3CFECD0DFFC4EDCA5A0FB6E8E9DF8FF82DEE708ACE956D53A4D51698CE84CE8016964350EA1B640BFED0B4515824E |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\MqN5lD3LGo.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 14 |
Entropy (8bit): | 3.3248629576173565 |
Encrypted: | false |
SSDEEP: | 3:oJCVNV:o8/V |
MD5: | 2C34338A8C340C46983875A53A889FC3 |
SHA1: | 5EF486E22F88756BE456209030D46D3D94C21952 |
SHA-256: | 511FF7ADE84BB22C9B35B62A64FC4100A1958E8D20CB795031199748A926E507 |
SHA-512: | 61A221F599A577BC988C6CFF3319F214A62F066B5086C7D8841E8B88BC9FB6CC4F93E8E48E25382BB8148C8F26D045AD15A927ACF0742E69E24923A4659FF633 |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 7.948024837182058 |
TrID: |
File name: | MqN5lD3LGo.exe |
File size: | 1'870'848 bytes |
MD5: | c6c9f27d335d4e47b5ea12653e806be6 |
SHA1: | e53242d463e2c94383ec646e7e04504b96b4d176 |
SHA256: | 514efbae5faa43878c743c3db36f81c25ab5d6da93b879b6e88e7a63b1b19769 |
SHA512: | 7e00bdac39c89821b776dda372693d29e0e7188f8ef747037b971461af79545908f8fc8c9bbf7a30f1b0cc4ceea45632e91c1093e784002994808c19bd2a7347 |
SSDEEP: | 49152:KWPLwXMkW4itwCBDtixjSzceiLYtV25Mm8eEMMd:tPLPkW4IwcOj6iLYtV+Mw8 |
TLSH: | 6C852300F4908073C562167706E4DFB69A7EB9714B725CDB6BA44FBF4F306C09632A6A |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@.}.@.}.@.}...~.Q.}...x...}...y.V.}..sy.R.}...|.G.}.@.|...}..sx...}..s~.X.}..px.A.}..p..A.}.Rich@.}.................PE..L.. |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x409aa5 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x66789839 [Sun Jun 23 21:48:41 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | e4019b337e6aa53400bb9378be49b858 |
Instruction |
---|
call 00007EFC9CE8270Ah |
jmp 00007EFC9CE81CD9h |
mov ecx, dword ptr [ebp-0Ch] |
mov dword ptr fs:[00000000h], ecx |
pop ecx |
pop edi |
pop edi |
pop esi |
pop ebx |
mov esp, ebp |
pop ebp |
push ecx |
ret |
mov ecx, dword ptr [ebp-10h] |
xor ecx, ebp |
call 00007EFC9CE81BC5h |
jmp 00007EFC9CE81E42h |
push eax |
push dword ptr fs:[00000000h] |
lea eax, dword ptr [esp+0Ch] |
sub esp, dword ptr [esp+0Ch] |
push ebx |
push esi |
push edi |
mov dword ptr [eax], ebp |
mov ebp, eax |
mov eax, dword ptr [005C69C0h] |
xor eax, ebp |
push eax |
push dword ptr [ebp-04h] |
mov dword ptr [ebp-04h], FFFFFFFFh |
lea eax, dword ptr [ebp-0Ch] |
mov dword ptr fs:[00000000h], eax |
ret |
push eax |
push dword ptr fs:[00000000h] |
lea eax, dword ptr [esp+0Ch] |
sub esp, dword ptr [esp+0Ch] |
push ebx |
push esi |
push edi |
mov dword ptr [eax], ebp |
mov ebp, eax |
mov eax, dword ptr [005C69C0h] |
xor eax, ebp |
push eax |
mov dword ptr [ebp-10h], eax |
push dword ptr [ebp-04h] |
mov dword ptr [ebp-04h], FFFFFFFFh |
lea eax, dword ptr [ebp-0Ch] |
mov dword ptr fs:[00000000h], eax |
ret |
push eax |
push dword ptr fs:[00000000h] |
lea eax, dword ptr [esp+0Ch] |
sub esp, dword ptr [esp+0Ch] |
push ebx |
push esi |
push edi |
mov dword ptr [eax], ebp |
mov ebp, eax |
mov eax, dword ptr [005C69C0h] |
xor eax, ebp |
push eax |
mov dword ptr [ebp-10h], esp |
push dword ptr [ebp-04h] |
mov dword ptr [ebp-04h], FFFFFFFFh |
lea eax, dword ptr [ebp-0Ch] |
mov dword ptr fs:[00000000h], eax |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x33594 | 0x50 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1ca000 | 0x21f0 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x30a68 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x30ac0 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x309a8 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x28000 | 0x180 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x251c2 | 0x25200 | ad92eac1a3518c94a50c469e832eda52 | False | 0.5649134574915825 | data | 6.636592053866142 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.BSs | 0x27000 | 0xe1d | 0x1000 | 74293e678f0de25bb463c0dccc7904d8 | False | 0.583740234375 | data | 6.002868469254389 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x28000 | 0xbe86 | 0xc000 | b0aa40c4aa7dfc2011d6ffe63826f1cd | False | 0.41448974609375 | data | 4.98810951337647 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x34000 | 0x19534c | 0x194400 | 4d397285c775cfc4554c7ce0ca0071fc | False | 0.9968365897495362 | data | 7.999224560090972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.reloc | 0x1ca000 | 0x21f0 | 0x2200 | f4f8da3f2dfcb44938435d58d7a1d96f | False | 0.7734375 | data | 6.553528678280142 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
DLL | Import |
---|---|
GDI32.dll | Polyline, RectVisible |
USER32.dll | OffsetRect |
KERNEL32.dll | CreateFileW, HeapSize, SetStdHandle, WaitForSingleObject, CreateThread, VirtualAlloc, FreeConsole, RaiseException, InitOnceBeginInitialize, InitOnceComplete, CloseHandle, GetCurrentThreadId, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, GetLastError, FreeLibraryWhenCallbackReturns, CreateThreadpoolWork, SubmitThreadpoolWork, CloseThreadpoolWork, GetModuleHandleExW, IsProcessorFeaturePresent, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, QueryPerformanceCounter, EncodePointer, DecodePointer, MultiByteToWideChar, WideCharToMultiByte, LCMapStringEx, GetSystemTimeAsFileTime, GetModuleHandleW, GetProcAddress, GetStringTypeW, GetCPInfo, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, InitializeSListHead, GetProcessHeap, RtlUnwind, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleFileNameW, GetStdHandle, WriteFile, GetCommandLineA, GetCommandLineW, HeapFree, HeapAlloc, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, GetFileSizeEx, SetFilePointerEx, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, WriteConsoleW |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
06/25/24-18:12:57.603058 | TCP | 2049060 | ET TROJAN RisePro TCP Heartbeat Packet | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
06/25/24-18:12:58.145124 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
06/25/24-18:16:59.942935 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jun 25, 2024 18:12:57.589859962 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:12:57.594804049 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:12:57.594891071 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:12:57.603058100 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:12:57.607947111 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:12:58.145123959 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:12:58.194113016 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:13:01.287981987 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:13:01.292901039 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:13:32.631783962 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:13:32.636841059 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:13:51.444434881 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:13:51.451287031 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:14:00.835055113 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:14:00.841197014 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:14:03.975673914 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:14:03.980700016 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:14:07.101018906 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:14:07.107686996 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:14:10.241226912 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:14:10.246524096 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:14:13.366247892 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:14:13.371164083 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:14:16.506866932 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:14:16.511805058 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:14:19.647525072 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:14:19.652843952 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:14:22.788155079 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:14:22.793284893 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:14:25.929023981 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:14:25.934446096 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:14:29.053817987 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:14:29.058727980 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:14:32.178858042 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:14:32.183923960 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:14:35.319411993 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:14:35.324887991 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:14:38.460120916 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:14:38.465010881 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:14:41.600847006 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:14:41.608042955 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:14:44.725697994 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:14:44.730870962 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:14:47.866508007 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:14:47.871398926 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:14:50.991391897 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:14:50.996503115 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:14:54.132021904 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:14:54.136972904 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:14:57.256982088 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:14:57.261903048 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:15:00.382127047 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:15:00.387090921 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:15:03.522605896 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:15:03.527616978 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:15:06.647850037 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:15:06.652848959 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:15:09.772627115 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:15:09.777631044 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:15:12.913299084 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:15:12.918267012 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:15:16.038249016 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:15:16.043116093 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:15:19.179094076 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:15:19.186846972 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:15:22.305229902 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:15:22.310864925 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:15:25.429091930 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:15:25.434027910 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:15:28.554105997 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:15:28.559413910 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:15:31.679120064 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:15:31.683969021 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:15:34.819679022 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:15:34.825444937 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:15:37.960181952 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:15:37.965126038 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:15:41.100912094 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:15:41.108592033 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:15:44.225826025 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:15:44.230895042 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:15:47.366687059 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:15:47.371661901 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:15:50.491511106 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:15:50.497765064 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:15:53.632509947 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:15:53.824331999 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:15:56.757078886 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:15:56.761936903 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:15:59.897741079 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:15:59.903954029 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:16:03.046962023 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:16:03.052200079 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:16:06.163400888 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:16:06.367072105 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:16:09.288505077 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:16:09.298954964 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:16:12.429179907 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:16:12.434616089 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:16:15.554155111 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:16:15.559185982 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:16:18.694617033 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:16:18.700160027 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:16:21.835403919 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:16:21.840472937 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:16:24.976248980 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:16:24.981411934 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:16:28.100905895 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:16:28.105873108 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:16:31.241559029 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:16:31.246587038 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:16:34.366552114 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:16:34.371695995 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:16:37.491601944 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:16:37.496442080 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:16:40.616661072 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:16:40.621546984 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:16:43.757167101 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:16:43.762044907 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:16:46.897917032 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:16:46.907032013 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:16:50.038639069 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:16:50.043551922 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:16:53.163711071 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:16:53.168991089 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:16:56.288558960 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:16:56.293798923 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Jun 25, 2024 18:16:59.942934990 CEST | 49705 | 50500 | 192.168.2.5 | 5.42.67.8 |
Jun 25, 2024 18:16:59.951035023 CEST | 50500 | 49705 | 5.42.67.8 | 192.168.2.5 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jun 25, 2024 18:13:16.644701004 CEST | 53 | 57576 | 1.1.1.1 | 192.168.2.5 |
Target ID: | 0 |
Start time: | 12:12:55 |
Start date: | 25/06/2024 |
Path: | C:\Users\user\Desktop\MqN5lD3LGo.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xb0000 |
File size: | 1'870'848 bytes |
MD5 hash: | C6C9F27D335D4E47B5EA12653E806BE6 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 12:12:55 |
Start date: | 25/06/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6d64d0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 12:12:55 |
Start date: | 25/06/2024 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xf90000 |
File size: | 65'440 bytes |
MD5 hash: | 0D5DF43AF2916F47D00C1573797C1A13 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |
Target ID: | 6 |
Start time: | 12:12:55 |
Start date: | 25/06/2024 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1e0000 |
File size: | 483'680 bytes |
MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Execution Graph
Execution Coverage: | 4.2% |
Dynamic/Decrypted Code Coverage: | 0.3% |
Signature Coverage: | 3% |
Total number of Nodes: | 2000 |
Total number of Limit Nodes: | 52 |
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
007F018D | 42.3 | 10 | 14 | 282 | thread, injection, memory, COMMON |
000D7AB0 | 8.9 | 2 | 3 | 122 | synchronization, thread, COMMON |
000C74F3 | 3.1 | 2 | | 65 | COMMON |
000C663B | 3.0 | 2 | | 22 | memory, COMMON, LIBRARYCODE |
000B8522 | 1.6 | 1 | | 108 | COMMON |
000D7C30 | 1.3 | 1 | | 94 | memory, COMMON |
000CFE5E | 8.8 | 3 | 2 | 85 | COMMON, LIBRARYCODE |
000CF6CF | 7.3 | 3 | 1 | 251 | COMMON, LIBRARYCODE |
000C7782 | 6.3 | 4 | | 337 | COMMON |
000B9EEF | 6.1 | 4 | | 70 | COMMON |
000CFAE2 | 4.7 | 3 | | 205 | COMMON |
000C2C20 | 3.4 | 2 | | 449 | COMMON |
000B9C95 | 1.6 | 1 | | 147 | COMMON |
000CC8CD | 1.6 | 1 | | 140 | COMMON |
000CFD35 | 1.6 | 1 | | 83 | COMMON |
000BFF04 | 1.6 | | 1 | 314 | COMMON |
000CFF64 | 1.5 | 1 | | 45 | COMMON |
000CF8CA | 1.5 | 1 | | 43 | COMMON |
000BA04B | 1.5 | 1 | | 3 | COMMON |
000CDAB5 | 1.3 | 1 | | 5 | memory, COMMON |
000D0DD4 | .3 | | | 317 | COMMON |
000C85C5 | .0 | | | 22 | COMMON, LIBRARYCODE |
000C3A8C | .0 | | | 12 | COMMON, LIBRARYCODE |
000B944A | 14.0 | 4 | 4 | 19 | library, loader, COMMON |
000BCE32 | 12.6 | 4 | 3 | 303 | COMMON, LIBRARYCODE |
000CB294 | 12.5 | 6 | 1 | 298 | COMMON, LIBRARYCODE |
000B9120 | 12.2 | 8 | | 175 | COMMON |
000C6D9E | 10.6 | 4 | 2 | 74 | COMMON, LIBRARYCODE |
000C3AAE | 8.8 | 3 | 2 | 42 | library, loader, COMMON, LIBRARYCODE |
000C9475 | 7.7 | 5 | | 202 | COMMON |
000B7072 | 7.6 | 5 | | 116 | thread, COMMON |
000B7C88 | 7.6 | 5 | | 65 | COMMON |
000BDBC7 | 7.0 | 3 | 1 | 27 | library, COMMON, LIBRARYCODE |
000B4740 | 6.2 | 4 | | 169 | COMMON |
000B5B50 | 6.1 | 4 | | 133 | COMMON |
000CC68A | 6.1 | 4 | | 82 | COMMON |
000C31C4 | 6.1 | 4 | | 79 | COMMON |
000CD620 | 6.1 | 4 | | 74 | COMMON |
000CECB6 | 5.4 | 1 | 2 | 113 | COMMON, LIBRARYCODE |
000BD1D7 | 5.4 | 1 | 2 | 112 | COMMON, LIBRARYCODE |
000B23C0 | 5.3 | 2 | 1 | 43 | COMMON, LIBRARYCODE |
Execution Graph
Execution Coverage: | 1.2% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 2.7% |
Total number of Nodes: | 789 |
Total number of Limit Nodes: | 13 |
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
0045DB00 | 7.7 | 5 | | 156 | sleep, COMMON |
00442CD3 | 17.8 | 9 | 1 | 273 | COMMON, LIBRARYCODE |
00448910 | 12.5 | 6 | 1 | 292 | COMMON, LIBRARYCODE |
00409280 | 7.4 | 3 | 1 | 382 | library, loader, network, COMMON |
004E6CA0 | 6.1 | 4 | | 75 | COMMON |
0045098D | 6.1 | 4 | | 74 | COMMON |
004E57F0 | 3.4 | 2 | | 350 | COMMON |
00438E02 | 1.7 | 1 | | 157 | COMMON |
004E7330 | 1.6 | 1 | | 122 | COMMON |
0044AC7F | 1.6 | 1 | | 54 | COMMON |
004E5D00 | 1.6 | 1 | | 51 | COMMON |
0044B094 | 1.5 | 1 | | 32 | memory, COMMON, LIBRARYCODE |
004E06D0 | 83.9 | 43 | 3 | 3428 | registry, time, process, COMMON |
004CF280 | 17.7 | 8 | 2 | 240 | injection, memory, synchronization, COMMON |
00432022 | 15.2 | 10 | | 200 | file, COMMON |
004534CF | 10.7 | 5 | 1 | 182 | COMMON, LIBRARYCODE |
005447E0 | 10.6 | 5 | 1 | 81 | window, COMMON |
00452B5A | 9.0 | 3 | 2 | 254 | COMMON, LIBRARYCODE |
004532F3 | 8.8 | 3 | 2 | 85 | COMMON, LIBRARYCODE |
0043C960 | 6.5 | 4 | | 455 | COMMON |
004C6000 | 6.3 | 4 | | 310 | file, COMMON |
|
Similarity |
|
Function 004938D0 Relevance: 6.2, APIs: 4, Instructions: 207fileCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00434184 Relevance: 6.1, APIs: 4, Instructions: 70COMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 005449B0 Relevance: 6.1, APIs: 4, Instructions: 55timeCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004580D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00431D94 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32windowCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00544A40 Relevance: 3.1, APIs: 2, Instructions: 87COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004E90C0 Relevance: 33.7, APIs: 18, Strings: 1, Instructions: 423libraryloaderthreadCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004D6790 Relevance: 19.9, APIs: 13, Instructions: 424fileCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004EEA40 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 148memorystringCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004579E3 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 147COMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004D6BA0 Relevance: 15.2, APIs: 10, Instructions: 164fileCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004377C6 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 303COMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004E4720 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 291registryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004335D8 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 19libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0044BB66 Relevance: 10.8, APIs: 7, Instructions: 329COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00545050 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 86windowCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0044B37E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00458023 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00443633 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 42libraryloaderCOMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00455EBC Relevance: 9.2, APIs: 6, Instructions: 248COMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0044520B Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 370COMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004D6D90 Relevance: 9.1, APIs: 6, Instructions: 101COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043756F Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 168COMMONLIBRARYCODE
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00544DE0 Relevance: 7.7, APIs: 5, Instructions: 208fileCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004E9A70 Relevance: 7.7, APIs: 5, Instructions: 181memorylibraryloaderCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00432BC8 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00544B20 Relevance: 7.6, APIs: 5, Instructions: 98COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0048F4D0 Relevance: 7.6, APIs: 5, Instructions: 69processCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00437B6B Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00438587 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00443A09 Relevance: 6.1, APIs: 4, Instructions: 132COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004E55A0 Relevance: 6.1, APIs: 4, Instructions: 121COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0044F9EC Relevance: 6.1, APIs: 4, Instructions: 82COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00545330 Relevance: 6.1, APIs: 4, Instructions: 81COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00545920 Relevance: 6.1, APIs: 4, Instructions: 76fileCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 005459E0 Relevance: 6.1, APIs: 4, Instructions: 66fileCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00545770 Relevance: 6.1, APIs: 4, Instructions: 61fileCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00431F0C Relevance: 6.0, APIs: 4, Instructions: 44COMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 005458C0 Relevance: 6.0, APIs: 4, Instructions: 35fileCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00481BC0 Relevance: 6.0, APIs: 4, Instructions: 20synchronizationthreadCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004C7070 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 325fileCOMMON
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00408F20 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 272libraryloaderCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004036E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 178COMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0044EA2E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 151fileCOMMONLIBRARYCODE
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004327B6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00404C20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44memoryCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043361D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27timeCOMMONLIBRARYCODE
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0044B7F4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0044B5DE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22memoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
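With several dozen functions in the listing, the question for a reverser is which ones to open first. The added example below (not Joe Sandbox's code, and not part of the original report) parses function rows in the form the raw text export produces, where the tag badges are concatenated directly onto the instruction count, and ranks the ones worth reversing first: relevance above a threshold, not flagged LIBRARYCODE, and carrying a capability tag such as injection, process, registry or thread. The eight sample rows are copied from this report's listing; the tag vocabulary, the relevance threshold and the set of "interesting" tags are assumptions chosen for this example.

```python
import re
from dataclasses import dataclass

# Constructed input: eight function rows copied from this report's code-analysis
# listing, in the form the raw text export produces (tag badges concatenated
# directly onto the instruction count).
SAMPLE_LISTING = """
Function 004E06D0 Relevance: 83.9, APIs: 43, Strings: 3, Instructions: 3428registrytimeprocessCOMMON
Function 004E90C0 Relevance: 33.7, APIs: 18, Strings: 1, Instructions: 423libraryloaderthreadCOMMON
Function 004CF280 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 240injectionmemorysynchronizationCOMMON
Function 00442CD3 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273COMMONLIBRARYCODE
Function 00409280 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 382libraryloadernetworkCOMMON
Function 0048F4D0 Relevance: 7.6, APIs: 5, Instructions: 69processCOMMON
Function 00481BC0 Relevance: 6.0, APIs: 4, Instructions: 20synchronizationthreadCOMMON
Function 00458023 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE
"""

# Tag vocabulary seen in this report. Assumption: these are the only badges the
# export glues together; longest-match splitting is unambiguous for this set.
TAGS = sorted(
    ("COMMON", "LIBRARYCODE", "file", "injection", "library", "loader", "memory",
     "network", "process", "registry", "string", "synchronization", "thread",
     "time", "window"),
    key=len, reverse=True,
)

# Capability tags that justify opening a function first during triage (assumption).
INTERESTING = {"injection", "process", "registry", "thread", "network", "loader"}

LINE_RE = re.compile(
    r"^Function (?P<addr>[0-9A-Fa-f]{8}) Relevance: (?P<rel>\d+(?:\.\d+)?), "
    r"APIs: (?P<apis>\d+),(?: Strings: (?P<strings>\d+),)? "
    r"Instructions: (?P<instr>\d+)(?P<tags>[A-Za-z]*)$"
)


@dataclass
class Func:
    addr: int
    relevance: float
    apis: int
    strings: int
    instructions: int
    tags: list


def split_tags(blob: str) -> list:
    """Split concatenated tag badges by greedy longest match against TAGS."""
    out = []
    while blob:
        for tag in TAGS:
            if blob.startswith(tag):
                out.append(tag)
                blob = blob[len(tag):]
                break
        else:
            raise ValueError(f"unrecognised tag fragment: {blob!r}")
    return out


def parse_listing(text: str) -> list:
    """Parse every 'Function ...' row; lines that are not rows are ignored."""
    funcs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        funcs.append(Func(
            addr=int(m["addr"], 16),
            relevance=float(m["rel"]),
            apis=int(m["apis"]),
            strings=int(m["strings"] or 0),   # row omits Strings when none
            instructions=int(m["instr"]),
            tags=split_tags(m["tags"]),
        ))
    return funcs


def triage(funcs: list, min_relevance: float = 5.0) -> list:
    """Functions worth reversing first: relevant, not library code, and tagged
    with at least one capability in INTERESTING, highest relevance first."""
    picked = [
        f for f in funcs
        if f.relevance >= min_relevance
        and "LIBRARYCODE" not in f.tags
        and INTERESTING & set(f.tags)
    ]
    return sorted(picked, key=lambda f: f.relevance, reverse=True)


if __name__ == "__main__":
    for f in triage(parse_listing(SAMPLE_LISTING)):
        caps = ",".join(t for t in f.tags if t in INTERESTING)
        print(f"{f.addr:08X}  rel={f.relevance:5.1f}  apis={f.apis:2d}  caps={caps}")
```

On the sample rows this surfaces 004E06D0 (registry, process), 004E90C0 (loader, thread) and 004CF280 (injection) ahead of the rest, and drops 00442CD3 and 00458023 despite their relevance because the report marks them as library code; the threshold and tag set are the knobs to tune when the listing is long.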