Edit tour
Windows
Analysis Report
DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe
Overview
General Information
| Sample name: | DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe |
| Analysis ID: | 1466656 |
| MD5: | 94f7917fd8334a283b0d5c408383e4ed |
| SHA1: | 8b1e768eb4493d907df10b29042ef2ff11727c87 |
| SHA256: | 3b0246cc2beaacf7c22ab27377a14e9d5cba3dc5b514b4f4a5e8c2eb9c20f612 |
| Tags: | DHLexeFormbook |
| Infos: |   |
 | |
Detection
AgentTesla
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe (PID: 3640 cmdline: "C:\Users\ user\Deskt op\DHL AWB COMMERCAI L INVOICE AND TRACKI NG DETAILS .exe" MD5: 94F7917FD8334A283B0D5C408383E4ED) 
RegSvcs.exe (PID: 348 cmdline: "C:\Users\ user\Deskt op\DHL AWB COMMERCAI L INVOICE AND TRACKI NG DETAILS .exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
- KaGeys.exe (PID: 6512 cmdline:
"C:\Users\ user\AppDa ta\Roaming \KaGeys\Ka Geys.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94) 
conhost.exe (PID: 5560 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- KaGeys.exe (PID: 6512 cmdline:
"C:\Users\ user\AppDa ta\Roaming \KaGeys\Ka Geys.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94) - conhost.exe (PID: 4440 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Agent Tesla, AgentTesla | A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel. |
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.laboratoriosvilla.com.mx", "Username": "compras@laboratoriosvilla.com.mx", "Password": "WZ,2pliw#L)D"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | ||
| Click to see the 10 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen |
| |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | ||
| Click to see the 6 entries | ||||
System Summary |   |
|---|
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
| Source: | Author: frack113: | ||
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_00F04696 | |
| Source: | Code function: | 0_2_00F0C9C7 | |
| Source: | Code function: | 0_2_00F0C93C | |
| Source: | Code function: | 0_2_00F0F200 | |
| Source: | Code function: | 0_2_00F0F35D | |
| Source: | Code function: | 0_2_00F0F65E | |
| Source: | Code function: | 0_2_00F03A2B | |
| Source: | Code function: | 0_2_00F03D4E | |
| Source: | Code function: | 0_2_00F0BF27 | |
Networking | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | TCP traffic: | ||
| Source: | HTTP traffic detected: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | ASN Name: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | DNS query: | ||
| Source: | DNS query: | ||
| Source: | DNS query: | ||
| Source: | DNS query: | ||
| Source: | TCP traffic: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 0_2_00F125E2 | |
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
Key, Mouse, Clipboard, Microphone and Screen Capturing | |
|---|
| Source: | .Net Code: | ||
| Source: | Code function: | 0_2_00F1425A | |
| Source: | Code function: | 0_2_00F14458 | |
| Source: | Code function: | 0_2_00F1425A | |
| Source: | Code function: | 0_2_00F00219 | |
| Source: | Code function: | 0_2_00F2CDAC | |
System Summary | |
|---|
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Code function: | 0_2_00EA3B4C | |
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | memstr_acba96c3-5 | |
| Source: | String found in binary or memory: | memstr_52c122ce-c | |
| Source: | String found in binary or memory: | memstr_162f6bc7-8 | |
| Source: | String found in binary or memory: | memstr_1f26f108-5 | |
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00F040B1 | |
| Source: | Code function: | 0_2_00EF8858 | |
| Source: | Code function: | 0_2_00F0545F | |
| Source: | Code function: | 0_2_00EAE800 | |
| Source: | Code function: | 0_2_00ECDBB5 | |
| Source: | Code function: | 0_2_00EAE060 | |
| Source: | Code function: | 0_2_00F2804A | |
| Source: | Code function: | 0_2_00EB4140 | |
| Source: | Code function: | 0_2_00EC2405 | |
| Source: | Code function: | 0_2_00ED6522 | |
| Source: | Code function: | 0_2_00ED267E | |
| Source: | Code function: | 0_2_00F20665 | |
| Source: | Code function: | 0_2_00EB6843 | |
| Source: | Code function: | 0_2_00EC283A | |
| Source: | Code function: | 0_2_00ED89DF | |
| Source: | Code function: | 0_2_00F20AE2 | |
| Source: | Code function: | 0_2_00ED6A94 | |
| Source: | Code function: | 0_2_00EB8A0E | |
| Source: | Code function: | 0_2_00F08B13 | |
| Source: | Code function: | 0_2_00EFEB07 | |
| Source: | Code function: | 0_2_00ECCD61 | |
| Source: | Code function: | 0_2_00ED7006 | |
| Source: | Code function: | 0_2_00EB3190 | |
| Source: | Code function: | 0_2_00EB710E | |
| Source: | Code function: | 0_2_00EA1287 | |
| Source: | Code function: | 0_2_00EC33C7 | |
| Source: | Code function: | 0_2_00ECF419 | |
| Source: | Code function: | 0_2_00EC16C4 | |
| Source: | Code function: | 0_2_00EB5680 | |
| Source: | Code function: | 0_2_00EB58C0 | |
| Source: | Code function: | 0_2_00EC78D3 | |
| Source: | Code function: | 0_2_00EC1BB8 | |
| Source: | Code function: | 0_2_00ED9D05 | |
| Source: | Code function: | 0_2_00EAFE40 | |
| Source: | Code function: | 0_2_00ECBFE6 | |
| Source: | Code function: | 0_2_00EC1FD0 | |
| Source: | Code function: | 0_2_011135F0 | |
| Source: | Code function: | 2_2_00FBF458 | |
| Source: | Code function: | 2_2_00FBBAF0 | |
| Source: | Code function: | 2_2_00FB4AD8 | |
| Source: | Code function: | 2_2_00FB3EC0 | |
| Source: | Code function: | 2_2_00FBAF20 | |
| Source: | Code function: | 2_2_00FB4208 | |
| Source: | Code function: | 2_2_0643BCEC | |
| Source: | Code function: | 2_2_0643A6B8 | |
| Source: | Code function: | 2_2_0643CE18 | |
| Source: | Code function: | 2_2_0643EC10 | |
| Source: | Code function: | 2_2_0645B218 | |
| Source: | Code function: | 2_2_06452350 | |
| Source: | Code function: | 2_2_064561D8 | |
| Source: | Code function: | 2_2_064551A0 | |
| Source: | Code function: | 2_2_064558E0 | |
| Source: | Code function: | 2_2_06457968 | |
| Source: | Code function: | 2_2_06457288 | |
| Source: | Code function: | 2_2_0645E388 | |
| Source: | Code function: | 2_2_06450040 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_00F0A2D5 | |
| Source: | Code function: | 0_2_00EF8713 | |
| Source: | Code function: | 0_2_00EF8CC3 | |
| Source: | Code function: | 0_2_00F0B59E | |
| Source: | Code function: | 0_2_00F1F121 | |
| Source: | Code function: | 0_2_00F186D0 | |
| Source: | Code function: | 0_2_00EA4FE9 | |
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Window detected: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00F1C304 | |
