Edit tour
Windows
Analysis Report
StretchInstall.exe
Overview
General Information
| Sample name: | StretchInstall.exe |
| Analysis ID: | 1467084 |
| MD5: | 3f82a2195043cd2877b674cb321e2cf7 |
| SHA1: | c2925fed17cba166db7164abdc0eb1f41de9717d |
| SHA256: | 8f77b3b68bdfa80e0688a09c5e08ed765b6783192f4792524b8a1eec7ed7b608 |
| Infos: |  |
 | |
Detection
| Score: | 24 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 0% |
Signatures
Contains functionality to register a low level keyboard hook
Installs a global keyboard hook
Checks for available system drives (often done to infect USB drives)
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to create guard pages, often used to hinder reverse usering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a global mouse hook
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
StretchInstall.exe (PID: 884 cmdline: "C:\Users\ user\Deskt op\Stretch Install.ex e" MD5: 3F82A2195043CD2877B674CB321E2CF7) 
setup.exe (PID: 5788 cmdline: C:\Users\u ser\AppDat a\Local\Te mp\IXP000. TMP\setup. exe MD5: E98B8B16179129CC1B75C3D0A7B67CD4) 
msiexec.exe (PID: 5040 cmdline: "C:\Window s\SysWOW64 \msiexec.e xe" -I "C: \Users\use r\AppData\ Local\Temp \IXP000.TM P\StretchW are.msi" MD5: 9D09DC1EDA745A5F87553048E57620CF)
- msiexec.exe (PID: 6936 cmdline:
C:\Windows \system32\ msiexec.ex e /V MD5: E5DA170027542E25EDE42FC54C929077)
rundll32.exe (PID: 2156 cmdline: "C:\Window s\system32 \rundll32. exe" C:\Wi ndows\syst em32\advpa ck.dll,Del NodeRunDLL 32 "C:\Use rs\user\Ap pData\Loca l\Temp\IXP 000.TMP\" MD5: EF3179D498793BF4234F708D3BE28633)
StchCtrl.exe (PID: 3360 cmdline: "C:\Progra m Files (x 86)\Shelte r Publicat ions\Stret chWare\Stc hCtrl.exe" MD5: A76894A90372756D69A9F51704EF43F5)
- cleanup
⊘No configs have been found
⊘No yara matches
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
| Source: | Code function: | 0_2_01006205 | |
| Source: | Static PE information: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Code function: | 0_2_01002A96 | |
| Source: | Code function: | 2_2_00D2DE9F | |
| Source: | Code function: | 11_2_00F83089 | |
| Source: | Code function: | 11_2_00F83477 | |
| Source: | Code function: | 11_2_00F7D99C | |
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
Key, Mouse, Clipboard, Microphone and Screen Capturing |   |
|---|
| Source: | Code function: | 11_2_73F712A0 | |
| Source: | Windows user hook set: | Jump to behavior | ||
| Source: | Windows user hook set: | Jump to behavior | ||
| Source: | Code function: | 11_2_0100969E | |
| Source: | Code function: | 11_2_00F7A00F | |
| Source: | Windows user hook set: | Jump to behavior | ||
| Source: | Code function: | 11_2_00FC0035 | |
| Source: | Code function: | 11_2_00FB235A | |
| Source: | Code function: | 11_2_00F94665 | |
| Source: | Code function: | 11_2_00F927D9 | |
| Source: | Code function: | 11_2_00FC0BF8 | |
| Source: | Code function: | 11_2_00F6F1C6 | |
| Source: | Code function: | 11_2_00FB3910 | |
| Source: | Code function: | 11_2_00F6DAD0 | |
| Source: | Code function: | 11_2_00F6DA80 | |
| Source: | Code function: | 11_2_00FDBC1B | |
| Source: | Code function: | 11_2_00F75E51 | |
| Source: | Code function: | 11_2_00FCDF74 | |
| Source: | Code function: | 11_2_73F71160 | |
| Source: | Code function: | 0_2_01002251 | |
| Source: | Code function: | 0_2_010019C3 | |
| Source: | Code function: | 2_2_00D4509A | |
| Source: | Code function: | 2_2_00D41C67 | |
| Source: | Code function: | 11_2_00F61CE0 | |
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File deleted: | Jump to behavior | ||
