Edit tour
Windows
Analysis Report
whiteee.exe
Overview
General Information
| Sample name: | whiteee.exe |
| Analysis ID: | 1465940 |
| MD5: | 9a961cdb405219d714347c06a7a6a995 |
| SHA1: | 2bf6f2e31d453c52685f8ffeaa52056aa727674d |
| SHA256: | 2cbc13099ee1ba4b8c671bfca525bb2c5c057c2fc13df105dec2852a8b672e50 |
| Infos: |  |
 | |
Detection
Snake Keylogger
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Generic Downloader
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
whiteee.exe (PID: 7320 cmdline: "C:\Users\ user\Deskt op\whiteee .exe" MD5: 9A961CDB405219D714347C06A7A6A995) 
RegSvcs.exe (PID: 7336 cmdline: "C:\Users\ user\Deskt op\whiteee .exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| 404 Keylogger, Snake Keylogger | Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. | No Attribution |
{"Exfil Mode": "SMTP", "Username": "mmcc1@cash4cars.nz", "Password": "TeZIDzFWyl7%", "Host": "mail.cash4cars.nz", "Port": "26"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | ||
| JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security | ||
| Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown |
| |
| MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth |
| |
| Click to see the 16 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security | ||
| Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown |
| |
| MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth |
| |
| INDICATOR_SUSPICIOUS_EXE_DotNetProcHook | Detects executables with potential process hoocking | ditekSHen |
| |
| Click to see the 15 entries | ||||
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
Location Tracking | |
|---|
| Source: | DNS query: | ||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_003DDBBE | |
| Source: | Code function: | 0_2_003E68EE | |
| Source: | Code function: | 0_2_003E698F | |
| Source: | Code function: | 0_2_003DD076 | |
| Source: | Code function: | 0_2_003DD3A9 | |
| Source: | Code function: | 0_2_003E9642 | |
| Source: | Code function: | 0_2_003E979D | |
| Source: | Code function: | 0_2_003E9B2B | |
| Source: | Code function: | 0_2_003E5C97 | |
| Source: | Code function: | 1_2_00E3F007 | |
| Source: | Code function: | 1_2_00E3F007 | |
| Source: | Code function: | 1_2_00E3E528 | |
| Source: | Code function: | 1_2_00E3EB5B | |
| Source: | Code function: | 1_2_00E3ED3C | |
| Source: | Code function: | 1_2_06568608 | |
| Source: | Code function: | 1_2_06565618 | |
| Source: | Code function: | 1_2_06565EC8 | |
| Source: | Code function: | 1_2_06566778 | |
| Source: | Code function: | 1_2_06560498 | |
| Source: | Code function: | 1_2_065674A8 | |
| Source: | Code function: | 1_2_06567D58 | |
| Source: | Code function: | 1_2_06560D48 | |
| Source: | Code function: | 1_2_06565A70 | |
| Source: | Code function: | 1_2_06566320 | |
| Source: | Code function: | 1_2_06566BD0 | |
| Source: | Code function: | 1_2_065633B8 | |
| Source: | Code function: | 1_2_065633A8 | |
| Source: | Code function: | 1_2_06567050 | |
| Source: | Code function: | 1_2_06560040 | |
| Source: | Code function: | 1_2_065608F0 | |
| Source: | Code function: | 1_2_06567900 | |
| Source: | Code function: | 1_2_06565198 | |
| Source: | Code function: | 1_2_065681B0 | |
Networking | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | DNS query: | ||
| Source: | DNS query: | ||
| Source: | DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 0_2_003ECE44 | |
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Code function: | 0_2_003EEAFF | |
| Source: | Code function: | 0_2_003EED6A | |
| Source: | Code function: | 0_2_003EEAFF | |
| Source: | Code function: | 0_2_003DAA57 | |
| Source: | Code function: | 0_2_00409576 | |
System Summary | |
|---|
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | memstr_0c7e4f4c-c | |
| Source: | String found in binary or memory: | memstr_32a79b55-9 | |
| Source: | String found in binary or memory: | memstr_9ff9c25d-8 | |
| Source: | String found in binary or memory: | memstr_e65ee30f-0 | |
| Source: | Code function: | 0_2_003DD5EB | |
| Source: | Code function: | 0_2_003D1201 | |
| Source: | Code function: | 0_2_003DE8F6 | |
| Source: | Code function: | 0_2_0037BF40 | |
| Source: | Code function: | 0_2_00378060 | |
| Source: | Code function: | 0_2_003E2046 | |
| Source: | Code function: | 0_2_003D8298 | |
| Source: | Code function: | 0_2_003AE4FF | |
| Source: | Code function: | 0_2_003A676B | |
| Source: | Code function: | 0_2_00404873 | |
| Source: | Code function: | 0_2_0039CAA0 | |
| Source: | Code function: | 0_2_0037CAF0 | |
| Source: | Code function: | 0_2_0038CC39 | |
| Source: | Code function: | 0_2_003A6DD9 | |
| Source: | Code function: | 0_2_0038B119 | |
| Source: | Code function: | 0_2_003791C0 | |
| Source: | Code function: | 0_2_00391394 | |
| Source: | Code function: | 0_2_00391706 | |
| Source: | Code function: | 0_2_0039781B | |
| Source: | Code function: | 0_2_00377920 | |
| Source: | Code function: | 0_2_0038997D | |
| Source: | Code function: | 0_2_003919B0 | |
| Source: | Code function: | 0_2_00397A4A | |
| Source: | Code function: | 0_2_00391C77 | |
| Source: | Code function: | 0_2_00397CA7 | |
| Source: | Code function: | 0_2_003FBE44 | |
| Source: | Code function: | 0_2_003A9EEE | |
| Source: | Code function: | 0_2_00391F32 | |
| Source: | Code function: | 0_2_010F3600 | |
| Source: | Code function: | 1_2_00E3F007 | |
| Source: | Code function: | 1_2_00E3C190 | |
| Source: | Code function: | 1_2_00E36108 | |
| Source: | Code function: | 1_2_00E3B328 | |
| Source: | Code function: | 1_2_00E3C470 | |
| Source: | Code function: | 1_2_00E3C752 | |
| Source: | Code function: | 1_2_00E36880 | |
| Source: | Code function: | 1_2_00E39858 | |
| Source: | Code function: | 1_2_00E34AD9 | |
| Source: | Code function: | 1_2_00E3CA32 | |
| Source: | Code function: | 1_2_00E3BBD2 | |
| Source: | Code function: | 1_2_00E3BEB0 | |
| Source: | Code function: | 1_2_00E3B4F2 | |
| Source: | Code function: | 1_2_00E33572 | |
| Source: | Code function: | 1_2_00E3E528 | |
| Source: | Code function: | 1_2_00E3E517 | |
| Source: | Code function: | 1_2_0656D670 | |
| Source: | Code function: | 1_2_06568608 | |
| Source: | Code function: | 1_2_0656B6E8 | |
| Source: | Code function: | 1_2_06568C51 | |
| Source: | Code function: | 1_2_0656A408 | |
| Source: | Code function: | 1_2_0656BD38 | |
| Source: | Code function: | 1_2_0656AA58 | |
| Source: | Code function: | 1_2_0656C388 | |
| Source: | Code function: | 1_2_0656D028 | |
| Source: | Code function: | 1_2_0656B0A0 | |
| Source: | Code function: | 1_2_0656C9D8 | |
| Source: | Code function: | 1_2_065611A0 | |
| Source: | Code function: | 1_2_0656D662 | |
| Source: | Code function: | 1_2_06565611 | |
| Source: | Code function: | 1_2_06565618 | |
| Source: | Code function: | 1_2_0656B6D9 | |
| Source: | Code function: | 1_2_06565EC3 | |
| Source: | Code function: | 1_2_06565EC8 | |
| Source: | Code function: | 1_2_06566773 | |
| Source: | Code function: | 1_2_06566778 | |
| Source: | Code function: | 1_2_06563730 | |
| Source: | Code function: | 1_2_06564430 | |
| Source: | Code function: | 1_2_06560493 | |
| Source: | Code function: | 1_2_06560498 | |
| Source: | Code function: | 1_2_065674A3 | |