| Source: | Code function: | 0_2_00EC8B98 | |
| Source: | Code function: | 2_2_00FBF379 | |
| Source: | Code function: | 2_2_00FB759E | |
| Source: | Code function: | 2_2_00FB061A | |
| Source: | Code function: | 2_2_06436400 | |
| Source: | File created: | |||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
Hooking and other Techniques for Hiding and Protection | |
|---|
| Source: | File opened: | Jump to behavior | ||
| Source: | Code function: | 0_2_00EA4A35 | |
| Source: | Code function: | 0_2_00F255FD | |
| Source: | Code function: | 0_2_00EC33C7 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | File source: | ||
| Source: | HTTP traffic detected: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | API/Special instruction interceptor: | ||
| Source: | Binary or memory string: | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | API coverage: | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Code function: | 0_2_00F04696 | |
| Source: | Code function: | 0_2_00F0C9C7 | |
| Source: | Code function: | 0_2_00F0C93C | |
| Source: | Code function: | 0_2_00F0F200 | |
| Source: | Code function: | 0_2_00F0F35D | |
| Source: | Code function: | 0_2_00F0F65E | |
| Source: | Code function: | 0_2_00F03A2B | |
| Source: | Code function: | 0_2_00F03D4E | |
| Source: | Code function: | 0_2_00F0BF27 | |
| Source: | Code function: | 0_2_00EA4AFE | |
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | API call chain: | graph_0-97860 | ||
| Source: | API call chain: | graph_0-98057 | ||
Anti Debugging | |
|---|
| Source: | Code function: | 2_2_00FB7EE0 | |
| Source: | Process queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_00F141FD | |
| Source: | Code function: | 0_2_00EA3B4C | |
| Source: | Code function: | 0_2_00ED5CCC | |
| Source: | Code function: | 0_2_00F1C304 | |
| Source: | Code function: | 0_2_01113480 | |
| Source: | Code function: | 0_2_011134E0 | |
| Source: | Code function: | 0_2_01111E70 | |
| Source: | Code function: | 0_2_00EF81F7 | |
| Source: | Code function: | 0_2_00ECA395 | |
| Source: | Code function: | 0_2_00ECA364 | |
| Source: | Memory allocated: | Jump to behavior | ||
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Code function: | 0_2_00EF8C93 | |
| Source: | Code function: | 0_2_00EA3B4C | |
| Source: | Code function: | 0_2_00EA4A35 | |
| Source: | Code function: | 0_2_00F04EF5 | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00EF81F7 | |
| Source: | Code function: | 0_2_00F04C03 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_00EC886B | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_00ED50D7 | |
| Source: | Code function: | 0_2_00EE2230 | |
| Source: | Code function: | 0_2_00ED418A | |
| Source: | Code function: | 0_2_00EA4AFE | |
| Source: | Key value queried: | Jump to behavior | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Code function: | 0_2_00F16596 | |
| Source: | Code function: | 0_2_00F16A5A | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 221 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 11 Disable or Modify Tools | 2 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | 1 Native API | 2 Valid Accounts | 1 DLL Side-Loading | 11 Deobfuscate/Decode Files or Information | 121 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 2 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | 1 Registry Run Keys / Startup Folder | 2 Valid Accounts | 2 Obfuscated Files or Information | 1 Credentials in Registry | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 21 Access Token Manipulation | 1 DLL Side-Loading | NTDS | 138 System Information Discovery | Distributed Component Object Model | 121 Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 212 Process Injection | 1 Masquerading | LSA Secrets | 651 Security Software Discovery | SSH | 3 Clipboard Data | 23 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 1 Registry Run Keys / Startup Folder | 2 Valid Accounts | Cached Domain Credentials | 251 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 251 Virtualization/Sandbox Evasion | DCSync | 2 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 212 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Hidden Files and Directories | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 32% | Virustotal | Browse | ||
| 39% | ReversingLabs | Win32.Trojan.Strab | ||
| 100% | Joe Sandbox ML |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | ReversingLabs | |||
| 0% | Virustotal | Browse |
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Virustotal | Browse | ||
| 0% | Virustotal | Browse | ||
| 0% | Virustotal | Browse | ||
| 0% | Virustotal | Browse |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Virustotal | Browse | ||
| 0% | Virustotal | Browse |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| laboratoriosvilla.com.mx | 216.194.161.167 | true | true |
| unknown |
| api.ipify.org | 104.26.13.205 | true | false |
| unknown |
| ip-api.com | 208.95.112.1 | true | true |
| unknown |
| mail.laboratoriosvilla.com.mx | unknown | unknown | true |
| unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false |
| unknown | |
| false |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | true | |
| 104.26.13.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false | |
| 216.194.161.167 | laboratoriosvilla.com.mx | United States | 22611 | IMH-WESTUS | true |
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1466656 |
| Start date and time: | 2024-07-03 08:49:33 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 8m 47s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 10 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@6/8@3/3 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target KaGeys.exe, PID 6512 because it is empty
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size exceeded maximum capacity and may have missing disassembly code.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
| Time | Type | Description |
|---|---|---|
| 02:50:24 | API Interceptor | |
| 08:50:28 | Autostart | |
| 08:50:36 | Autostart |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 208.95.112.1 | Get hash | malicious | AgentTesla, GuLoader | Browse |
| |
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla, DarkTortilla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| 104.26.13.205 | Get hash | malicious | Ficker Stealer, Rusty Stealer | Browse |
| |
| Get hash | malicious | Targeted Ransomware, TrojanRansom | Browse |
| ||
| Get hash | malicious | Targeted Ransomware, TrojanRansom | Browse |
| ||