| Source: | Code function: | 0_2_0100871A | |
| Source: | Code function: | 0_2_01009A1F | |
| Source: | Code function: | 0_2_01008A3E | |
| Source: | Code function: | 0_2_01009175 | |
| Source: | Code function: | 0_2_01008DBD | |
| Source: | Code function: | 0_2_010095E5 | |
| Source: | Code function: | 2_2_00D4509A | |
| Source: | Code function: | 2_2_00D611BB | |
| Source: | Code function: | 2_2_00D64334 | |
| Source: | Code function: | 2_2_00D5C5BF | |
| Source: | Code function: | 2_2_00D62656 | |
| Source: | Code function: | 2_2_00D6070F | |
| Source: | Code function: | 2_2_00D6189C | |
| Source: | Code function: | 2_2_00D51A79 | |
| Source: | Code function: | 2_2_00D60C65 | |
| Source: | Code function: | 2_2_00D50DF0 | |
| Source: | Code function: | 11_2_00FE40F6 | |
| Source: | Code function: | 11_2_00FA421B | |
| Source: | Code function: | 11_2_0100A9CA | |
| Source: | Code function: | 11_2_00FE4A45 | |
| Source: | Code function: | 11_2_00FE2E85 | |
| Source: | Code function: | 11_2_00F972BF | |
| Source: | Code function: | 11_2_0106353C | |
| Source: | Code function: | 11_2_01071C17 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_0100456A | |
| Source: | Code function: | 0_2_010019C3 | |
| Source: | Code function: | 0_2_01006A45 | |
| Source: | Code function: | 2_2_00D43221 | |
| Source: | Code function: | 11_2_00F85619 | |
| Source: | Code function: | 0_2_01004819 | |
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | String found in binary or memory: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | LNK file: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Window detected: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_01006205 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 2_2_00D53248 | |
| Source: | Code function: | 2_2_00D4F47C | |
| Source: | Code function: | 11_2_00FEC1D7 | |
| Source: | Code function: | 11_2_01062F68 | |
| Source: | Code function: | 11_2_01062EED | |
| Source: | Code function: | 11_2_6BCF2298 | |
| Source: | Code function: | 11_2_73F725C8 | |
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | Code function: | 0_2_010026E2 | |
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Code function: | 11_2_00FD6205 | |
| Source: | Code function: | 11_2_00FD0420 | |
| Source: | Code function: | 11_2_00FCE541 | |
| Source: | Code function: | 11_2_00F9AD43 | |
| Source: | Code function: | 11_2_00FCEFD0 | |
| Source: | Code function: | 11_2_00FCEFD0 | |
| Source: | Code function: | 11_2_00FCEFD0 | |
| Source: | Code function: | 11_2_00FCF2D0 | |
| Source: | Code function: | 11_2_00FCF85B | |
| Source: | Code function: | 11_2_00F6F9C7 | |
| Source: | Code function: | 11_2_00F8FDC9 | |
| Source: | Code function: | 11_2_00F8FE6D | |
| Source: | Code function: | 11_2_00FAFE0D | |
| Source: | Code function: | 11_2_00F865FF | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Code function: | 2_2_00D43221 | |
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Evaded block: | graph_2-28535 | ||
| Source: | Check user administrative privileges: | graph_0-3700 | ||
| Source: | API coverage: | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_01002A96 | |
| Source: | Code function: | 2_2_00D2DE9F | |
| Source: | Code function: | 11_2_00F83089 | |
| Source: | Code function: | 11_2_00F83477 | |
| Source: | Code function: | 11_2_00F7D99C | |
| Source: | Code function: | 0_2_010052D4 | |
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | API call chain: | graph_0-3511 | ||
| Source: | API call chain: | graph_2-28175 | ||