| Source: | Code function: | 1_2_065674A8 | |
| Source: | Code function: | 1_2_06567D53 | |
| Source: | Code function: | 1_2_06567D58 | |
| Source: | Code function: | 1_2_06560D48 | |
| Source: | Code function: | 1_2_06560D3B | |
| Source: | Code function: | 1_2_0656BD28 | |
| Source: | Code function: | 1_2_065685F8 | |
| Source: | Code function: | 1_2_0656AA48 | |
| Source: | Code function: | 1_2_06565A70 | |
| Source: | Code function: | 1_2_06565A60 | |
| Source: | Code function: | 1_2_0656C378 | |
| Source: | Code function: | 1_2_0656631B | |
| Source: | Code function: | 1_2_06566320 | |
| Source: | Code function: | 1_2_06566BD0 | |
| Source: | Code function: | 1_2_06566BCB | |
| Source: | Code function: | 1_2_0656A3F8 | |
| Source: | Code function: | 1_2_065633B8 | |
| Source: | Code function: | 1_2_065633A8 | |
| Source: | Code function: | 1_2_06567050 | |
| Source: | Code function: | 1_2_06560040 | |
| Source: | Code function: | 1_2_0656704B | |
| Source: | Code function: | 1_2_06562818 | |
| Source: | Code function: | 1_2_0656D018 | |
| Source: | Code function: | 1_2_06562807 | |
| Source: | Code function: | 1_2_0656003B | |
| Source: | Code function: | 1_2_065608F0 | |
| Source: | Code function: | 1_2_065678F0 | |
| Source: | Code function: | 1_2_065608E3 | |
| Source: | Code function: | 1_2_0656B08F | |
| Source: | Code function: | 1_2_06567900 | |
| Source: | Code function: | 1_2_0656C9C8 | |
| Source: | Code function: | 1_2_06565198 | |
| Source: | Code function: | 1_2_0656518B | |
| Source: | Code function: | 1_2_065681B0 | |
| Source: | Code function: | 1_2_065681AB | |
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_003E37B5 | |
| Source: | Code function: | 0_2_003D10BF | |
| Source: | Code function: | 0_2_003D16C3 | |
| Source: | Code function: | 0_2_003E51CD | |
| Source: | Code function: | 0_2_003FA67C | |
| Source: | Code function: | 0_2_003E648E | |
| Source: | Code function: | 0_2_003742A2 | |
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_003742DE | |
| Source: | Code function: | 0_2_00390A89 | |
| Source: | Code function: | 0_2_0038F98E | |
| Source: | Code function: | 0_2_00401C41 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | Sandbox detection routine: | graph_0-97347 | ||
| Source: | API/Special instruction interceptor: | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | API coverage: | ||
| Source: | Code function: | 0_2_003DDBBE | |
| Source: | Code function: | 0_2_003E68EE | |
| Source: | Code function: | 0_2_003E698F | |
| Source: | Code function: | 0_2_003DD076 | |
| Source: | Code function: | 0_2_003DD3A9 | |
| Source: | Code function: | 0_2_003E9642 | |
| Source: | Code function: | 0_2_003E979D | |
| Source: | Code function: | 0_2_003E9B2B | |
| Source: | Code function: | 0_2_003E5C97 | |
| Source: | Code function: | 0_2_003742DE | |
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_003EEAA2 | |
| Source: | Code function: | 0_2_003A2622 | |
| Source: | Code function: | 0_2_003742DE | |
| Source: | Code function: | 0_2_00394CE8 | |
| Source: | Code function: | 0_2_010F3490 | |
| Source: | Code function: | 0_2_010F34F0 | |
| Source: | Code function: | 0_2_010F1E70 | |
| Source: | Code function: | 0_2_003D0B62 | |
| Source: | Code function: | 0_2_003A2622 | |
| Source: | Code function: | 0_2_0039083F | |
| Source: | Code function: | 0_2_003909D5 | |
| Source: | Code function: | 0_2_00390C21 | |
| Source: | Memory allocated: | Jump to behavior | ||
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Code function: | 0_2_003D1201 | |
| Source: | Code function: | 0_2_003B2BA5 | |
| Source: | Code function: | 0_2_003DB226 | |
| Source: | Code function: | 0_2_003F22DA | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_003D0B62 | |
| Source: | Code function: | 0_2_003D1663 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_00390698 | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_003E8195 | |
| Source: | Code function: | 0_2_003CD27A | |
| Source: | Code function: | 0_2_003ABB6F | |
| Source: | Code function: | 0_2_003742DE | |
| Source: | Key value queried: | Jump to behavior | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Code function: | 0_2_003F1204 | |
| Source: | Code function: | 0_2_003F1806 | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 11 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Valid Accounts | 1 DLL Side-Loading | 11 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 2 Valid Accounts | 3 Obfuscated Files or Information | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 21 Access Token Manipulation | 1 DLL Side-Loading | NTDS | 127 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 212 Process Injection | 2 Valid Accounts | LSA Secrets | 221 Security Software Discovery | SSH | 3 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 111 Virtualization/Sandbox Evasion | Cached Domain Credentials | 111 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 21 Access Token Manipulation | DCSync | 2 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 212 Process Injection | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 42% | Virustotal | Browse | ||
| 37% | ReversingLabs | Win32.Trojan.Strab | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Virustotal | Browse | ||
| 0% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 3% | Virustotal | Browse |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 0% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 0% | Virustotal | Browse | ||
| 0% | Virustotal | Browse | ||
| 0% | Virustotal | Browse |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| reallyfreegeoip.org | 188.114.97.3 | true | true |
| unknown |
| checkip.dyndns.com | 193.122.6.168 | true | false |
| unknown |
| checkip.dyndns.org | unknown | unknown | true |
| unknown |
| 56.126.166.20.in-addr.arpa | unknown | unknown | true |
| unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false |
| unknown | |
| false |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 188.114.97.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | true | |
| 193.122.6.168 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false |
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1465940 |
| Start date and time: | 2024-07-02 09:53:38 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 7m 53s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 7 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | whiteee.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@3/4@3/2 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target RegSvcs.exe, PID 7336 because it is empty
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing disassembly code.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
| Time | Type | Description |
|---|---|---|
| 03:54:27 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 188.114.97.3 | Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| |
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
| ||
| Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| 193.122.6.168 | Get hash | malicious | Snake Keylogger | Browse |
| |
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| reallyfreegeoip.org | Get hash | malicious | Snake Keylogger | Browse |