| Get hash | malicious | Stealit | Browse |
| ||
| Get hash | malicious | PureLog Stealer, Targeted Ransomware | Browse |
| ||
| Get hash | malicious | Stealit | Browse |
| ||
| Get hash | malicious | Stealit | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| ip-api.com | Get hash | malicious | AgentTesla, GuLoader | Browse |
| |
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla, DarkTortilla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| api.ipify.org | Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| |
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | AgentTesla, DarkTortilla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| IMH-WESTUS | Get hash | malicious | AgentTesla | Browse |
| |
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| CLOUDFLARENETUS | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | PureLog Stealer, Snake Keylogger | Browse |
| ||
| TUT-ASUS | Get hash | malicious | AgentTesla, GuLoader | Browse |
| |
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla, DarkTortilla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 3b5074b1b5d032e5620f69f9f700ff0e | Get hash | malicious | GuLoader | Browse |
| |
| Get hash | malicious | Remcos, GuLoader | Browse |
| ||
| Get hash | malicious | AgentTesla, GuLoader | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | AgentTesla, GuLoader | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | FormBook, GuLoader | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe | Get hash | malicious | AgentTesla | Browse | ||
| Get hash | malicious | AgentTesla | Browse | |||
| Get hash | malicious | AgentTesla | Browse | |||
| Get hash | malicious | AgentTesla | Browse | |||
| Get hash | malicious | AgentTesla | Browse | |||
| Get hash | malicious | AgentTesla | Browse | |||
| Get hash | malicious | AgentTesla | Browse | |||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse | |||
| Get hash | malicious | AgentTesla | Browse | |||
| Get hash | malicious | AgentTesla, RedLine, SugarDump, XWorm | Browse |
| Process: | C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 142 |
| Entropy (8bit): | 5.090621108356562 |
| Encrypted: | false |
| SSDEEP: | 3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw |
| MD5: | 8C0458BB9EA02D50565175E38D577E35 |
| SHA1: | F0B50702CD6470F3C17D637908F83212FDBDB2F2 |
| SHA-256: | C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53 |
| SHA-512: | 804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F |
| Malicious: | false |
| Reputation: | high, very likely benign file |
| Preview: |
| Process: | C:\Users\user\Desktop\DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 244736 |
| Entropy (8bit): | 6.60716245529181 |
| Encrypted: | false |
| SSDEEP: | 6144:iep3Lxul5nE7uXhjWhN9NjqY+v1QRoJr8I:N37uJWhdjXur8I |
| MD5: | E34395899CA90C529429B7782F4C8D70 |
| SHA1: | 6E818F8996DA705E6BAA8FC7EC12858329FA84A1 |
| SHA-256: | 5E9B6F5183975D30B2D7247316235ED9C4270E3F7BE4F5825907636EAD92A676 |
| SHA-512: | 7A8073CBBB16A4919BF8A9FB3ED9BAE67FB53233EB0DBD3EA0D90C9A7DEAE370F2D5974E8D2B96DCDA296B7CD40F8877EEA0AF0A17D3E68317CE15FBF9804318 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 151054 |
| Entropy (8bit): | 7.875688617250052 |
| Encrypted: | false |
| SSDEEP: | 3072:dXqZMYTU8sPR/E0MdiZT+V8sMWyyJii1N8aUoU//VhqI87j:da+C0xZT+V8s5AcuXXVhXCj |
| MD5: | 865405B06C50C314DB6FAC4373CCBC56 |
| SHA1: | B936DD7B10193933339B558B975E9DEE09878DB3 |
| SHA-256: | 54A320EE3C78D294CD1CCC0A85BE0FA541BF8CE3181B67160E2055FF323B24EF |
| SHA-512: | DE8CB822BEDFF69079AFD197A37D8F2DBB14E2B0AD9A650635F97A1890E5173AE65029FAC7C6423E9FBE82341CC1909207BF7A88A32DB0D65ECC22F1AA109DCB |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 9824 |
| Entropy (8bit): | 7.5986589087356275 |
| Encrypted: | false |
| SSDEEP: | 192:65jwEiqEH1WgUJuzJkecGgJo7xocBkP/eH6exLOFyFTfvPPT:I6qEHYV0eecGGo7xocBE/c6ePTfvPr |
| MD5: | B7EB242789A017337E30B39AFC2F9EC6 |
| SHA1: | 9F1830E2A2A1C43AAA78EB25F4566CFCE89B9CFE |
| SHA-256: | 05B47EF147E25A619A4DE6D528FFB57B8B4FAD222CD82ED84E3CC360CCCEA5D9 |
| SHA-512: | 6E0468D459EE564ECBD466308F1232553E3DE3CAFC7E542C88EFECACE9227E4F8145775E47DFFE8EC7FC32515627DDC094E4FEE15D9D232861DBF77379A1A12B |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 28756 |
| Entropy (8bit): | 3.5885483301510295 |
| Encrypted: | false |
| SSDEEP: | 768:miTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbd+IH6B34vfF3if6gyCy:miTZ+2QoioGRk6ZklputwjpjBkCiw2R5 |
| MD5: | CBDD3E6669D36E57E1DDFD29FDDD1676 |
| SHA1: | D3504178A0012DDB1646547A5B9B4879CF105A13 |
| SHA-256: | D1E02581F0B47D6B55D1A304E519E188196C8EDACD7FA9F2D0F4877952FF3FFA |
| SHA-512: | 7530AB9F0F0E46D3FE84B761E4EFA75EFE65358EAAC509D4E94F44E0789BF8FE2DFF137E67900323584BFA860AE65F14FDAC6A4D73DBFEBC55EF583445D0FCF8 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 45984 |
| Entropy (8bit): | 6.16795797263964 |
| Encrypted: | false |
| SSDEEP: | 768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7 |
| MD5: | 9D352BC46709F0CB5EC974633A0C3C94 |
| SHA1: | 1969771B2F022F9A86D77AC4D4D239BECDF08D07 |
| SHA-256: | 2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390 |
| SHA-512: | 13C714244EC56BEEB202279E4109D59C2A43C3CF29F90A374A751C04FD472B45228CA5A0178F41109ED863DBD34E0879E4A21F5E38AE3D89559C57E6BE990A9B |
| Malicious: | false |
| Antivirus: |
|
| Joe Sandbox View: |
|
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1141 |
| Entropy (8bit): | 4.442398121585593 |
| Encrypted: | false |
| SSDEEP: | 24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC |
| MD5: | 6FB4D27A716A8851BC0505666E7C7A10 |
| SHA1: | AD2A232C6E709223532C4D1AB892303273D8C814 |
| SHA-256: | 1DC36F296CE49BDF1D560B527DB06E1E9791C10263459A67EACE706C6DDCDEAE |
| SHA-512: | 3192095C68C6B7AD94212B7BCA0563F2058BCE00C0C439B90F0E96EA2F029A37C2F2B69487591B494C1BA54697FE891E214582E392127CB8C90AB682E0D81ADB |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.975205070022554 |
| TrID: |
|
| File name: | DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe |
| File size: | 1'062'400 bytes |
| MD5: | 94f7917fd8334a283b0d5c408383e4ed |
| SHA1: | 8b1e768eb4493d907df10b29042ef2ff11727c87 |
| SHA256: | 3b0246cc2beaacf7c22ab27377a14e9d5cba3dc5b514b4f4a5e8c2eb9c20f612 |
| SHA512: | 92e649893733de391d1427f5255331acff1184c637f55339793b5c8b3fc881ae1b8f771b2528d576c1e1e041621f3c73f72b539e98842e82c0a44044b9d9feb4 |
| SSDEEP: | 24576:SAHnh+eWsN3skA4RV1Hom2KXMmHaIoQ1TwWFq6d5:Vh+ZkldoPK8YaIF1qk |
| TLSH: | 2035AD0273E1C036FFAB92739B6AF64156BC79254133852F13981DB9BD701B2263E663 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR.. |