| Source: | API call chain: | graph_11-85008 | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 2_2_00D55243 | |
| Source: | Code function: | 2_2_00D43221 | |
| Source: | Code function: | 11_2_0106333A | |
| Source: | Code function: | 0_2_01006205 | |
| Source: | Code function: | 2_2_00D66CAC | |
| Source: | Code function: | 0_2_010064DE | |
| Source: | Code function: | 2_2_00D55243 | |
| Source: | Code function: | 2_2_00D4EF49 | |
| Source: | Code function: | 11_2_01060BBE | |
| Source: | Code function: | 11_2_01068E21 | |
| Source: | Code function: | 11_2_6BCF3EF6 | |
| Source: | Code function: | 11_2_6BCF3719 | |
| Source: | Code function: | 11_2_73F74226 | |
| Source: | Code function: | 11_2_73F73A49 | |
| Source: | Code function: | 2_2_00D2B0F4 | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_01001760 | |
| Source: | Code function: | 2_2_00D5C081 | |
| Source: | Code function: | 2_2_00D60070 | |
| Source: | Code function: | 2_2_00D5C021 | |
| Source: | Code function: | 2_2_00D601AF | |
| Source: | Code function: | 2_2_00D5C257 | |
| Source: | Code function: | 2_2_00D563CD | |
| Source: | Code function: | 2_2_00D5C3C9 | |
| Source: | Code function: | 2_2_00D5C388 | |
| Source: | Code function: | 2_2_00D5C31C | |
| Source: | Code function: | 2_2_00D5B67C | |
| Source: | Code function: | 2_2_00D5B974 | |
| Source: | Code function: | 2_2_00D4FADD | |
| Source: | Code function: | 2_2_00D5AA0C | |
| Source: | Code function: | 2_2_00D5DC25 | |
| Source: | Code function: | 2_2_00D5DD04 | |
| Source: | Code function: | 2_2_00D5BE6C | |
| Source: | Code function: | 2_2_00D5BF75 | |
| Source: | Code function: | 11_2_00F7F6EB | |
| Source: | Code function: | 11_2_00FB5CD0 | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_0100646B | |
| Source: | Code function: | 11_2_01069115 | |
| Source: | Code function: | 0_2_0100488C | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | 1 Replication Through Removable Media | 3 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 231 Input Capture | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 11 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 11 Peripheral Device Discovery | Remote Desktop Protocol | 231 Input Capture | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Access Token Manipulation | 2 Obfuscated Files or Information | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 11 Process Injection | 1 DLL Side-Loading | NTDS | 26 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 11 Registry Run Keys / Startup Folder | 1 File Deletion | LSA Secrets | 3 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 12 Masquerading | Cached Domain Credentials | 2 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 11 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Rundll32 | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | ReversingLabs |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 3% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs |
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
⊘No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown |
⊘No contacted IP infos
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1467084 |
| Start date and time: | 2024-07-03 17:31:48 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 6m 14s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 15 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | StretchInstall.exe |
| Detection: | SUS |
