Edit tour
Windows
Analysis Report
tgBNtoWqIp.exe
Overview
General Information
| Sample name: | tgBNtoWqIp.exerenamed because original name is a hash value |
| Original sample name: | 934284591d9e31d5c4868a6608b88c2dd2124fdd45b0248db35f4741d4634bc7.exe |
| Analysis ID: | 1466952 |
| MD5: | f78535a3f5e84f626e1018e587b5b588 |
| SHA1: | 8200afc4d351323230fcc4b0a76b529b5d052134 |
| SHA256: | 934284591d9e31d5c4868a6608b88c2dd2124fdd45b0248db35f4741d4634bc7 |
| Tags: | exeFormbook |
| Infos: |   |
 | |
Detection
AgentTesla, PureLog Stealer
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Generic Downloader
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
tgBNtoWqIp.exe (PID: 7436 cmdline: "C:\Users\ user\Deskt op\tgBNtoW qIp.exe" MD5: F78535A3F5E84F626E1018E587B5B588) 
RegSvcs.exe (PID: 7452 cmdline: "C:\Users\ user\Deskt op\tgBNtoW qIp.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Agent Tesla, AgentTesla | A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel. |
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.divanrestoran.com", "Username": "info@divanrestoran.com", "Password": "Div987654-_"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen |
| |
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| Click to see the 20 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen |
| |
| MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen |
| |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| Click to see the 52 entries | ||||
System Summary |   |
|---|
| Source: | Author: frack113: | ||
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_00FC4696 | |
| Source: | Code function: | 0_2_00FCC9C7 | |
| Source: | Code function: | 0_2_00FCC93C | |
| Source: | Code function: | 0_2_00FCF200 | |
| Source: | Code function: | 0_2_00FCF35D | |
| Source: | Code function: | 0_2_00FCF65E | |
| Source: | Code function: | 0_2_00FC3A2B | |
| Source: | Code function: | 0_2_00FC3D4E | |
| Source: | Code function: | 0_2_00FCBF27 | |
Networking | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | TCP traffic: | ||
| Source: | HTTP traffic detected: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | ASN Name: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | DNS query: | ||
| Source: | DNS query: | ||
| Source: | DNS query: | ||
| Source: | DNS query: | ||
| Source: | TCP traffic: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 0_2_00FD25E2 | |
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
Key, Mouse, Clipboard, Microphone and Screen Capturing | |
|---|
| Source: | .Net Code: | ||
| Source: | Code function: | 0_2_00FD425A | |
| Source: | Code function: | 0_2_00FD4458 | |
| Source: | Code function: | 0_2_00FD425A | |
| Source: | Code function: | 0_2_00FC0219 | |
| Source: | Code function: | 0_2_00FECDAC | |
System Summary | |
|---|
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Code function: | 0_2_00F63B4C | |
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | memstr_a5f78d23-0 | |
| Source: | String found in binary or memory: | memstr_15a4ada4-1 | |
| Source: | String found in binary or memory: | memstr_c0fc8129-f | |
| Source: | String found in binary or memory: | memstr_1634c994-5 | |
| Source: | Code function: | 0_2_00FC40B1 | |
| Source: | Code function: | 0_2_00FB8858 | |
| Source: | Code function: | 0_2_00FC545F | |
| Source: | Code function: | 0_2_00F6E800 | |
| Source: | Code function: | 0_2_00F8DBB5 | |
| Source: | Code function: | 0_2_00F6E060 | |
| Source: | Code function: | 0_2_00FE804A | |
| Source: | Code function: | 0_2_00F74140 | |
| Source: | Code function: | 0_2_00F82405 | |
| Source: | Code function: | 0_2_00F96522 | |
| Source: | Code function: | 0_2_00F9267E | |
| Source: | Code function: | 0_2_00FE0665 | |
| Source: | Code function: | 0_2_00F76843 | |
| Source: | Code function: | 0_2_00F8283A | |
| Source: | Code function: | 0_2_00F989DF | |
| Source: | Code function: | 0_2_00FE0AE2 | |
| Source: | Code function: | 0_2_00F96A94 | |
| Source: | Code function: | 0_2_00F78A0E | |
| Source: | Code function: | 0_2_00FC8B13 | |
| Source: | Code function: | 0_2_00FBEB07 | |
| Source: | Code function: | 0_2_00F8CD61 | |
| Source: | Code function: | 0_2_00F97006 | |
| Source: | Code function: | 0_2_00F73190 | |
| Source: | Code function: | 0_2_00F7710E | |
| Source: | Code function: | 0_2_00F61287 | |
| Source: | Code function: | 0_2_00F833C7 | |
| Source: | Code function: | 0_2_00F8F419 | |
| Source: | Code function: | 0_2_00F816C4 | |
| Source: | Code function: | 0_2_00F75680 | |
| Source: | Code function: | 0_2_00F878D3 | |
| Source: | Code function: | 0_2_00F758C0 | |
| Source: | Code function: | 0_2_00F81BB8 | |
| Source: | Code function: | 0_2_00F99D05 | |
| Source: | Code function: | 0_2_00F6FE40 | |
| Source: | Code function: | 0_2_00F8BFE6 | |
| Source: | Code function: | 0_2_00F81FD0 | |
| Source: | Code function: | 0_2_011B3600 | |
| Source: | Code function: | 1_2_00408C60 | |
| Source: | Code function: | 1_2_0040DC11 | |
| Source: | Code function: | 1_2_00407C3F | |
| Source: | Code function: | 1_2_00418CCC | |
| Source: | Code function: | 1_2_00406CA0 | |
| Source: | Code function: | 1_2_004028B0 | |
| Source: | Code function: | 1_2_0041A4BE | |
| Source: | Code function: | 1_2_00408C60 | |
| Source: | Code function: | 1_2_00418244 | |
| Source: | Code function: | 1_2_00401650 | |
| Source: | Code function: | 1_2_00402F20 | |
| Source: | Code function: | 1_2_004193C4 | |
| Source: | Code function: | 1_2_00418788 | |
| Source: | Code function: | 1_2_00402F89 | |
| Source: | Code function: | 1_2_00402B90 | |
| Source: | Code function: | 1_2_004073A0 | |
| Source: | Code function: | 1_2_0272D8C0 | |
| Source: | Code function: | 1_2_0272CCA8 | |
| Source: | Code function: | 1_2_0272CFF0 | |
| Source: | Code function: | 1_2_02721030 | |
| Source: | Code function: | 1_2_02721024 | |
| Source: | Code function: | 1_2_0612D748 | |
| Source: | Code function: | 1_2_0612A520 | |
| Source: | Code function: | 1_2_06129D58 | |
| Source: | Code function: | 1_2_0612FA00 | |
| Source: | Code function: | 1_2_06126AC8 | |
| Source: | Code function: | 1_2_06120006 | |
| Source: | Code function: | 1_2_06120040 | |
| Source: | Code function: | 1_2_06770F10 | |
| Source: | Code function: | 1_2_0677AFF8 | |
| Source: | Code function: | 1_2_06775D20 | |
| Source: | Code function: | 1_2_0677E780 | |
| Source: | Code function: | 1_2_067792D0 | |
| Source: | Code function: | 1_2_06772010 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_00FCA2D5 | |
| Source: | Code function: | 0_2_00FB8713 | |
| Source: | Code function: | 0_2_00FB8CC3 | |
| Source: | Code function: | 0_2_00FCB59E | |
| Source: | Code function: | 0_2_00FDF121 | |
| Source: | Code function: | 0_2_00FD86D0 | |