 | |
| Icon Hash: | aaf3e3e3938382a0 |
| Entrypoint: | 0x42800a |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x668499C7 [Wed Jul 3 00:22:31 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 1 |
| File Version Major: | 5 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 1 |
| Import Hash: | afcdf79be1557326c854b6e20cb900a7 |
| Instruction |
|---|
| call 00007F6F487F326Dh |
| jmp 00007F6F487E6024h |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| push edi |
| push esi |
| mov esi, dword ptr [esp+10h] |
| mov ecx, dword ptr [esp+14h] |
| mov edi, dword ptr [esp+0Ch] |
| mov eax, ecx |
| mov edx, ecx |
| add eax, esi |
| cmp edi, esi |
| jbe 00007F6F487E61AAh |
| cmp edi, eax |
| jc 00007F6F487E650Eh |
| bt dword ptr [004C41FCh], 01h |
| jnc 00007F6F487E61A9h |
| rep movsb |
| jmp 00007F6F487E64BCh |
| cmp ecx, 00000080h |
| jc 00007F6F487E6374h |
| mov eax, edi |
| xor eax, esi |
| test eax, 0000000Fh |
| jne 00007F6F487E61B0h |
| bt dword ptr [004BF324h], 01h |
| jc 00007F6F487E6680h |
| bt dword ptr [004C41FCh], 00000000h |
| jnc 00007F6F487E634Dh |
| test edi, 00000003h |
| jne 00007F6F487E635Eh |
| test esi, 00000003h |
| jne 00007F6F487E633Dh |
| bt edi, 02h |
| jnc 00007F6F487E61AFh |
| mov eax, dword ptr [esi] |
| sub ecx, 04h |
| lea esi, dword ptr [esi+04h] |
| mov dword ptr [edi], eax |
| lea edi, dword ptr [edi+04h] |
| bt edi, 03h |
| jnc 00007F6F487E61B3h |
| movq xmm1, qword ptr [esi] |
| sub ecx, 08h |
| lea esi, dword ptr [esi+08h] |
| movq qword ptr [edi], xmm1 |
| lea edi, dword ptr [edi+08h] |
| test esi, 00000007h |
| je 00007F6F487E6205h |
| bt esi, 03h |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc0cc | 0x17c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x38e50 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x101000 | 0x7134 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4b50 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x8dfdd | 0x8e000 | 310e36668512d53489c005622bb1b4a9 | False | 0.5735602580325704 | data | 6.675248351711057 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x8f000 | 0x2fd8e | 0x2fe00 | 748cf1ab2605ce1fd72d53d912abb68f | False | 0.32828818537859006 | data | 5.763244005758284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xbf000 | 0x8f74 | 0x5200 | aae9601d920f07080bdfadf43dfeff12 | False | 0.1017530487804878 | data | 1.1963819235530628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xc8000 | 0x38e50 | 0x39000 | d322d905916c6631b0d60a158ce25371 | False | 0.8837119654605263 | data | 7.788364236930816 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x101000 | 0x7134 | 0x7200 | f04128ad0f87f42830e4a6cdbc38c719 | False | 0.7617530153508771 | data | 6.783955557128661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xc85a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216 |
| RT_ICON | 0xc86d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027 |
| RT_ICON | 0xc87f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135 |
| RT_ICON | 0xc8920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333 |
| RT_ICON | 0xc8c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5 |
| RT_ICON | 0xc8d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388 |
| RT_ICON | 0xc9bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524 |
| RT_ICON | 0xca480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918 |
| RT_ICON | 0xca9e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727 |
| RT_ICON | 0xccf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496 |
| RT_ICON | 0xce038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227 |
| RT_MENU | 0xce4a0 | 0x50 | data | English | Great Britain | 0.9 |
| RT_STRING | 0xce4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333 |
| RT_STRING | 0xcea84 | 0x68a | data | English | Great Britain | 0.2747909199522103 |
| RT_STRING | 0xcf110 | 0x490 | data | English | Great Britain | 0.3715753424657534 |
| RT_STRING | 0xcf5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282 |
| RT_STRING | 0xcfb9c | 0x65c | data | English | Great Britain | 0.34336609336609336 |
| RT_STRING | 0xd01f8 | 0x466 | data | English | Great Britain | 0.3605683836589698 |
| RT_STRING | 0xd0660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186 |
| RT_RCDATA | 0xd07b8 | 0x30116 | data | 1.0003606147720001 | ||
| RT_GROUP_ICON | 0x1008d0 | 0x76 | data | English | Great Britain | 0.6610169491525424 |
| RT_GROUP_ICON | 0x100948 | 0x14 | data | English | Great Britain | 1.25 |
| RT_GROUP_ICON | 0x10095c | 0x14 | data | English | Great Britain | 1.15 |
| RT_GROUP_ICON | 0x100970 | 0x14 | data | English | Great Britain | 1.25 |
| RT_VERSION | 0x100984 | 0xdc | data | English | Great Britain | 0.6181818181818182 |
| RT_MANIFEST | 0x100a60 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823 |
| DLL | Import |
|---|---|
| WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect |
| VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW |
| WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW |
| COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create |
| MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W |
| WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW |
| PSAPI.DLL | GetProcessMemoryInfo |
| IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho |
| USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW |
| UxTheme.dll | IsThemeActive |
| KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA |
| USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW |
| GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath |
| COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW |
| ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW |
| SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish |
| ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity |
| OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | Great Britain |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jul 3, 2024 08:50:24.675971031 CEST | 49704 | 443 | 192.168.2.5 | 104.26.13.205 |
| Jul 3, 2024 08:50:24.676074982 CEST | 443 | 49704 | 104.26.13.205 | 192.168.2.5 |
| Jul 3, 2024 08:50:24.676167011 CEST | 49704 | 443 | 192.168.2.5 | 104.26.13.205 |
| Jul 3, 2024 08:50:24.694832087 CEST | 49704 | 443 | 192.168.2.5 | 104.26.13.205 |
| Jul 3, 2024 08:50:24.694875002 CEST | 443 | 49704 | 104.26.13.205 | 192.168.2.5 |
| Jul 3, 2024 08:50:25.157649040 CEST | 443 | 49704 | 104.26.13.205 | 192.168.2.5 |
| Jul 3, 2024 08:50:25.157829046 CEST | 49704 | 443 | 192.168.2.5 | 104.26.13.205 |