| Classification: | sus24.spyw.evad.winEXE@8/29@0/0 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Report size exceeded maximum capacity and may have missing disassembly code.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: StretchInstall.exe
| Time | Type | Description |
|---|---|---|
| 17:32:50 | Autostart |
| Process: | C:\Windows\System32\msiexec.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 10894 |
| Entropy (8bit): | 5.688535433953687 |
| Encrypted: | false |
| SSDEEP: | 96:/Qo39yI9r99o9V9v9zT93983L0KqtW9WgbzHeQzmeU/tqTCsThqe9vU/tqTC6jxM:/3tyOxY7Fltgtze3xkOIzckOkzamLp+ |
| MD5: | 1626F09FF90BA3951D815412FA08FD41 |
| SHA1: | 38FD5096D78B35DA38FFBFF2C8EA35DC85E579C0 |
| SHA-256: | 7AF1E75A1618912AD5C7B2C2D7224F008CB8D1B43EB32036CC8189B7A798F89F |
| SHA-512: | 3BB9C0BF75A3B81A15987575DD55A5EC480B104F1F57A7C204BBFD3F6711360C6634CAFAE43B0FA9147A5C4CB352191C52BBFD43F3B9FC0F20F7FBCB1C7ACB06 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\System32\msiexec.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 2295296 |
| Entropy (8bit): | 6.461904278761 |
| Encrypted: | false |
| SSDEEP: | 49152:LasSoJRpdg+aorhnTglGh83+I+SzmOdoHAy8VrmYh0mTESwccJx1j8YNwqR:EoJRpdgArhnThhk+I+SzmOdoHAykB7Tq |
| MD5: | A76894A90372756D69A9F51704EF43F5 |
| SHA1: | FB6153D9AFBB9C4068631CDFA883D2BABB956C4F |
| SHA-256: | 51DBD9DDC4A4FE7FD1812F5474684C55FDD448568472C4226E908F9197FC6CD7 |
| SHA-512: | 21B935E747AA956861AACED82A568EE6F6A8C864EEA8EEAEB636FE45927BF4136CB876F9B90CBD5882B65A560C4DC52850046699C6737E75D56ED96D306E887A |
| Malicious: | true |
| Antivirus: |
|
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\System32\msiexec.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 2380800 |
| Entropy (8bit): | 6.472919522974936 |
| Encrypted: | false |
| SSDEEP: | 49152:vL1vJuzusEWjh5XFYi/46de9+HbRO/KSgvta3QPSANa0kXrtlTOJx1j8YN8G:1JuznEMFDrde9+HbRO/KSgvtGbA80kX0 |
| MD5: | 50FB5019BAF9E418ED82F08B515F7BCD |
| SHA1: | DF44CAF83D2A972470950A2E0BBD1588BDD72DC8 |
| SHA-256: | 3321E9D85BCEC22FF895D9A01A29DCAD5DDBF143A2AE525BA5B151ABD87C3719 |
| SHA-512: | 031AF32656F219472B2011895600A488D626C29D802544DB8A9B87511BE4A18554A6FCB919300002BC3B0854FF8414C0AD352A0A3325A4D910C2EA112B84F5CE |
| Malicious: | false |
| Antivirus: |
|
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\System32\msiexec.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 36864 |
| Entropy (8bit): | 5.791916877493206 |
| Encrypted: | false |
| SSDEEP: | 384:29/1HRo2/RdlheclCUo1wRn0vMdZoFbWhU8N/lvH+1nu6EDHkCNu1/NCcvy+rNar:2nRzCv1e0+iNWhDDfmnTEDjcvy0avjo |
| MD5: | 0735585D8C460E8C7F1797EBB06B837B |
| SHA1: | 409DA2D7504D9603DD8F3260BD95C77E19317BA1 |
| SHA-256: | C6E8A615111A880D7D100DB340A84C8C8DBE3E34D5C7AD5E58071CA15FD137A0 |
| SHA-512: | 95759D9BBCD07BC19665FDFB2348C2C39B65550D0BE394F631147D8E052B6FF0D75B4A983716CEE02C06BBFDD437B4CD03E1DAA84C865B416796BF699FC8DE59 |
| Malicious: | true |
| Antivirus: |
|
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\System32\msiexec.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1590272 |
| Entropy (8bit): | 5.180953186200703 |
| Encrypted: | false |
| SSDEEP: | 24576:a+tb1k07WWcKpDftXIrbsv1tB6RT1dfYddcca:Dtb1kwWulftXIHsvt6RT1dfYddcca |
| MD5: | 3D24CB6438DC5393F19BBFA17AAA4F22 |
| SHA1: | 7B44D9CEDA2A8DE770FECC8B185408E3D6F4A654 |
| SHA-256: | 56900FC785F2AFBF3166CBA269D7D7C4DCECCFFD6B161A4F7EC05CCDA9C3C421 |
| SHA-512: | 350EA91C0F16EC2DFD70F22C10A249BE351242A4FE3187C946BC046760CAC3D2DAC2266C2CE1D25FD6104205A9E2485AC4806F055FD73884EB4EBCFBE46C0558 |
| Malicious: | false |
| Antivirus: |
|
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\System32\msiexec.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 2550 |