| |
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | PureLog Stealer, Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| checkip.dyndns.com | Get hash | malicious | Snake Keylogger | Browse |
| |
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | PureLog Stealer, Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| ORACLE-BMC-31898US | Get hash | malicious | Mirai | Browse |
| |
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | PureLog Stealer, Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| CLOUDFLARENETUS | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 54328bd36c14bd82ddaa0c04b25ed9ad | Get hash | malicious | Snake Keylogger | Browse |
| |
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | PureLog Stealer, Snake Keylogger | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
|
⊘No context
| Process: | C:\Users\user\Desktop\whiteee.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 94302 |
| Entropy (8bit): | 7.917642664391931 |
| Encrypted: | false |
| SSDEEP: | 1536:93QKWvqNhX1wt2JN7uYBIErjo51aDJwzLqQO7uS585KsZOE5omTbGb:JQKMqNhlwt2JNyeDJ4LqQO7uSaL5Tab |
| MD5: | 08E69F513E7135B7F341730C2EB9AE0C |
| SHA1: | F1C465DB20849547B40408A3D10476D6FB7588B2 |
| SHA-256: | CB38FA0173C8D4328AE2D6B3ECAFF70EB2A370788768AA1C75F5E2900DDE0F3B |
| SHA-512: | 1916976DCBE1F93D647DD5737574AF05F2CE05892C47C9A958DAA32D0000F1ADD0FED98907C19F0D1AA2F274E48E1EBA65EBF0C7F9B7A386C0C09CA6BDD2B65A |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\whiteee.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 9756 |
| Entropy (8bit): | 7.59858423713064 |
| Encrypted: | false |
| SSDEEP: | 192:Zj4X4BSXRq4D63ILqnXTj9aiAjtFMw5V8vdjE6TH8XyMBMEuVV:l4oBSfD6YLCTEbjMwYvdkyJEI |
| MD5: | E6437615E55D65F684E3B1225B1A154D |
| SHA1: | 6626CBA35D589C334597BEF3B683134A2B731529 |
| SHA-256: | 14422302512F449ABD823C0E3AE8BFEACC008597714B8FA010DDFE1DB8BFC73A |
| SHA-512: | FC315B301BFEB27C8070D793F2224F146F42222EEA21C658686B096D9F23AF4569CE938AF0AAF8D1879BB0780DE4957F9E7C7116144EC24780029ED8DE1AFAAF |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\whiteee.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 28680 |
| Entropy (8bit): | 3.5819791737673996 |
| Encrypted: | false |
| SSDEEP: | 384:YzJejro12+7eXZdNPlWrqGjfOtr+KJmJEcouNlLmmuN0b0mTTqLOTHhC:YNegs6eXDNPlWrGtwJEcouNpuXIT0KC |
| MD5: | A327834B411331A2A30DD0982B1B0FD0 |
| SHA1: | CFED37E33A24005D85BF1C9F70ED67AB517F8FBF |
| SHA-256: | 5E9FA4E8A141D8720FF63B2ADD4A8D22046F1B8A177725FE2F89852AC1F2AF55 |
| SHA-512: | 84BB685943B0953137BC1F676C66CE950815BB2D076AB2E51AD91F5EF4522A74322A329D89C3917361F6F08C53F00FE5E36A76C01B45D7871F9FD8B25EA04B20 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\whiteee.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 133120 |
| Entropy (8bit): | 6.981698798475341 |
| Encrypted: | false |
| SSDEEP: | 3072:mdfi0JI5x2QxTz0qJteWhqUZXxLYGlaCB4I5WHn1:mdXeDlQetThqokMaCaIEV |
| MD5: | 4C2A282BAB95F9DA2CFE55CEF1A10DF4 |
| SHA1: | 4B1DCC4B7D0DD47E643B423480C0DB7BF55FDBD6 |
| SHA-256: | 45F186D0F1364BAC390B52C5E872CC731EB18D754151EF096D82A16FC73BB819 |
| SHA-512: | 76DD642F670ED04992E42C09EC7003E3EDF5E49B6870E869C1257A115AF2F8EFBAD1DB6BF05591114114212F4353B1556C522622A6085DD5B78761DDE6A5AD52 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.789821451267343 |
| TrID: |
|
| File name: | whiteee.exe |
| File size: | 1'078'272 bytes |
| MD5: | 9a961cdb405219d714347c06a7a6a995 |
| SHA1: | 2bf6f2e31d453c52685f8ffeaa52056aa727674d |
| SHA256: | 2cbc13099ee1ba4b8c671bfca525bb2c5c057c2fc13df105dec2852a8b672e50 |
| SHA512: | c016af696bf4b3eb6d27a61afc6760eee7d50624ee198e9d64562564ee6f5243508edf215b5325010ee9a484cbe4d218bc6beb52eefe9a548738022e82fedf3f |
| SSDEEP: | 24576:tqDEvCTbMWu7rQYlBQcBiT6rprG8af3BG5kPJ:tTvC/MTQYxsWR7afJ |
| TLSH: | 70358D03738D822EFF9A91721B76E23146BC6F270123A55F32D85D7EB970165063E6E2 |
| File Content Preview: | MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z.... |
 | |
| Icon Hash: | 6ced8d96b2ace4b2 |
| Entrypoint: | 0x420577 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x66834214 [Mon Jul 1 23:56:04 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 1 |
| File Version Major: | 5 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 1 |
| Import Hash: | 948cc502fe9226992dce9417f952fce3 |
| Instruction |
|---|
| call 00007F10688B7A73h |
| jmp 00007F10688B737Fh |
| push ebp |
| mov ebp, esp |
| push esi |
| push dword ptr [ebp+08h] |
| mov esi, ecx |
| call 00007F10688B755Dh |
| mov dword ptr [esi], 0049FDF0h |
| mov eax, esi |
| pop esi |
| pop ebp |
| retn 0004h |
| and dword ptr [ecx+04h], 00000000h |
| mov eax, ecx |
| and dword ptr [ecx+08h], 00000000h |
| mov dword ptr [ecx+04h], 0049FDF8h |
| mov dword ptr [ecx], 0049FDF0h |
| ret |
| push ebp |
| mov ebp, esp |
| push esi |
| push dword ptr [ebp+08h] |
| mov esi, ecx |
| call 00007F10688B752Ah |
| mov dword ptr [esi], 0049FE0Ch |
| mov eax, esi |
| pop esi |
| pop ebp |
| retn 0004h |
| and dword ptr [ecx+04h], 00000000h |
| mov eax, ecx |
| and dword ptr [ecx+08h], 00000000h |
| mov dword ptr [ecx+04h], 0049FE14h |
| mov dword ptr [ecx], 0049FE0Ch |
| ret |
| push ebp |
| mov ebp, esp |
| push esi |
| mov esi, ecx |
| lea eax, dword ptr [esi+04h] |
| mov dword ptr [esi], 0049FDD0h |
| and dword ptr [eax], 00000000h |
| and dword ptr [eax+04h], 00000000h |
| push eax |
| mov eax, dword ptr [ebp+08h] |
| add eax, 04h |
| push eax |
| call 00007F10688BA11Dh |
| pop ecx |
| pop ecx |
| mov eax, esi |
| pop esi |
| pop ebp |
| retn 0004h |
| lea eax, dword ptr [ecx+04h] |
| mov dword ptr [ecx], 0049FDD0h |
| push eax |
| call 00007F10688BA168h |
| pop ecx |
| ret |
| push ebp |
| mov ebp, esp |
| push esi |
| mov esi, ecx |
| lea eax, dword ptr [esi+04h] |
| mov dword ptr [esi], 0049FDD0h |
| push eax |
| call 00007F10688BA151h |
| test byte ptr [ebp+08h], 00000001h |
| pop ecx |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x309d4 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x105000 | 0x7594 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xd4000 | 0x309d4 | 0x30a00 | 53b90fe8965d1e582c974302cca02fb6 | False | 0.6482567480719794 | data | 7.032311781909001 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x105000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xd4458 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216 |
| RT_ICON | 0xd4580 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027 |
| RT_ICON | 0xd46a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135 |
| RT_ICON | 0xd47d0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 34556 x 34556 px/m | English | Great Britain | 0.07952797823258015 |
| RT_MENU | 0xe4ff8 | 0x50 | data | English | Great Britain | 0.9 |
| RT_STRING | 0xe5048 | 0x594 | data | English | Great Britain | 0.3333333333333333 |
| RT_STRING | 0xe55dc | 0x68a | data | English | Great Britain | 0.2735961768219833 |
| RT_STRING | 0xe5c68 | 0x490 | data | English | Great Britain | 0.3715753424657534 |
| RT_STRING | 0xe60f8 | 0x5fc | data | English | Great Britain | 0.3087467362924282 |
| RT_STRING | 0xe66f4 | 0x65c | data | English | Great Britain | 0.34336609336609336 |
| RT_STRING | 0xe6d50 | 0x466 | data | English | Great Britain | 0.3605683836589698 |