| Source: | Code function: | 0_2_00F64FE9 | |
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
Data Obfuscation | |
|---|
| Source: | .Net Code: | ||
| Source: | .Net Code: | ||
| Source: | .Net Code: | ||
| Source: | .Net Code: | ||
| Source: | Code function: | 0_2_00FDC304 | |
| Source: | Code function: | 0_2_00FC871B | |
| Source: | Code function: | 0_2_00F8E951 | |
| Source: | Code function: | 0_2_00F8EA6A | |
| Source: | Code function: | 0_2_00F88B98 | |
| Source: | Code function: | 0_2_00F8EC45 | |
| Source: | Code function: | 0_2_00F8ED2E | |
| Source: | Code function: | 1_2_0041C4E2 | |
| Source: | Code function: | 1_2_00423179 | |
| Source: | Code function: | 1_2_0041C4E2 | |
| Source: | Code function: | 1_2_00423179 | |
| Source: | Code function: | 1_2_0040E230 | |
| Source: | Code function: | 1_2_0041C6BF | |
| Source: | Code function: | 1_2_0040BBA3 | |
| Source: | Code function: | 1_2_02724365 | |
| Source: | Code function: | 1_2_02724F60 | |
| Source: | Code function: | 1_2_0677ACB7 | |
| Source: | High entropy of concatenated method names: | ||
| Source: | High entropy of concatenated method names: | ||
| Source: | High entropy of concatenated method names: | ||
| Source: | High entropy of concatenated method names: | ||
| Source: | Code function: | 0_2_00F64A35 | |
| Source: | Code function: | 0_2_00FE55FD | |
| Source: | Code function: | 0_2_00F833C7 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | HTTP traffic detected: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | API/Special instruction interceptor: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 1_2_004019F0 | |
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Evasive API call chain: | graph_0-99126 | ||
| Source: | API coverage: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Code function: | 0_2_00FC4696 | |
| Source: | Code function: | 0_2_00FCC9C7 | |
| Source: | Code function: | 0_2_00FCC93C | |
| Source: | Code function: | 0_2_00FCF200 | |
| Source: | Code function: | 0_2_00FCF35D | |
| Source: | Code function: | 0_2_00FCF65E | |
| Source: | Code function: | 0_2_00FC3A2B | |
| Source: | Code function: | 0_2_00FC3D4E | |
| Source: | Code function: | 0_2_00FCBF27 | |
| Source: | Code function: | 0_2_00F64AFE | |
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | API call chain: | graph_0-97740 | ||
| Source: | API call chain: | graph_0-97814 | ||
| Source: | API call chain: | |||
Anti Debugging | |
|---|
| Source: | Code function: | 1_2_06121BF4 | |
| Source: | Process queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_00FD41FD | |
| Source: | Code function: | 0_2_00F63B4C | |
| Source: | Code function: | 0_2_00F95CCC | |
| Source: | Code function: | 1_2_004019F0 | |
| Source: | Code function: | 0_2_00FDC304 | |
| Source: | Code function: | 0_2_011B3490 | |
| Source: | Code function: | 0_2_011B34F0 | |
| Source: | Code function: | 0_2_011B1E70 | |
| Source: | Code function: | 0_2_00FB81F7 | |
| Source: | Code function: | 0_2_00F8A395 | |
| Source: | Code function: | 0_2_00F8A364 | |
| Source: | Code function: | 1_2_0040CE09 | |
| Source: | Code function: | 1_2_0040E61C | |
| Source: | Code function: | 1_2_00416F6A | |
| Source: | Code function: | 1_2_004123F1 | |
| Source: | Memory allocated: | Jump to behavior | ||
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Code function: | 0_2_00FB8C93 | |
| Source: | Code function: | 0_2_00F63B4C | |
| Source: | Code function: | 0_2_00F64A35 | |
| Source: | Code function: | 0_2_00FC4EF5 | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00FB81F7 | |
| Source: | Code function: | 0_2_00FC4C03 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_00F8886B | |
| Source: | Code function: | 1_2_00417A20 | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_00F950D7 | |
| Source: | Code function: | 0_2_00FA2230 | |
| Source: | Code function: | 0_2_00F9418A | |
| Source: | Code function: | 0_2_00F64AFE | |
| Source: | Key value queried: | Jump to behavior | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Code function: | 0_2_00FD6596 | |
| Source: | Code function: | 0_2_00FD6A5A | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 221 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 11 Disable or Modify Tools | 2 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | 2 Native API | 2 Valid Accounts | 1 DLL Side-Loading | 11 Deobfuscate/Decode Files or Information | 121 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 2 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 2 Valid Accounts | 2 Obfuscated Files or Information | 1 Credentials in Registry | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 21 Access Token Manipulation | 1 Software Packing | NTDS | 148 System Information Discovery | Distributed Component Object Model | 121 Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 212 Process Injection | 1 DLL Side-Loading | LSA Secrets | 661 Security Software Discovery | SSH | 3 Clipboard Data | 23 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Valid Accounts | Cached Domain Credentials | 231 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 231 Virtualization/Sandbox Evasion | DCSync | 2 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 212 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 88% | ReversingLabs | Win32.Spyware.RedLine | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| divanrestoran.com | 185.149.100.122 | true | true | unknown | |
| api.ipify.org | 104.26.13.205 | true | false | unknown | |
| ip-api.com | 208.95.112.1 | true | true | unknown | |
| mail.divanrestoran.com | unknown | unknown | true | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false |
| unknown | |
| false |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | true | |
| 104.26.13.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false | |
| 185.149.100.122 | divanrestoran.com | Turkey | 209853 | VERIDYENVeridyenBilisimTeknolojileriSanayiveTicaretLi | true |
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1466952 |
| Start date and time: | 2024-07-03 15:41:06 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 9m 7s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 6 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | tgBNtoWqIp.exerenamed because original name is a hash value |
| Original Sample Name: | 934284591d9e31d5c4868a6608b88c2dd2124fdd45b0248db35f4741d4634bc7.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@3/4@3/3 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing disassembly code.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: tgBNtoWqIp.exe
| Time | Type | Description |
|---|---|---|
| 09:41:58 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 208.95.112.1 | Get hash | malicious | AgentTesla | Browse |