| Entropy (8bit): | 4.0424826344288345 |
| Encrypted: | false |
| SSDEEP: | 48:2wMHOta08t7E/gbN1pv6u8StVHzKGVV2jw3:RMHOtJyg4DCSrz3VE+ |
| MD5: | 8656713F2A6B60114A263052F9495402 |
| SHA1: | 26A0899A07B23794DC205B6DFA52168D20EF3035 |
| SHA-256: | BCF09453E0E3CE2A39A4E901087191E48744ED9AC05EEA6803676BD9E5C202E6 |
| SHA-512: | 3543E9F5D1BEB8D9ED3735E05E36309E623AB73CD628CBF45E15D1005C928D96B53C72920DBE6AE6D2E772E193B8577EF6CB3EEF61B532E6D701558F9854F26A |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\StretchInstall.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 2834944 |
| Entropy (8bit): | 7.900119741375992 |
| Encrypted: | false |
| SSDEEP: | 49152:HcABtONA2wfOL0M5mpSGM8gSpdB5HqMMjw7NSSa1iqzAyQMdc:hOTwfOLIwX8g+dnqwZSSaogQ0c |
| MD5: | C0CCB7C257F4E3B0262A40D3D22E8BD3 |
| SHA1: | 6C89D90276E17B406FC4FBF85A5EF9D183A5EB5B |
| SHA-256: | D1B9E44DDCDF5569B8137D2919585D6FF6FA4147DA13F2EC49DB4E31BE8035FB |
| SHA-512: | D39E417B2AC944405D011CD8309552A9E43F78958BA7EF61AB16F00C05EA06E35708B72390F9D08DC02D9F2E149B7C389A744046E02547B9061165B619A23822 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\StretchInstall.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 428032 |
| Entropy (8bit): | 6.243157878229617 |
| Encrypted: | false |
| SSDEEP: | 6144:CqIpd/w8ylWKxavR+dJ1oMBClrbMAo+nhmuFfvY0SHZvuD3SojDuUlXkeO:C7IRWDvFa+nhmuF3Y0scSeDuUlX9 |
| MD5: | E98B8B16179129CC1B75C3D0A7B67CD4 |
| SHA1: | 582AEA512EAE1D66DE970138B09B1ADC436481C1 |
| SHA-256: | 71D63A47476D65CE1724808C7AADB62595465E031854E9AAA4A788F5492BF2B8 |
| SHA-512: | 10358EB6A53C9B47AB1E5B49E561B2BCF3A4DFC072A323B764D5FD7D46BC2D64375A6A1CB150A01516E697ED3E8CBAB6A0A32AC3F41599980A3BECFC1F0508D1 |
| Malicious: | false |
| Antivirus: |
|
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4242 |
| Entropy (8bit): | 3.6186884067376806 |
| Encrypted: | false |
| SSDEEP: | 48:kl82sPb1YR+OLjGl8AjfFeqo+ULTaA1kSrB8rDCQ+yl8Akcq+++f+++wMxeqU+cf:s8t4e8AMrBbBsCw8AbF3PHhlB |
| MD5: | 9863274684E75C035E043FC4B0F5F917 |
| SHA1: | E7884230594BB420EECF7DCB9337142F93792DBD |
| SHA-256: | 5988D18122F84E1A29FCD963D5136F3BA600E5E371B1071F7C2A3ED689F9025B |
| SHA-512: | 5B42091847603DBCAF11EB4F016E80568D2B42D53EE85B64D306B836F459A8149BE90AD5AD628B1229AE92C3F0FD90E422D06373C4A38D10DE3D75B363AF435B |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Installer\{1D2F2573-A76A-47DA-BB96-6860D17CC45B}\_24275761ADC5B212D44AB6.exe
Download File
| Process: | C:\Windows\System32\msiexec.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 2550 |
| Entropy (8bit): | 4.045124870638817 |
| Encrypted: | false |
| SSDEEP: | 48:GwM7Ota08t7E/gbN1pv6u8StVHzKGVV2jw3:hM7OtJyg4DCSrz3VE+ |
| MD5: | EF7DF15155B2C6E56F94FA17835AE00D |
| SHA1: | 11788F7E640A20EC7C22DDC1BADD9829D959097C |
| SHA-256: | 69E8709BE6D1693CCAA63A1A4A967CD6C189F97DED447AC20A4D364738D74861 |
| SHA-512: | 235651D393D3771AE22E880DCED3BDB7026323710447B7346A1388C87FF6D015B88585531F9C56B6B81D896087B00745AAD3E36F6FF83A5D86C1F387BA6A01A3 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StretchWare\Stretch.lnk
Download File
| Process: | C:\Windows\System32\msiexec.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 3087 |
| Entropy (8bit): | 2.934094798075439 |
| Encrypted: | false |
| SSDEEP: | 24:8A2h1lX4gOGExEUYzHo4KnNYzHbxcdE5kNYzHbx2dSsIdu1wdNYzHbx:8R1lq+DzzKuz2dEWuzUdSsIdu1wduz |
| MD5: | B9C1DE8D6B049089B898BAABDD9A1314 |
| SHA1: | 6934A9ADB551B3DE4CF61310640CDEA76259FBE0 |
| SHA-256: | 96A6D4FD065560373BDD228FB4D5960C0D106C468E4EFA5F806E18C80E4E036A |