| RT_STRING | 0xe71b8 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186 |
| RT_RCDATA | 0xe7310 | 0x1d176 | data | 1.0003860420618003 | ||
| RT_GROUP_ICON | 0x104488 | 0x14 | data | English | Great Britain | 1.25 |
| RT_GROUP_ICON | 0x10449c | 0x14 | data | English | Great Britain | 1.25 |
| RT_GROUP_ICON | 0x1044b0 | 0x14 | data | English | Great Britain | 1.15 |
| RT_GROUP_ICON | 0x1044c4 | 0x14 | data | English | Great Britain | 1.25 |
| RT_VERSION | 0x1044d8 | 0x10c | data | English | Great Britain | 0.5970149253731343 |
| RT_MANIFEST | 0x1045e4 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823 |
| DLL | Import |
|---|---|
| WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect |
| VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW |
| WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW |
| COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create |
| MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W |
| WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable |
| PSAPI.DLL | GetProcessMemoryInfo |
| IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile |
| USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile |
| UxTheme.dll | IsThemeActive |
| KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW |
| USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient |
| GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath |
| COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW |
| ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW |
| SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW |
| ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket |
| OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | Great Britain |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jul 2, 2024 09:54:26.952009916 CEST | 49730 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:26.956883907 CEST | 80 | 49730 | 193.122.6.168 | 192.168.2.4 |
| Jul 2, 2024 09:54:26.957026005 CEST | 49730 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:26.957138062 CEST | 49730 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:26.962318897 CEST | 80 | 49730 | 193.122.6.168 | 192.168.2.4 |
| Jul 2, 2024 09:54:27.591464996 CEST | 80 | 49730 | 193.122.6.168 | 192.168.2.4 |
| Jul 2, 2024 09:54:27.615267038 CEST | 49730 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:27.620173931 CEST | 80 | 49730 | 193.122.6.168 | 192.168.2.4 |
| Jul 2, 2024 09:54:27.802650928 CEST | 80 | 49730 | 193.122.6.168 | 192.168.2.4 |
| Jul 2, 2024 09:54:27.854101896 CEST | 49730 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:27.864638090 CEST | 49731 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:27.864675999 CEST | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:27.864742994 CEST | 49731 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:27.873584032 CEST | 49731 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:27.873594999 CEST | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:28.369517088 CEST | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:28.369602919 CEST | 49731 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:28.375020981 CEST | 49731 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:28.375035048 CEST | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:28.375300884 CEST | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:28.416838884 CEST | 49731 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:28.423181057 CEST | 49731 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:28.464500904 CEST | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:28.535621881 CEST | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:28.535717010 CEST | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:28.535900116 CEST | 49731 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:28.541799068 CEST | 49731 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:28.544725895 CEST | 49730 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:28.549573898 CEST | 80 | 49730 | 193.122.6.168 | 192.168.2.4 |
| Jul 2, 2024 09:54:28.733041048 CEST | 80 | 49730 | 193.122.6.168 | 192.168.2.4 |
| Jul 2, 2024 09:54:28.735745907 CEST | 49732 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:28.735775948 CEST | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:28.735896111 CEST | 49732 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:28.736105919 CEST | 49732 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:28.736120939 CEST | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:28.775952101 CEST | 49730 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:29.210735083 CEST | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:29.212488890 CEST | 49732 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:29.212506056 CEST | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:29.364985943 CEST | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:29.365082979 CEST | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:29.365155935 CEST | 49732 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:29.365729094 CEST | 49732 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:29.368902922 CEST | 49730 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:29.370198011 CEST | 49733 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:29.375358105 CEST | 80 | 49733 | 193.122.6.168 | 192.168.2.4 |
| Jul 2, 2024 09:54:29.375435114 CEST | 49733 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:29.375497103 CEST | 49733 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:29.375535011 CEST | 80 | 49730 | 193.122.6.168 | 192.168.2.4 |
| Jul 2, 2024 09:54:29.375583887 CEST | 49730 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:29.380410910 CEST | 80 | 49733 | 193.122.6.168 | 192.168.2.4 |
| Jul 2, 2024 09:54:30.077723980 CEST | 80 | 49733 | 193.122.6.168 | 192.168.2.4 |
| Jul 2, 2024 09:54:30.078860044 CEST | 49734 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:30.078896046 CEST | 443 | 49734 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:30.078973055 CEST | 49734 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:30.079211950 CEST | 49734 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:30.079222918 CEST | 443 | 49734 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:30.119700909 CEST | 49733 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:30.546875000 CEST | 443 | 49734 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:30.548466921 CEST | 49734 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:30.548497915 CEST | 443 | 49734 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:30.674258947 CEST | 443 | 49734 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:30.674348116 CEST | 443 | 49734 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:30.674412966 CEST | 49734 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:30.674931049 CEST | 49734 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:30.679080009 CEST | 49735 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:30.683907032 CEST | 80 | 49735 | 193.122.6.168 | 192.168.2.4 |