| |
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| 104.26.13.205 | Get hash | malicious | Ficker Stealer, Rusty Stealer | Browse |
| |
| Get hash | malicious | Targeted Ransomware, TrojanRansom | Browse |
| ||
| Get hash | malicious | Targeted Ransomware, TrojanRansom | Browse |
| ||
| Get hash | malicious | Stealit | Browse |
| ||
| Get hash | malicious | PureLog Stealer, Targeted Ransomware | Browse |
| ||
| Get hash | malicious | Stealit | Browse |
| ||
| Get hash | malicious | Stealit | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| ip-api.com | Get hash | malicious | AgentTesla | Browse |
| |
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| api.ipify.org | Get hash | malicious | AgentTesla | Browse |
| |
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | HTMLPhisher | Browse |
| |
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | DBatLoader, FormBook | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| VERIDYENVeridyenBilisimTeknolojileriSanayiveTicaretLi | Get hash | malicious | FormBook | Browse |
| |
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Fake Captcha | Browse |
| ||
| Get hash | malicious | Fake Captcha | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| TUT-ASUS | Get hash | malicious | AgentTesla | Browse |
| |
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 3b5074b1b5d032e5620f69f9f700ff0e | Get hash | malicious | AgentTesla | Browse |
| |
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | ScreenConnect Tool | Browse |
|
⊘No context
| Process: | C:\Users\user\Desktop\tgBNtoWqIp.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 273408 |
| Entropy (8bit): | 7.901527707668303 |
| Encrypted: | false |
| SSDEEP: | 6144:0+q1+sKghUK4KARlIA3K/jRYxzpdJkPiiq5PPAfVp3u:0ZXK+FAR2A3K/sFdJkPivP0p3u |
| MD5: | D688190635E5DEAA37C8CB29376C382B |
| SHA1: | C70E95F30798DAC23C420646756B02EC75A8166A |
| SHA-256: | 637C26647510BB7AF7102A8FE14F77E0E41061DE33559AD10CD8CF0CADC8AD01 |
| SHA-512: | 8CA3D37640B1DC1026C6609A8BC7259768F9EAACE70108A4C3A31775A81C84A2B609A2DA2325AEAD93B6202B5E73D830C30F4D438B86CF1B05B7052FF1C6E6AD |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\tgBNtoWqIp.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 9844 |
| Entropy (8bit): | 7.6053992767011875 |
| Encrypted: | false |
| SSDEEP: | 192:6ZxWQa8nm1Wh8fpWAsdzNasmdge/rEfVThv5Umwg1BDOa+x7kCzUMbZJ:6Zx3a8nmYhzd0smr/rEfZhvumwg+Bh1r |
| MD5: | CEF6A7A2654179845017200F232F7430 |
| SHA1: | 07EBC32F891D320BA67684473E6B6040DD475BC2 |
| SHA-256: | 3479F0CFA3E6430F2B5396614DC07EB9C9E54F5F15E6A670FE695BF33FC975EE |
| SHA-512: | 7103ED6528598D3BDF42271DFE5097F8386F1C4587937705FDF0AD01830A1B6D2B2806EDAB727C84A0B1333A0556961CFDA0E2D7D4CB6C41D67E51D61DC43A75 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\tgBNtoWqIp.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 28756 |
| Entropy (8bit): | 3.5911478877536767 |
| Encrypted: | false |
| SSDEEP: | 768:AiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbA+IL26cz24vfF3if6gg:AiTZ+2QoioGRk6ZklputwjpjBkCiw2Rl |
| MD5: | 95461AB4ADEC596EB5CC95C71A808E83 |
| SHA1: | 2CAFADFC9E81E7644BCEBC8F11D2CA6DA6D30805 |
| SHA-256: | AF7593795ABAF3B59194051C9825FBBFF1CBE9BB4BBA0C41D793594CE3303A94 |
| SHA-512: | F54F11B1883D6642A6DF081615C3B5681DD017D280FCB1CB597CE9C08AA31947E6E4A6CEBF451D87FEA97805660C229A8F21573AE64FA7DC3425908099F71857 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\tgBNtoWqIp.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 273408 |
| Entropy (8bit): | 7.901527707668303 |
| Encrypted: | false |
| SSDEEP: | 6144:0+q1+sKghUK4KARlIA3K/jRYxzpdJkPiiq5PPAfVp3u:0ZXK+FAR2A3K/sFdJkPivP0p3u |
| MD5: | D688190635E5DEAA37C8CB29376C382B |
| SHA1: | C70E95F30798DAC23C420646756B02EC75A8166A |
| SHA-256: | 637C26647510BB7AF7102A8FE14F77E0E41061DE33559AD10CD8CF0CADC8AD01 |
| SHA-512: | 8CA3D37640B1DC1026C6609A8BC7259768F9EAACE70108A4C3A31775A81C84A2B609A2DA2325AEAD93B6202B5E73D830C30F4D438B86CF1B05B7052FF1C6E6AD |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.193285747534876 |
| TrID: |
|
| File name: | tgBNtoWqIp.exe |
| File size: | 1'237'504 bytes |
| MD5: | f78535a3f5e84f626e1018e587b5b588 |
| SHA1: | 8200afc4d351323230fcc4b0a76b529b5d052134 |
| SHA256: | 934284591d9e31d5c4868a6608b88c2dd2124fdd45b0248db35f4741d4634bc7 |
| SHA512: | 7538b16da90041b285721ec6d626ffa8ed7fd83c39d8f03fca6657cc7474ca1cffff48b92f48871a409d9fdf48620d09e455de4f0914a4883d2435521767a455 |
| SSDEEP: | 24576:+AHnh+eWsN3skA4RV1Hom2KXMmHaHFUc7+2b1Vck0VwCRla4CTwUUF5:ph+ZkldoPK8YaHFU2pbBgwilarM |
| TLSH: | 0545BE0273D2C036FFAB92739B6AF64156BD7D254123852F13981DB9BC701B2227E663 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR.. |
 | |
| Icon Hash: | aaf3e3e3938382a0 |
| Entrypoint: | 0x42800a |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x6678B03B [Sun Jun 23 23:31:07 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 1 |
| File Version Major: | 5 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 1 |
| Import Hash: | afcdf79be1557326c854b6e20cb900a7 |
| Instruction |
|---|
| call 00007FBDAD0CC2BDh |
| jmp 00007FBDAD0BF074h |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| push edi |
| push esi |
| mov esi, dword ptr [esp+10h] |
| mov ecx, dword ptr [esp+14h] |
| mov edi, dword ptr [esp+0Ch] |
| mov eax, ecx |
| mov edx, ecx |
| add eax, esi |
| cmp edi, esi |
| jbe 00007FBDAD0BF1FAh |
| cmp edi, eax |
| jc 00007FBDAD0BF55Eh |
| bt dword ptr [004C41FCh], 01h |
| jnc 00007FBDAD0BF1F9h |
| rep movsb |
| jmp 00007FBDAD0BF50Ch |
| cmp ecx, 00000080h |
| jc 00007FBDAD0BF3C4h |
| mov eax, edi |
| xor eax, esi |
| test eax, 0000000Fh |
| jne 00007FBDAD0BF200h |
| bt dword ptr [004BF324h], 01h |
| jc 00007FBDAD0BF6D0h |
| bt dword ptr [004C41FCh], 00000000h |
| jnc 00007FBDAD0BF39Dh |
| test edi, 00000003h |
| jne 00007FBDAD0BF3AEh |
| test esi, 00000003h |
| jne 00007FBDAD0BF38Dh |
| bt edi, 02h |
| jnc 00007FBDAD0BF1FFh |
| mov eax, dword ptr [esi] |
| sub ecx, 04h |
| lea esi, dword ptr [esi+04h] |
| mov dword ptr [edi], eax |
| lea edi, dword ptr [edi+04h] |
| bt edi, 03h |
| jnc 00007FBDAD0BF203h |
| movq xmm1, qword ptr [esi] |
| sub ecx, 08h |
| lea esi, dword ptr [esi+08h] |
| movq qword ptr [edi], xmm1 |
| lea edi, dword ptr [edi+08h] |
| test esi, 00000007h |
| je 00007FBDAD0BF255h |