| Jul 3, 2024 08:50:25.161411047 CEST | 49704 | 443 | 192.168.2.5 | 104.26.13.205 |
| Jul 3, 2024 08:50:25.161447048 CEST | 443 | 49704 | 104.26.13.205 | 192.168.2.5 |
| Jul 3, 2024 08:50:25.161719084 CEST | 443 | 49704 | 104.26.13.205 | 192.168.2.5 |
| Jul 3, 2024 08:50:25.204246044 CEST | 49704 | 443 | 192.168.2.5 | 104.26.13.205 |
| Jul 3, 2024 08:50:25.207457066 CEST | 49704 | 443 | 192.168.2.5 | 104.26.13.205 |
| Jul 3, 2024 08:50:25.248507977 CEST | 443 | 49704 | 104.26.13.205 | 192.168.2.5 |
| Jul 3, 2024 08:50:25.314979076 CEST | 443 | 49704 | 104.26.13.205 | 192.168.2.5 |
| Jul 3, 2024 08:50:25.315047979 CEST | 443 | 49704 | 104.26.13.205 | 192.168.2.5 |
| Jul 3, 2024 08:50:25.315110922 CEST | 49704 | 443 | 192.168.2.5 | 104.26.13.205 |
| Jul 3, 2024 08:50:25.333009005 CEST | 49704 | 443 | 192.168.2.5 | 104.26.13.205 |
| Jul 3, 2024 08:50:25.345383883 CEST | 49705 | 80 | 192.168.2.5 | 208.95.112.1 |
| Jul 3, 2024 08:50:25.350282907 CEST | 80 | 49705 | 208.95.112.1 | 192.168.2.5 |
| Jul 3, 2024 08:50:25.350403070 CEST | 49705 | 80 | 192.168.2.5 | 208.95.112.1 |
| Jul 3, 2024 08:50:25.350487947 CEST | 49705 | 80 | 192.168.2.5 | 208.95.112.1 |
| Jul 3, 2024 08:50:25.355401039 CEST | 80 | 49705 | 208.95.112.1 | 192.168.2.5 |
| Jul 3, 2024 08:50:25.812995911 CEST | 80 | 49705 | 208.95.112.1 | 192.168.2.5 |
| Jul 3, 2024 08:50:25.860470057 CEST | 49705 | 80 | 192.168.2.5 | 208.95.112.1 |
| Jul 3, 2024 08:50:26.338695049 CEST | 49705 | 80 | 192.168.2.5 | 208.95.112.1 |
| Jul 3, 2024 08:50:26.641642094 CEST | 49705 | 80 | 192.168.2.5 | 208.95.112.1 |
| Jul 3, 2024 08:50:26.866565943 CEST | 80 | 49705 | 208.95.112.1 | 192.168.2.5 |
| Jul 3, 2024 08:50:26.866683960 CEST | 49705 | 80 | 192.168.2.5 | 208.95.112.1 |
| Jul 3, 2024 08:50:26.866777897 CEST | 80 | 49705 | 208.95.112.1 | 192.168.2.5 |
| Jul 3, 2024 08:50:26.866851091 CEST | 49705 | 80 | 192.168.2.5 | 208.95.112.1 |
| Jul 3, 2024 08:50:26.866859913 CEST | 80 | 49705 | 208.95.112.1 | 192.168.2.5 |
| Jul 3, 2024 08:50:26.866942883 CEST | 49705 | 80 | 192.168.2.5 | 208.95.112.1 |
| Jul 3, 2024 08:50:26.867171049 CEST | 80 | 49705 | 208.95.112.1 | 192.168.2.5 |
| Jul 3, 2024 08:50:26.867408991 CEST | 80 | 49705 | 208.95.112.1 | 192.168.2.5 |
| Jul 3, 2024 08:50:26.867512941 CEST | 49705 | 80 | 192.168.2.5 | 208.95.112.1 |
| Jul 3, 2024 08:50:27.201354027 CEST | 49706 | 587 | 192.168.2.5 | 216.194.161.167 |
| Jul 3, 2024 08:50:27.208563089 CEST | 587 | 49706 | 216.194.161.167 | 192.168.2.5 |
| Jul 3, 2024 08:50:27.208672047 CEST | 49706 | 587 | 192.168.2.5 | 216.194.161.167 |
| Jul 3, 2024 08:50:27.766865969 CEST | 587 | 49706 | 216.194.161.167 | 192.168.2.5 |
| Jul 3, 2024 08:50:27.767138958 CEST | 49706 | 587 | 192.168.2.5 | 216.194.161.167 |
| Jul 3, 2024 08:50:27.772017956 CEST | 587 | 49706 | 216.194.161.167 | 192.168.2.5 |
| Jul 3, 2024 08:50:28.146859884 CEST | 587 | 49706 | 216.194.161.167 | 192.168.2.5 |
| Jul 3, 2024 08:50:28.146946907 CEST | 587 | 49706 | 216.194.161.167 | 192.168.2.5 |
| Jul 3, 2024 08:50:28.147002935 CEST | 49706 | 587 | 192.168.2.5 | 216.194.161.167 |
| Jul 3, 2024 08:50:28.147118092 CEST | 49706 | 587 | 192.168.2.5 | 216.194.161.167 |
| Jul 3, 2024 08:50:28.152544022 CEST | 587 | 49706 | 216.194.161.167 | 192.168.2.5 |
| Jul 3, 2024 08:50:28.313728094 CEST | 587 | 49706 | 216.194.161.167 | 192.168.2.5 |
| Jul 3, 2024 08:50:28.314184904 CEST | 49706 | 587 | 192.168.2.5 | 216.194.161.167 |
| Jul 3, 2024 08:50:28.319240093 CEST | 587 | 49706 | 216.194.161.167 | 192.168.2.5 |
| Jul 3, 2024 08:50:28.485704899 CEST | 587 | 49706 | 216.194.161.167 | 192.168.2.5 |
| Jul 3, 2024 08:50:28.485796928 CEST | 587 | 49706 | 216.194.161.167 | 192.168.2.5 |
| Jul 3, 2024 08:50:28.485815048 CEST | 587 | 49706 | 216.194.161.167 | 192.168.2.5 |
| Jul 3, 2024 08:50:28.485851049 CEST | 49706 | 587 | 192.168.2.5 | 216.194.161.167 |
| Jul 3, 2024 08:50:28.524178028 CEST | 49706 | 587 | 192.168.2.5 | 216.194.161.167 |
| Jul 3, 2024 08:50:28.529392958 CEST | 587 | 49706 | 216.194.161.167 | 192.168.2.5 |
| Jul 3, 2024 08:50:28.688896894 CEST | 587 | 49706 | 216.194.161.167 | 192.168.2.5 |
| Jul 3, 2024 08:50:28.691750050 CEST | 49706 | 587 | 192.168.2.5 | 216.194.161.167 |
| Jul 3, 2024 08:50:28.697259903 CEST | 587 | 49706 | 216.194.161.167 | 192.168.2.5 |
| Jul 3, 2024 08:50:28.856544018 CEST | 587 | 49706 | 216.194.161.167 | 192.168.2.5 |
| Jul 3, 2024 08:50:28.857781887 CEST | 49706 | 587 | 192.168.2.5 | 216.194.161.167 |
| Jul 3, 2024 08:50:28.863070965 CEST | 587 | 49706 | 216.194.161.167 | 192.168.2.5 |
| Jul 3, 2024 08:50:29.023797989 CEST | 587 | 49706 | 216.194.161.167 | 192.168.2.5 |
| Jul 3, 2024 08:50:29.024171114 CEST | 49706 | 587 | 192.168.2.5 | 216.194.161.167 |
| Jul 3, 2024 08:50:29.031209946 CEST | 587 | 49706 | 216.194.161.167 | 192.168.2.5 |
| Jul 3, 2024 08:50:29.194175005 CEST | 587 | 49706 | 216.194.161.167 | 192.168.2.5 |
| Jul 3, 2024 08:50:29.194521904 CEST | 49706 | 587 | 192.168.2.5 | 216.194.161.167 |
| Jul 3, 2024 08:50:29.199430943 CEST | 587 | 49706 | 216.194.161.167 | 192.168.2.5 |
| Jul 3, 2024 08:50:29.358650923 CEST | 587 | 49706 | 216.194.161.167 | 192.168.2.5 |
| Jul 3, 2024 08:50:29.358930111 CEST | 49706 | 587 | 192.168.2.5 | 216.194.161.167 |
| Jul 3, 2024 08:50:29.363945007 CEST | 587 | 49706 | 216.194.161.167 | 192.168.2.5 |
| Jul 3, 2024 08:50:29.681951046 CEST | 587 | 49706 | 216.194.161.167 | 192.168.2.5 |
| Jul 3, 2024 08:50:29.684887886 CEST | 49706 | 587 | 192.168.2.5 | 216.194.161.167 |
| Jul 3, 2024 08:50:29.689888000 CEST | 587 | 49706 | 216.194.161.167 | 192.168.2.5 |
| Jul 3, 2024 08:50:29.849570036 CEST | 587 | 49706 | 216.194.161.167 | 192.168.2.5 |
| Jul 3, 2024 08:50:29.856139898 CEST | 49706 | 587 | 192.168.2.5 | 216.194.161.167 |
| Jul 3, 2024 08:50:29.856414080 CEST | 49706 | 587 | 192.168.2.5 | 216.194.161.167 |
| Jul 3, 2024 08:50:29.856476068 CEST | 49706 | 587 | 192.168.2.5 | 216.194.161.167 |
| Jul 3, 2024 08:50:29.856573105 CEST | 49706 | 587 | 192.168.2.5 | 216.194.161.167 |
| Jul 3, 2024 08:50:29.856606960 CEST | 49706 | 587 | 192.168.2.5 | 216.194.161.167 |
| Jul 3, 2024 08:50:29.856683016 CEST | 49706 | 587 | 192.168.2.5 | 216.194.161.167 |
| Jul 3, 2024 08:50:29.856707096 CEST | 49706 | 587 | 192.168.2.5 | 216.194.161.167 |
| Jul 3, 2024 08:50:29.861530066 CEST | 587 | 49706 | 216.194.161.167 | 192.168.2.5 |
| Jul 3, 2024 08:50:29.861673117 CEST | 587 | 49706 | 216.194.161.167 | 192.168.2.5 |
| Jul 3, 2024 08:50:29.861701965 CEST | 587 | 49706 | 216.194.161.167 | 192.168.2.5 |