| Jul 2, 2024 09:54:30.683990955 CEST | 49735 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:30.684071064 CEST | 49735 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:30.689568996 CEST | 80 | 49735 | 193.122.6.168 | 192.168.2.4 |
| Jul 2, 2024 09:54:31.321958065 CEST | 80 | 49735 | 193.122.6.168 | 192.168.2.4 |
| Jul 2, 2024 09:54:31.323283911 CEST | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:31.323317051 CEST | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:31.323394060 CEST | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:31.323617935 CEST | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:31.323633909 CEST | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:31.369812012 CEST | 49735 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:31.787070036 CEST | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:31.788564920 CEST | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:31.788592100 CEST | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:31.939837933 CEST | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:31.939913988 CEST | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:31.939965010 CEST | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:31.940423965 CEST | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:31.943430901 CEST | 49735 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:31.944395065 CEST | 49737 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:31.949563026 CEST | 80 | 49737 | 193.122.6.168 | 192.168.2.4 |
| Jul 2, 2024 09:54:31.949651003 CEST | 80 | 49735 | 193.122.6.168 | 192.168.2.4 |
| Jul 2, 2024 09:54:31.949702978 CEST | 49737 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:31.949728012 CEST | 49735 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:31.949815035 CEST | 49737 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:31.954617977 CEST | 80 | 49737 | 193.122.6.168 | 192.168.2.4 |
| Jul 2, 2024 09:54:32.590656042 CEST | 80 | 49737 | 193.122.6.168 | 192.168.2.4 |
| Jul 2, 2024 09:54:32.592087984 CEST | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:32.592112064 CEST | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:32.592179060 CEST | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:32.592421055 CEST | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:32.592432976 CEST | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:32.635338068 CEST | 49737 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:33.066376925 CEST | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:33.067858934 CEST | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:33.067883015 CEST | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:33.192188025 CEST | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:33.192250013 CEST | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:33.192301989 CEST | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:33.192662954 CEST | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:33.195447922 CEST | 49737 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:33.196407080 CEST | 49739 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:33.201359987 CEST | 80 | 49737 | 193.122.6.168 | 192.168.2.4 |
| Jul 2, 2024 09:54:33.201426029 CEST | 49737 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:33.202235937 CEST | 80 | 49739 | 193.122.6.168 | 192.168.2.4 |
| Jul 2, 2024 09:54:33.202347994 CEST | 49739 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:33.202431917 CEST | 49739 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:33.208538055 CEST | 80 | 49739 | 193.122.6.168 | 192.168.2.4 |
| Jul 2, 2024 09:54:33.841557980 CEST | 80 | 49739 | 193.122.6.168 | 192.168.2.4 |
| Jul 2, 2024 09:54:33.842823029 CEST | 49740 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:33.842861891 CEST | 443 | 49740 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:33.842947006 CEST | 49740 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:33.843190908 CEST | 49740 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:33.843202114 CEST | 443 | 49740 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:33.885453939 CEST | 49739 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:34.311857939 CEST | 443 | 49740 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:34.314580917 CEST | 49740 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:34.314604044 CEST | 443 | 49740 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:34.454984903 CEST | 443 | 49740 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:34.455037117 CEST | 443 | 49740 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:34.455096960 CEST | 49740 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:34.455508947 CEST | 49740 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:34.458550930 CEST | 49739 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:34.459732056 CEST | 49741 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:34.464507103 CEST | 80 | 49739 | 193.122.6.168 | 192.168.2.4 |
| Jul 2, 2024 09:54:34.464575052 CEST | 49739 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:34.464658976 CEST | 80 | 49741 | 193.122.6.168 | 192.168.2.4 |
| Jul 2, 2024 09:54:34.464734077 CEST | 49741 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:34.464793921 CEST | 49741 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:34.469630003 CEST | 80 | 49741 | 193.122.6.168 | 192.168.2.4 |
| Jul 2, 2024 09:54:35.102057934 CEST | 80 | 49741 | 193.122.6.168 | 192.168.2.4 |
| Jul 2, 2024 09:54:35.103156090 CEST | 49742 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:35.103199005 CEST | 443 | 49742 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:35.103261948 CEST | 49742 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:35.103502035 CEST | 49742 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:35.103518009 CEST | 443 | 49742 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:35.150958061 CEST | 49741 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:35.579931974 CEST | 443 | 49742 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:35.581551075 CEST | 49742 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:35.581581116 CEST | 443 | 49742 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:35.705929041 CEST | 443 | 49742 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:35.705997944 CEST | 443 | 49742 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:35.706052065 CEST | 49742 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:35.708117008 CEST | 49742 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:35.711590052 CEST | 49741 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:35.712743044 CEST | 49743 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:35.717230082 CEST | 80 | 49741 | 193.122.6.168 | 192.168.2.4 |
| Jul 2, 2024 09:54:35.717292070 CEST | 49741 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:35.717577934 CEST | 80 | 49743 | 193.122.6.168 | 192.168.2.4 |
| Jul 2, 2024 09:54:35.717638016 CEST | 49743 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:35.717850924 CEST | 49743 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:35.723162889 CEST | 80 | 49743 | 193.122.6.168 | 192.168.2.4 |
| Jul 2, 2024 09:54:36.359414101 CEST | 80 | 49743 | 193.122.6.168 | 192.168.2.4 |