| bt esi, 03h |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc0cc | 0x17c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x63a14 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x12c000 | 0x7134 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4b50 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x8dfdd | 0x8e000 | 310e36668512d53489c005622bb1b4a9 | False | 0.5735602580325704 | data | 6.675248351711057 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x8f000 | 0x2fd8e | 0x2fe00 | 748cf1ab2605ce1fd72d53d912abb68f | False | 0.32828818537859006 | data | 5.763244005758284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xbf000 | 0x8f74 | 0x5200 | aae9601d920f07080bdfadf43dfeff12 | False | 0.1017530487804878 | data | 1.1963819235530628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xc8000 | 0x63a14 | 0x63c00 | 846900e3ca7eb883cd78067f0a114c56 | False | 0.9333171796679198 | data | 7.907899821641048 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x12c000 | 0x7134 | 0x7200 | f04128ad0f87f42830e4a6cdbc38c719 | False | 0.7617530153508771 | data | 6.783955557128661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xc85a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216 |
| RT_ICON | 0xc86d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027 |
| RT_ICON | 0xc87f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135 |
| RT_ICON | 0xc8920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333 |
| RT_ICON | 0xc8c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5 |
| RT_ICON | 0xc8d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388 |
| RT_ICON | 0xc9bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524 |
| RT_ICON | 0xca480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918 |
| RT_ICON | 0xca9e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727 |
| RT_ICON | 0xccf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496 |
| RT_ICON | 0xce038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227 |
| RT_MENU | 0xce4a0 | 0x50 | data | English | Great Britain | 0.9 |
| RT_STRING | 0xce4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333 |
| RT_STRING | 0xcea84 | 0x68a | data | English | Great Britain | 0.2747909199522103 |
| RT_STRING | 0xcf110 | 0x490 | data | English | Great Britain | 0.3715753424657534 |
| RT_STRING | 0xcf5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282 |
| RT_STRING | 0xcfb9c | 0x65c | data | English | Great Britain | 0.34336609336609336 |
| RT_STRING | 0xd01f8 | 0x466 | data | English | Great Britain | 0.3605683836589698 |
| RT_STRING | 0xd0660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186 |
| RT_RCDATA | 0xd07b8 | 0x5acdc | data | 1.0003253282858158 | ||
| RT_GROUP_ICON | 0x12b494 | 0x76 | data | English | Great Britain | 0.6610169491525424 |
| RT_GROUP_ICON | 0x12b50c | 0x14 | data | English | Great Britain | 1.25 |
| RT_GROUP_ICON | 0x12b520 | 0x14 | data | English | Great Britain | 1.15 |
| RT_GROUP_ICON | 0x12b534 | 0x14 | data | English | Great Britain | 1.25 |
| RT_VERSION | 0x12b548 | 0xdc | data | English | Great Britain | 0.6181818181818182 |
| RT_MANIFEST | 0x12b624 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823 |
| DLL | Import |
|---|---|
| WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect |
| VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW |
| WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW |
| COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create |
| MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W |
| WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW |
| PSAPI.DLL | GetProcessMemoryInfo |
| IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho |
| USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW |
| UxTheme.dll | IsThemeActive |
| KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA |
| USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW |
| GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath |
| COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW |
| ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW |
| SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish |
| ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity |
| OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | Great Britain |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jul 3, 2024 15:41:57.903577089 CEST | 49730 | 443 | 192.168.2.4 | 104.26.13.205 |
| Jul 3, 2024 15:41:57.903624058 CEST | 443 | 49730 | 104.26.13.205 | 192.168.2.4 |
| Jul 3, 2024 15:41:57.903740883 CEST | 49730 | 443 | 192.168.2.4 | 104.26.13.205 |
| Jul 3, 2024 15:41:57.944159985 CEST | 49730 | 443 | 192.168.2.4 | 104.26.13.205 |
| Jul 3, 2024 15:41:57.944188118 CEST | 443 | 49730 | 104.26.13.205 | 192.168.2.4 |
| Jul 3, 2024 15:41:58.418356895 CEST | 443 | 49730 | 104.26.13.205 | 192.168.2.4 |
| Jul 3, 2024 15:41:58.418468952 CEST | 49730 | 443 | 192.168.2.4 | 104.26.13.205 |
| Jul 3, 2024 15:41:58.422472000 CEST | 49730 | 443 | 192.168.2.4 | 104.26.13.205 |
| Jul 3, 2024 15:41:58.422487020 CEST | 443 | 49730 | 104.26.13.205 | 192.168.2.4 |
| Jul 3, 2024 15:41:58.422780991 CEST | 443 | 49730 | 104.26.13.205 | 192.168.2.4 |
| Jul 3, 2024 15:41:58.472636938 CEST | 49730 | 443 | 192.168.2.4 | 104.26.13.205 |
| Jul 3, 2024 15:41:58.475774050 CEST | 49730 | 443 | 192.168.2.4 | 104.26.13.205 |
| Jul 3, 2024 15:41:58.516501904 CEST | 443 | 49730 | 104.26.13.205 | 192.168.2.4 |
| Jul 3, 2024 15:41:58.582717896 CEST | 443 | 49730 | 104.26.13.205 | 192.168.2.4 |
| Jul 3, 2024 15:41:58.582784891 CEST | 443 | 49730 | 104.26.13.205 | 192.168.2.4 |
| Jul 3, 2024 15:41:58.582828045 CEST | 49730 | 443 | 192.168.2.4 | 104.26.13.205 |
| Jul 3, 2024 15:41:58.592498064 CEST | 49730 | 443 | 192.168.2.4 | 104.26.13.205 |
| Jul 3, 2024 15:41:58.606018066 CEST | 49731 | 80 | 192.168.2.4 | 208.95.112.1 |
| Jul 3, 2024 15:41:58.611259937 CEST | 80 | 49731 | 208.95.112.1 | 192.168.2.4 |
| Jul 3, 2024 15:41:58.611377954 CEST | 49731 | 80 | 192.168.2.4 | 208.95.112.1 |
| Jul 3, 2024 15:41:58.611532927 CEST | 49731 | 80 | 192.168.2.4 | 208.95.112.1 |
| Jul 3, 2024 15:41:58.616312981 CEST | 80 | 49731 | 208.95.112.1 | 192.168.2.4 |
| Jul 3, 2024 15:41:59.084893942 CEST | 80 | 49731 | 208.95.112.1 | 192.168.2.4 |
| Jul 3, 2024 15:41:59.128928900 CEST | 49731 | 80 | 192.168.2.4 | 208.95.112.1 |
| Jul 3, 2024 15:41:59.624568939 CEST | 49731 | 80 | 192.168.2.4 | 208.95.112.1 |
| Jul 3, 2024 15:41:59.635926962 CEST | 80 | 49731 | 208.95.112.1 | 192.168.2.4 |
| Jul 3, 2024 15:41:59.636042118 CEST | 49731 | 80 | 192.168.2.4 | 208.95.112.1 |