| Jul 3, 2024 08:50:29.861829042 CEST | 587 | 49706 | 216.194.161.167 | 192.168.2.5 |
| Jul 3, 2024 08:50:29.861857891 CEST | 587 | 49706 | 216.194.161.167 | 192.168.2.5 |
| Jul 3, 2024 08:50:29.861885071 CEST | 587 | 49706 | 216.194.161.167 | 192.168.2.5 |
| Jul 3, 2024 08:50:29.861987114 CEST | 587 | 49706 | 216.194.161.167 | 192.168.2.5 |
| Jul 3, 2024 08:50:30.098651886 CEST | 587 | 49706 | 216.194.161.167 | 192.168.2.5 |
| Jul 3, 2024 08:50:30.141628981 CEST | 49706 | 587 | 192.168.2.5 | 216.194.161.167 |
| Jul 3, 2024 08:52:06.362847090 CEST | 49706 | 587 | 192.168.2.5 | 216.194.161.167 |
| Jul 3, 2024 08:52:06.367758036 CEST | 587 | 49706 | 216.194.161.167 | 192.168.2.5 |
| Jul 3, 2024 08:52:06.527513027 CEST | 587 | 49706 | 216.194.161.167 | 192.168.2.5 |
| Jul 3, 2024 08:52:06.531338930 CEST | 49706 | 587 | 192.168.2.5 | 216.194.161.167 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jul 3, 2024 08:50:24.577615976 CEST | 63073 | 53 | 192.168.2.5 | 1.1.1.1 |
| Jul 3, 2024 08:50:24.584476948 CEST | 53 | 63073 | 1.1.1.1 | 192.168.2.5 |
| Jul 3, 2024 08:50:25.337747097 CEST | 62035 | 53 | 192.168.2.5 | 1.1.1.1 |
| Jul 3, 2024 08:50:25.344615936 CEST | 53 | 62035 | 1.1.1.1 | 192.168.2.5 |
| Jul 3, 2024 08:50:26.338551998 CEST | 57735 | 53 | 192.168.2.5 | 1.1.1.1 |
| Jul 3, 2024 08:50:27.185787916 CEST | 53 | 57735 | 1.1.1.1 | 192.168.2.5 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Jul 3, 2024 08:50:24.577615976 CEST | 192.168.2.5 | 1.1.1.1 | 0x805e | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jul 3, 2024 08:50:25.337747097 CEST | 192.168.2.5 | 1.1.1.1 | 0x31d1 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jul 3, 2024 08:50:26.338551998 CEST | 192.168.2.5 | 1.1.1.1 | 0x38d1 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jul 3, 2024 08:50:24.584476948 CEST | 1.1.1.1 | 192.168.2.5 | 0x805e | No error (0) | 104.26.13.205 | A (IP address) | IN (0x0001) | false | ||
| Jul 3, 2024 08:50:24.584476948 CEST | 1.1.1.1 | 192.168.2.5 | 0x805e | No error (0) | 172.67.74.152 | A (IP address) | IN (0x0001) | false | ||
| Jul 3, 2024 08:50:24.584476948 CEST | 1.1.1.1 | 192.168.2.5 | 0x805e | No error (0) | 104.26.12.205 | A (IP address) | IN (0x0001) | false | ||
| Jul 3, 2024 08:50:25.344615936 CEST | 1.1.1.1 | 192.168.2.5 | 0x31d1 | No error (0) | 208.95.112.1 | A (IP address) | IN (0x0001) | false | ||
| Jul 3, 2024 08:50:27.185787916 CEST | 1.1.1.1 | 192.168.2.5 | 0x38d1 | No error (0) | laboratoriosvilla.com.mx | CNAME (Canonical name) | IN (0x0001) | false | ||
| Jul 3, 2024 08:50:27.185787916 CEST | 1.1.1.1 | 192.168.2.5 | 0x38d1 | No error (0) | 216.194.161.167 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.5 | 49705 | 208.95.112.1 | 80 | 348 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jul 3, 2024 08:50:25.350487947 CEST | 80 | OUT | |
| Jul 3, 2024 08:50:25.812995911 CEST | 175 | IN | |
| Jul 3, 2024 08:50:26.866565943 CEST | 175 | IN | |
| Jul 3, 2024 08:50:26.866777897 CEST | 175 | IN | |
| Jul 3, 2024 08:50:26.866859913 CEST | 175 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.5 | 49704 | 104.26.13.205 | 443 | 348 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-07-03 06:50:25 UTC | 155 | OUT | |
| 2024-07-03 06:50:25 UTC | 211 | IN | |
| 2024-07-03 06:50:25 UTC | 11 | IN |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
|---|---|---|---|---|---|
| Jul 3, 2024 08:50:27.766865969 CEST | 587 | 49706 | 216.194.161.167 | 192.168.2.5 | 220-server.aipssa.com ESMTP Exim 4.96.2 #2 Tue, 02 Jul 2024 23:50:27 -0700 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail. |
| Jul 3, 2024 08:50:27.767138958 CEST | 49706 | 587 | 192.168.2.5 | 216.194.161.167 | EHLO 284992 |
| Jul 3, 2024 08:50:28.146859884 CEST | 587 | 49706 | 216.194.161.167 | 192.168.2.5 | 250-server.aipssa.com Hello 284992 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP |
| Jul 3, 2024 08:50:28.146946907 CEST | 587 | 49706 | 216.194.161.167 | 192.168.2.5 | 250-server.aipssa.com Hello 284992 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP |
| Jul 3, 2024 08:50:28.147118092 CEST | 49706 | 587 | 192.168.2.5 | 216.194.161.167 | STARTTLS |
| Jul 3, 2024 08:50:28.313728094 CEST | 587 | 49706 | 216.194.161.167 | 192.168.2.5 | 220 TLS go ahead |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 02:50:22 |
| Start date: | 03/07/2024 |
| Path: | C:\Users\user\Desktop\DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xea0000 |
| File size: | 1'062'400 bytes |
| MD5 hash: | 94F7917FD8334A283B0D5C408383E4ED |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 02:50:23 |
| Start date: | 03/07/2024 |
| Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x5e0000 |
| File size: | 45'984 bytes |
| MD5 hash: | 9D352BC46709F0CB5EC974633A0C3C94 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | high |
| Has exited: | false |
| Target ID: | 3 |
| Start time: | 02:50:36 |
| Start date: | 03/07/2024 |
| Path: | C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xe00000 |
| File size: | 45'984 bytes |
| MD5 hash: | 9D352BC46709F0CB5EC974633A0C3C94 |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Antivirus matches: |
|
| Reputation: | high |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 02:50:36 |
| Start date: | 03/07/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6d64d0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 6 |
| Start time: | 02:50:44 |
| Start date: | 03/07/2024 |
| Path: | C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x2d0000 |
| File size: | 45'984 bytes |
| MD5 hash: | 9D352BC46709F0CB5EC974633A0C3C94 |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 7 |
| Start time: | 02:50:44 |
| Start date: | 03/07/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6d64d0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 4% |
| Dynamic/Decrypted Code Coverage: | 1.3% |
| Signature Coverage: | 4.6% |
| Total number of Nodes: | 2000 |
| Total number of Limit Nodes: | 44 |
Graph