| Jul 2, 2024 09:54:36.373446941 CEST | 49744 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:36.373505116 CEST | 443 | 49744 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:36.373577118 CEST | 49744 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:36.380245924 CEST | 49744 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:36.380261898 CEST | 443 | 49744 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:36.403595924 CEST | 49743 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:54:36.846780062 CEST | 443 | 49744 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:36.848429918 CEST | 49744 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:36.848457098 CEST | 443 | 49744 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:36.987566948 CEST | 443 | 49744 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:36.987653971 CEST | 443 | 49744 | 188.114.97.3 | 192.168.2.4 |
| Jul 2, 2024 09:54:36.987694025 CEST | 49744 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:54:36.988120079 CEST | 49744 | 443 | 192.168.2.4 | 188.114.97.3 |
| Jul 2, 2024 09:55:35.030750990 CEST | 80 | 49733 | 193.122.6.168 | 192.168.2.4 |
| Jul 2, 2024 09:55:35.030827999 CEST | 49733 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:55:41.359831095 CEST | 80 | 49743 | 193.122.6.168 | 192.168.2.4 |
| Jul 2, 2024 09:55:41.360004902 CEST | 49743 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:56:16.385663033 CEST | 49743 | 80 | 192.168.2.4 | 193.122.6.168 |
| Jul 2, 2024 09:56:16.390964031 CEST | 80 | 49743 | 193.122.6.168 | 192.168.2.4 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jul 2, 2024 09:54:26.938918114 CEST | 60294 | 53 | 192.168.2.4 | 1.1.1.1 |
| Jul 2, 2024 09:54:26.947499990 CEST | 53 | 60294 | 1.1.1.1 | 192.168.2.4 |
| Jul 2, 2024 09:54:27.844763994 CEST | 59144 | 53 | 192.168.2.4 | 1.1.1.1 |
| Jul 2, 2024 09:54:27.864085913 CEST | 53 | 59144 | 1.1.1.1 | 192.168.2.4 |
| Jul 2, 2024 09:54:59.861407995 CEST | 53 | 61614 | 162.159.36.2 | 192.168.2.4 |
| Jul 2, 2024 09:55:00.338304043 CEST | 64060 | 53 | 192.168.2.4 | 1.1.1.1 |
| Jul 2, 2024 09:55:00.347007990 CEST | 53 | 64060 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Jul 2, 2024 09:54:26.938918114 CEST | 192.168.2.4 | 1.1.1.1 | 0xbb6f | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jul 2, 2024 09:54:27.844763994 CEST | 192.168.2.4 | 1.1.1.1 | 0xf943 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jul 2, 2024 09:55:00.338304043 CEST | 192.168.2.4 | 1.1.1.1 | 0xe57a | Standard query (0) | PTR (Pointer record) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jul 2, 2024 09:54:26.947499990 CEST | 1.1.1.1 | 192.168.2.4 | 0xbb6f | No error (0) | checkip.dyndns.com | CNAME (Canonical name) | IN (0x0001) | false | ||
| Jul 2, 2024 09:54:26.947499990 CEST | 1.1.1.1 | 192.168.2.4 | 0xbb6f | No error (0) | 193.122.6.168 | A (IP address) | IN (0x0001) | false | ||
| Jul 2, 2024 09:54:26.947499990 CEST | 1.1.1.1 | 192.168.2.4 | 0xbb6f | No error (0) | 132.226.8.169 | A (IP address) | IN (0x0001) | false | ||
| Jul 2, 2024 09:54:26.947499990 CEST | 1.1.1.1 | 192.168.2.4 | 0xbb6f | No error (0) | 158.101.44.242 | A (IP address) | IN (0x0001) | false | ||
| Jul 2, 2024 09:54:26.947499990 CEST | 1.1.1.1 | 192.168.2.4 | 0xbb6f | No error (0) | 193.122.130.0 | A (IP address) | IN (0x0001) | false | ||
| Jul 2, 2024 09:54:26.947499990 CEST | 1.1.1.1 | 192.168.2.4 | 0xbb6f | No error (0) | 132.226.247.73 | A (IP address) | IN (0x0001) | false | ||
| Jul 2, 2024 09:54:27.864085913 CEST | 1.1.1.1 | 192.168.2.4 | 0xf943 | No error (0) | 188.114.97.3 | A (IP address) | IN (0x0001) | false | ||
| Jul 2, 2024 09:54:27.864085913 CEST | 1.1.1.1 | 192.168.2.4 | 0xf943 | No error (0) | 188.114.96.3 | A (IP address) | IN (0x0001) | false | ||
| Jul 2, 2024 09:55:00.347007990 CEST | 1.1.1.1 | 192.168.2.4 | 0xe57a | Name error (3) | none | none | PTR (Pointer record) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49730 | 193.122.6.168 | 80 | 7336 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jul 2, 2024 09:54:26.957138062 CEST | 151 | OUT | |
| Jul 2, 2024 09:54:27.591464996 CEST | 320 | IN | |
| Jul 2, 2024 09:54:27.615267038 CEST | 127 | OUT | |
| Jul 2, 2024 09:54:27.802650928 CEST | 320 | IN | |
| Jul 2, 2024 09:54:28.544725895 CEST | 127 | OUT | |
| Jul 2, 2024 09:54:28.733041048 CEST | 320 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49733 | 193.122.6.168 | 80 | 7336 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jul 2, 2024 09:54:29.375497103 CEST | 127 | OUT | |
| Jul 2, 2024 09:54:30.077723980 CEST | 320 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.4 | 49735 | 193.122.6.168 | 80 | 7336 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jul 2, 2024 09:54:30.684071064 CEST | 151 | OUT | |
| Jul 2, 2024 09:54:31.321958065 CEST | 320 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.4 | 49737 | 193.122.6.168 | 80 | 7336 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jul 2, 2024 09:54:31.949815035 CEST | 151 | OUT | |
| Jul 2, 2024 09:54:32.590656042 CEST | 320 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.4 | 49739 | 193.122.6.168 | 80 | 7336 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jul 2, 2024 09:54:33.202431917 CEST | 151 | OUT | |
| Jul 2, 2024 09:54:33.841557980 CEST | 320 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.4 | 49741 | 193.122.6.168 | 80 | 7336 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jul 2, 2024 09:54:34.464793921 CEST | 151 | OUT | |
| Jul 2, 2024 09:54:35.102057934 CEST | 320 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.4 | 49743 | 193.122.6.168 | 80 | 7336 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jul 2, 2024 09:54:35.717850924 CEST | 151 | OUT | |
| Jul 2, 2024 09:54:36.359414101 CEST | 320 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49731 | 188.114.97.3 | 443 | 7336 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-07-02 07:54:28 UTC | 84 | OUT | |
| 2024-07-02 07:54:28 UTC | 720 | IN | |
| 2024-07-02 07:54:28 UTC | 340 | IN | |
| 2024-07-02 07:54:28 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49732 | 188.114.97.3 | 443 | 7336 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-07-02 07:54:29 UTC | 60 | OUT | |
| 2024-07-02 07:54:29 UTC | 704 | IN | |
| 2024-07-02 07:54:29 UTC | 340 | IN | |
| 2024-07-02 07:54:29 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.4 | 49734 | 188.114.97.3 | 443 | 7336 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-07-02 07:54:30 UTC | 60 | OUT | |
| 2024-07-02 07:54:30 UTC | 706 | IN | |
| 2024-07-02 07:54:30 UTC | 340 | IN | |
| 2024-07-02 07:54:30 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.4 | 49736 | 188.114.97.3 | 443 | 7336 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-07-02 07:54:31 UTC | 84 | OUT | |
| 2024-07-02 07:54:31 UTC | 700 | IN | |
| 2024-07-02 07:54:31 UTC | 340 | IN | |
| 2024-07-02 07:54:31 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.4 | 49738 | 188.114.97.3 | 443 | 7336 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-07-02 07:54:33 UTC | 84 | OUT | |
| 2024-07-02 07:54:33 UTC | 708 | IN | |
| 2024-07-02 07:54:33 UTC | 340 | IN | |