| Jul 3, 2024 15:41:59.708853960 CEST | 49732 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:41:59.722313881 CEST | 587 | 49732 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:41:59.722387075 CEST | 49732 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:01.026453018 CEST | 587 | 49732 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:01.026885033 CEST | 49732 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:01.031685114 CEST | 587 | 49732 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:01.316344023 CEST | 587 | 49732 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:01.316904068 CEST | 49732 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:01.322115898 CEST | 587 | 49732 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:01.595746994 CEST | 587 | 49732 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:01.596421957 CEST | 49732 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:01.613063097 CEST | 587 | 49732 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:01.956140041 CEST | 587 | 49732 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:01.956175089 CEST | 587 | 49732 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:01.956188917 CEST | 587 | 49732 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:01.956274986 CEST | 49732 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:01.984234095 CEST | 49732 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:01.990566015 CEST | 587 | 49732 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:02.262160063 CEST | 587 | 49732 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:02.264874935 CEST | 49732 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:02.276073933 CEST | 587 | 49732 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:02.554359913 CEST | 587 | 49732 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:02.555479050 CEST | 49732 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:02.570308924 CEST | 587 | 49732 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:02.841550112 CEST | 587 | 49732 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:02.841991901 CEST | 49732 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:02.846838951 CEST | 587 | 49732 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:03.251391888 CEST | 587 | 49732 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:03.251739025 CEST | 49732 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:03.256623983 CEST | 587 | 49732 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:03.527324915 CEST | 587 | 49732 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:03.527559996 CEST | 49732 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:03.532421112 CEST | 587 | 49732 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:03.839095116 CEST | 587 | 49732 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:03.839411020 CEST | 49732 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:03.844373941 CEST | 587 | 49732 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:04.114902973 CEST | 587 | 49732 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:04.115427971 CEST | 49732 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:04.115473986 CEST | 49732 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:04.115502119 CEST | 49732 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:04.115510941 CEST | 49732 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:04.120409966 CEST | 587 | 49732 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:04.120421886 CEST | 587 | 49732 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:04.120433092 CEST | 587 | 49732 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:04.121041059 CEST | 587 | 49732 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:04.582545996 CEST | 587 | 49732 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:04.628880978 CEST | 49732 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:04.633296967 CEST | 49732 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:04.638225079 CEST | 587 | 49732 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:04.911258936 CEST | 587 | 49732 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:04.911919117 CEST | 49732 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:04.913486958 CEST | 49733 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:04.918998957 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:04.919102907 CEST | 49733 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:06.144145012 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:06.144407034 CEST | 49733 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:06.149337053 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:06.430387020 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:06.430567026 CEST | 49733 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:06.435400963 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:06.783358097 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:06.784080982 CEST | 49733 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:06.788837910 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:07.150317907 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:07.150332928 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:07.150343895 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:07.150440931 CEST | 49733 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:07.151968956 CEST | 49733 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:07.156749964 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:07.438640118 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:07.439644098 CEST | 49733 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:07.444582939 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:07.725658894 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:07.725975990 CEST | 49733 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:07.730844021 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:08.012609005 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:08.012938023 CEST | 49733 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:08.017703056 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:08.388463020 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:08.388788939 CEST | 49733 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:08.653810978 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:08.653915882 CEST | 49733 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:08.655102968 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:08.936711073 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:08.937005043 CEST | 49733 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:08.941838026 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:09.264983892 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:09.265230894 CEST | 49733 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:09.270512104 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:09.553014994 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:09.554876089 CEST | 49733 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:09.555013895 CEST | 49733 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:09.555066109 CEST | 49733 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:09.555213928 CEST | 49733 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:09.555392027 