Function 00EA3B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EA4AFE Relevance: 10.7, APIs: 7, Instructions: 223COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F04696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EAE800 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EB0B30 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F093DF Relevance: 19.8, APIs: 13, Instructions: 322fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EA3031 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 61windowregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EA3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54windowregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EA71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EA3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71windowregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EA3633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151windowtimeregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 011125D0 Relevance: 10.7, APIs: 7, Instructions: 239fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 011123B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 140fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EA410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EA35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F097E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EC493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F1CDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EAF8CF Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EA43DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EC594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F08F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EA492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EA5DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EB2123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EA766F Relevance: 1.6, APIs: 1, Instructions: 103COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EA5C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EE00D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EA80D7 Relevance: 1.6, APIs: 1, Instructions: 64COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EA4F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EE01AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EA5D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EC4A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EA4FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EC09D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F09129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EA5DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EC548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F0D2E6 Relevance: 1.4, APIs: 1, Instructions: 198COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EC0E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0111229C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 011122A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F2CDAC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F2804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EA4A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F0C9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F0F200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F20AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F0F35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EB6843 Relevance: 19.6, Strings: 15, Instructions: 883COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F186D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F14458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F03A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F0F65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EB58C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F0545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F16596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EA1287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F255FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F1C304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F040B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EFEB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F0B59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EF8CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F04C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EAE060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F0C93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F0A2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EF8713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00ECF419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00ED267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F08B13 Relevance: 1.6, APIs: 1, Instructions: 68COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F04EF5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EF8C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EE2230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00ECA364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EB8A0E Relevance: .6, Instructions: 608COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EC2405 Relevance: .3, Instructions: 345COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EC283A Relevance: .3, Instructions: 341COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EC1BB8 Relevance: .3, Instructions: 323COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F17B1B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F237F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F2A849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EA2C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F177BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F28C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F24B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EA27D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F24069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F152F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EFAA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F2A428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F2C8EE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F24619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F2BAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F0A45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F2C49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F1762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F048F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F05217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F0D7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EFC72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EA201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EA21A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F273C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F2772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EC7040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F15A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EF9471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EF955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EF9645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F18BC0 