| 2024-07-02 07:54:33 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.4 | 49740 | 188.114.97.3 | 443 | 7336 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-07-02 07:54:34 UTC | 84 | OUT | |
| 2024-07-02 07:54:34 UTC | 704 | IN | |
| 2024-07-02 07:54:34 UTC | 340 | IN | |
| 2024-07-02 07:54:34 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.4 | 49742 | 188.114.97.3 | 443 | 7336 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-07-02 07:54:35 UTC | 84 | OUT | |
| 2024-07-02 07:54:35 UTC | 714 | IN | |
| 2024-07-02 07:54:35 UTC | 340 | IN | |
| 2024-07-02 07:54:35 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.4 | 49744 | 188.114.97.3 | 443 | 7336 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-07-02 07:54:36 UTC | 60 | OUT | |
| 2024-07-02 07:54:36 UTC | 704 | IN | |
| 2024-07-02 07:54:36 UTC | 340 | IN | |
| 2024-07-02 07:54:36 UTC | 5 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 03:54:24 |
| Start date: | 02/07/2024 |
| Path: | C:\Users\user\Desktop\whiteee.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x370000 |
| File size: | 1'078'272 bytes |
| MD5 hash: | 9A961CDB405219D714347C06A7A6A995 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 03:54:25 |
| Start date: | 02/07/2024 |
| Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x810000 |
| File size: | 45'984 bytes |
| MD5 hash: | 9D352BC46709F0CB5EC974633A0C3C94 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | high |
| Has exited: | false |
Execution Graph
| Execution Coverage: | 3.4% |
| Dynamic/Decrypted Code Coverage: | 0.4% |
| Signature Coverage: | 4.8% |
| Total number of Nodes: | 2000 |
| Total number of Limit Nodes: | 39 |
Graph
Function 003742DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235libraryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0037BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0037D730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00372CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53windowregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003A8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003B065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0037344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00372B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63windowregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00373170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145windowtimeregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 010F25E0 Relevance: 10.7, APIs: 7, Instructions: 239fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 010F23B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 146fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003E2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003A5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00373B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00373923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003F7F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003710F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003754C6 Relevance: 4.6, APIs: 3, Instructions: 103COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00373837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00375745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00374ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003A8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00379A40 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0039E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003A4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003A3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00374F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00372DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003E2693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00372B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00371CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003E744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0038FC70 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 010F22A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00409576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0038F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003E698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003E9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003E979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003E8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003DD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003EED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003DE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003DD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003F22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003E9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0038997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00378060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003D8298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003ABB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003E51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003D16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003DD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003D1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0039CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0037CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003E68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003E37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003D10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0038B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003909D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0039781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003E2046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003A6DD9 Relevance: .6, Instructions: 637COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0038CC39 Relevance: .6, Instructions: 635COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00377920 Relevance: .6, Instructions: 563COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003791C0 Relevance: .5, Instructions: 475COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00391C77 Relevance: .3, Instructions: 254COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003919B0 Relevance: .2, Instructions: 240COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00397A4A Relevance: .2, Instructions: 237COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00391706 Relevance: .2, Instructions: 232COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 010F3600 Relevance: .1, Instructions: 92COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 010F3490 Relevance: .0, Instructions: 35COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 010F34F0 Relevance: .0, Instructions: 35COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 010F1E70 Relevance: .0, Instructions: 6COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003F2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004070D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00388D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003F2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00400FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00388891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003FC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0037326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003EC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003E14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003FB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003F255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003D365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003FCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003DE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00388BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00389838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003D96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003D06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003F3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003E7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003F055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003F372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003A2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00371410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00375BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003EC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003D989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003D209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003ACE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003D25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003DBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003DC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003DED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0038F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003D5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003B1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003E1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0038948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003A542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003DCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003D7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003D77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003E04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003E05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004040AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003DDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003E096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003A01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003A61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003CF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0038920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003E07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004081DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003D4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003D175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003D14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00408A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003D51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003C7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003D1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003DC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003D719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00394D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00374E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00374E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003FA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003D8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003E8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003E3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003F0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003ACDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00389639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003D5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003D000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003DE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003D10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003D0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003D1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003E030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003A22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003895C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003A0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003A8A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003D2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003DC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003D6E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003F304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004037B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004041EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003D2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003CD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003D007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003F342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003D0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003AB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003E56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003AD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004052C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00407674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004016DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003DD4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00408FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003DD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003D1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003D78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003D1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003DE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0039D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0037600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003A3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003DB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00408863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003898B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003D162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003CD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003CD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003E4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0038F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003ED0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004031EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003ECD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003D1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003D1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00408172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003D0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|