CEST | 49733 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:09.555476904 CEST | 49733 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:09.555531025 CEST | 49733 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:09.555548906 CEST | 49733 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:09.555573940 CEST | 49733 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:09.559756994 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:09.559905052 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:09.559914112 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:09.560026884 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:09.560488939 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:09.560497999 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:09.560507059 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:09.560514927 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:09.560606956 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:09.560616016 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:09.560622931 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:09.560631037 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:10.039655924 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:10.082079887 CEST | 49733 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:42:10.318591118 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:42:10.318705082 CEST | 49733 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:43:44.661151886 CEST | 49733 | 587 | 192.168.2.4 | 185.149.100.122 |
| Jul 3, 2024 15:43:44.666001081 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:43:44.949302912 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 |
| Jul 3, 2024 15:43:44.949841022 CEST | 49733 | 587 | 192.168.2.4 | 185.149.100.122 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jul 3, 2024 15:41:57.775882006 CEST | 50240 | 53 | 192.168.2.4 | 1.1.1.1 |
| Jul 3, 2024 15:41:57.783243895 CEST | 53 | 50240 | 1.1.1.1 | 192.168.2.4 |
| Jul 3, 2024 15:41:58.597548962 CEST | 51796 | 53 | 192.168.2.4 | 1.1.1.1 |
| Jul 3, 2024 15:41:58.605283976 CEST | 53 | 51796 | 1.1.1.1 | 192.168.2.4 |
| Jul 3, 2024 15:41:59.625339985 CEST | 60216 | 53 | 192.168.2.4 | 1.1.1.1 |
| Jul 3, 2024 15:41:59.706988096 CEST | 53 | 60216 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Jul 3, 2024 15:41:57.775882006 CEST | 192.168.2.4 | 1.1.1.1 | 0xfe04 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jul 3, 2024 15:41:58.597548962 CEST | 192.168.2.4 | 1.1.1.1 | 0x8f19 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jul 3, 2024 15:41:59.625339985 CEST | 192.168.2.4 | 1.1.1.1 | 0xd15c | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jul 3, 2024 15:41:57.783243895 CEST | 1.1.1.1 | 192.168.2.4 | 0xfe04 | No error (0) | 104.26.13.205 | A (IP address) | IN (0x0001) | false | ||
| Jul 3, 2024 15:41:57.783243895 CEST | 1.1.1.1 | 192.168.2.4 | 0xfe04 | No error (0) | 172.67.74.152 | A (IP address) | IN (0x0001) | false | ||
| Jul 3, 2024 15:41:57.783243895 CEST | 1.1.1.1 | 192.168.2.4 | 0xfe04 | No error (0) | 104.26.12.205 | A (IP address) | IN (0x0001) | false | ||
| Jul 3, 2024 15:41:58.605283976 CEST | 1.1.1.1 | 192.168.2.4 | 0x8f19 | No error (0) | 208.95.112.1 | A (IP address) | IN (0x0001) | false | ||
| Jul 3, 2024 15:41:59.706988096 CEST | 1.1.1.1 | 192.168.2.4 | 0xd15c | No error (0) | divanrestoran.com | CNAME (Canonical name) | IN (0x0001) | false | ||
| Jul 3, 2024 15:41:59.706988096 CEST | 1.1.1.1 | 192.168.2.4 | 0xd15c | No error (0) | 185.149.100.122 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49731 | 208.95.112.1 | 80 | 7452 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jul 3, 2024 15:41:58.611532927 CEST | 80 | OUT | |
| Jul 3, 2024 15:41:59.084893942 CEST | 175 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49730 | 104.26.13.205 | 443 | 7452 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-07-03 13:41:58 UTC | 155 | OUT | |
| 2024-07-03 13:41:58 UTC | 211 | IN | |
| 2024-07-03 13:41:58 UTC | 11 | IN |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
|---|---|---|---|---|---|
| Jul 3, 2024 15:42:01.026453018 CEST | 587 | 49732 | 185.149.100.122 | 192.168.2.4 | 220-ronin.veridyen.com ESMTP Exim 4.96 #2 Wed, 03 Jul 2024 16:42:00 +0300 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail. |
| Jul 3, 2024 15:42:01.026885033 CEST | 49732 | 587 | 192.168.2.4 | 185.149.100.122 | EHLO 642294 |
| Jul 3, 2024 15:42:01.316344023 CEST | 587 | 49732 | 185.149.100.122 | 192.168.2.4 | 250-ronin.veridyen.com Hello 642294 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP |
| Jul 3, 2024 15:42:01.316904068 CEST | 49732 | 587 | 192.168.2.4 | 185.149.100.122 | STARTTLS |
| Jul 3, 2024 15:42:01.595746994 CEST | 587 | 49732 | 185.149.100.122 | 192.168.2.4 | 220 TLS go ahead |
| Jul 3, 2024 15:42:06.144145012 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 | 220-ronin.veridyen.com ESMTP Exim 4.96 #2 Wed, 03 Jul 2024 16:42:05 +0300 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail. |
| Jul 3, 2024 15:42:06.144407034 CEST | 49733 | 587 | 192.168.2.4 | 185.149.100.122 | EHLO 642294 |
| Jul 3, 2024 15:42:06.430387020 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 | 250-ronin.veridyen.com Hello 642294 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP |
| Jul 3, 2024 15:42:06.430567026 CEST | 49733 | 587 | 192.168.2.4 | 185.149.100.122 | STARTTLS |
| Jul 3, 2024 15:42:06.783358097 CEST | 587 | 49733 | 185.149.100.122 | 192.168.2.4 | 220 TLS go ahead |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 09:41:55 |
| Start date: | 03/07/2024 |
| Path: | C:\Users\user\Desktop\tgBNtoWqIp.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xf60000 |
| File size: | 1'237'504 bytes |
| MD5 hash: | F78535A3F5E84F626E1018E587B5B588 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 09:41:56 |
| Start date: | 03/07/2024 |
| Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x630000 |
| File size: | 45'984 bytes |
| MD5 hash: | 9D352BC46709F0CB5EC974633A0C3C94 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | high |
| Has exited: | false |
Execution Graph
| Execution Coverage: | 4.1% |
| Dynamic/Decrypted Code Coverage: | 0.4% |
| Signature Coverage: | 2.6% |
| Total number of Nodes: | 2000 |
| Total number of Limit Nodes: | 159 |
Graph