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EAFBBD Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EA2E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F2C27C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F18F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F288B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EF9B50 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F26FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F03226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F04534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EA2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F07368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F26442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EFC072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EA1424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F0589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F038AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F27500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F2653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EFE0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F2783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EC41C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EC429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F0675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F25A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EFF3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F026F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EA1765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F2B958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F173B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EF8D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EF8AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F2C19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F074D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EF8E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F02F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EFDA5D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F02C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EF9372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F11B21 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F26656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F0703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F0710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EFA52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F1EE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F0E7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F2A2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EF6920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EFB6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F2B405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EF97E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EA12F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EFC161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F04D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EF874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F054E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EF7652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EF85F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EF8652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EA13B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F27648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F26F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F2797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EA4C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EA4D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EA4D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F21072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F193F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EF76C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F1E33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F183A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EF7A78 Relevance: 6.2, APIs: 4, Instructions: 231COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EF6DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F29A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F1672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F0BA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F28AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F2ADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F25175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F2C788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EC0BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EF8B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F11A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EFE1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F1667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EF9023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EA1290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F01652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F2B57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F2B8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F06E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F2C00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EA2218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EF8C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EE2187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EE219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F0B217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EB2AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F12882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F02D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F26943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F26B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F02E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F124CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F180A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EF92E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EF91DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EF9264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00EF81BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F25BEB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|