Function 00F63B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F64AFE Relevance: 10.7, APIs: 7, Instructions: 223COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC4696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F6E800 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F70B30 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC93DF Relevance: 19.8, APIs: 13, Instructions: 322fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F63015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 72windowregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F63041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54windowregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F671EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F63A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71windowregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F63633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151windowtimeregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 011B25E0 Relevance: 10.7, APIs: 7, Instructions: 239fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 011B23B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 144fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F6410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F635B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC97E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F8493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FDCDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F6F8CF Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F643DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F8594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC8F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F6492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F65DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F72123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F6766F Relevance: 1.6, APIs: 1, Instructions: 103COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F65C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FA00D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F64F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FA01AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F65D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F67F41 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F84A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F64FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F809D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC9129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F65DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F8548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FCD2E6 Relevance: 1.4, APIs: 1, Instructions: 198COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F80E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 011B22A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FECDAC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F64A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FCC9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FCF200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE0AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FCF35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F76843 Relevance: 19.6, Strings: 15, Instructions: 883COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FD86D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FD4458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC3A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FCF65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F758C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FD6596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F75680 Relevance: 8.0, APIs: 5, Instructions: 516COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F61287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE55FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FDC304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F73190 Relevance: 6.6, APIs: 4, Instructions: 587COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC40B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FBEB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FCB59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB8CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC4C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F6E060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FCC93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FCA2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB8713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F8F419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F9267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC8B13 Relevance: 1.6, APIs: 1, Instructions: 68COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC4EF5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB8C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FA2230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F8A364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F78A0E Relevance: .6, Instructions: 608COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F82405 Relevance: .3, Instructions: 345COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F8283A Relevance: .3, Instructions: 341COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F81BB8 Relevance: .3, Instructions: 323COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 011B3600 Relevance: .1, Instructions: 92COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 011B3490 Relevance: .0, Instructions: 35COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 011B34F0 Relevance: .0, Instructions: 35COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 011B1E70 Relevance: .0, Instructions: 6COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FD7B1B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE37F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FEA849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F62C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FD77BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE8C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE4B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F627D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE4069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FD52F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FBAA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FEA428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FEC8EE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE4619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FEBAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FCA45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FEC49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FD762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC48F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC5217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FCD7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FBC72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F6201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F621A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE73C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F87040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FD5A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB9471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB9645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FD8BC0 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F6FBBD Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F62E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FEC27C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FD8F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE88B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB9B50 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE6FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC3226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC4534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F62A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC7368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE6442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FBC072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F61424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FD6E8A Relevance: 10.7, APIs: 7, Instructions: 212COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F62344 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111keyboardCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC38AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE7500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FBE0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F841C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F8429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE5A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FBF3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC26F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F61765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FEB958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FD73B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB8D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB8AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FEC19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC74D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB8E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC2F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FBDA5D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC2C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC0FE6 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 105keyboardwindowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC1121 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101keyboardwindowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB9372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FD1B21 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE6656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FBA52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FDEE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FCE7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FEA2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB6920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FBB6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FEB405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB97E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F612F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FBC161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC4D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC54E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB7652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB85F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB8652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F613B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE7648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE6F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F64C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F64D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F64D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE1072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FD93F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB76C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FDE33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FD83A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB7A78 Relevance: 6.2, APIs: 4, Instructions: 231COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB6DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE9A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FD672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FCBA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE8AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FEADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE5175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FEC788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F80BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB8B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FD1A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FBE1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FD667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB9023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F61290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC1652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FEB57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FEB8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC6E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FEC00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F62218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB8C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FA2187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FA219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FCB217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F72AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FD2882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC2D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE6943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE6B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC2E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FD24CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FD80A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB92E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB91DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB9264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB81BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE5BEB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|