| SHA-512: | A365EDD81B013951E0FAB9DA040F961A812DB901F2BAA055DFEC36633A79FA503C85C0EEDE2C2EC77021A084C03729C56F62B0993BDA4690550A0563767D5427 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\msiexec.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 2834944 |
| Entropy (8bit): | 7.900119741375992 |
| Encrypted: | false |
| SSDEEP: | 49152:HcABtONA2wfOL0M5mpSGM8gSpdB5HqMMjw7NSSa1iqzAyQMdc:hOTwfOLIwX8g+dnqwZSSaogQ0c |
| MD5: | C0CCB7C257F4E3B0262A40D3D22E8BD3 |
| SHA1: | 6C89D90276E17B406FC4FBF85A5EF9D183A5EB5B |
| SHA-256: | D1B9E44DDCDF5569B8137D2919585D6FF6FA4147DA13F2EC49DB4E31BE8035FB |
| SHA-512: | D39E417B2AC944405D011CD8309552A9E43F78958BA7EF61AB16F00C05EA06E35708B72390F9D08DC02D9F2E149B7C389A744046E02547B9061165B619A23822 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\msiexec.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 2834944 |
| Entropy (8bit): | 7.900119741375992 |
| Encrypted: | false |
| SSDEEP: | 49152:HcABtONA2wfOL0M5mpSGM8gSpdB5HqMMjw7NSSa1iqzAyQMdc:hOTwfOLIwX8g+dnqwZSSaogQ0c |
| MD5: | C0CCB7C257F4E3B0262A40D3D22E8BD3 |
| SHA1: | 6C89D90276E17B406FC4FBF85A5EF9D183A5EB5B |
| SHA-256: | D1B9E44DDCDF5569B8137D2919585D6FF6FA4147DA13F2EC49DB4E31BE8035FB |
| SHA-512: | D39E417B2AC944405D011CD8309552A9E43F78958BA7EF61AB16F00C05EA06E35708B72390F9D08DC02D9F2E149B7C389A744046E02547B9061165B619A23822 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\msiexec.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 7080 |
| Entropy (8bit): | 5.704924142091014 |
| Encrypted: | false |
| SSDEEP: | 96:6QoHLCMkPF/hUAyZuQTnqDquV9M7OtJyg4DCSrz3VEEO/LgHejqJZL+EdrEPvwqY:63rVyJhvoeDquV9/KDCAheeB1WvwL |
| MD5: | A5C3C7FDD6EB95C3F092061E4BC48ED9 |
| SHA1: | 03CD339FFCF445BD2657DF87512C67E563669D36 |
| SHA-256: | AEA1C93F83613D120F9F89019A44394D389068E5A36B12AE0679E733C314BA51 |
| SHA-512: | DF0283630802064AB2945AF4A2DACC0649C1039E2DA4BA5553C18A1DC3C38F58FE354EB49BDD3E5A528F5F763194B175CA71F25928AEFBD6975C5DF98F1F80A1 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\msiexec.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 20480 |
| Entropy (8bit): | 1.16423746488061 |
| Encrypted: | false |
| SSDEEP: | 12:JSbX72Fj0liAGiLIlHVRpih/7777777777777777777777777vDHFi0xl0i8Q:JFQI5yYF |
| MD5: | 71B84B26FCE5F331AE26405016D5FE7C |
| SHA1: | A33555D21B87766537D793820DEC22965AC11C5A |
| SHA-256: | 8FD18A94AD0FBD34AF119E5633C367930345896315B605B7BC23F4A40467BEDE |
| SHA-512: | 9501885EECF6CBBE0B9C6B4B71CE954B40D897036DFD3334D3445618687F71947A122D3F1412D6F2EC2848C93C15F89E23921746F590B49AA2F4AF912D6E00B7 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\msiexec.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 20480 |
| Entropy (8bit): | 1.6011932875234902 |
| Encrypted: | false |
| SSDEEP: | 48:78PhUuRc06WXJgnT5NNjcSkdEcU/Cy9Jc+rjSkdE5U/Cy9vT0bjz:ihU1jnTNcviCIOiCn |
| MD5: | 7EDD94909C86C7B8EA84F0B6CBC7DA63 |
| SHA1: | 2C25D60D3505338C822C186776DAB43C7F2408AC |
| SHA-256: | C6329CFF99B0B391C2FAAF9625A609EE18903F97EEA4024CA61F2ACA6FE8A60A |
| SHA-512: | E90A98FED1881A2A8FEC5284466C974E012CBEAA2956992094E79BF4601A1873AEF17B578E59047C7A3F249E388BF37A9F8E27AFEA07B42149CB65BF814B1ED4 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\msiexec.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 360001 |
| Entropy (8bit): | 5.3629895564192775 |
| Encrypted: | false |
| SSDEEP: | 1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauU:zTtbmkExhMJCIpEJ |
| MD5: | F02EBEEF3D283221E0FFC3CFF0402D4D |
| SHA1: | 1F18EE9CA732D97F46E3C9EC422A8626B33BC078 |
| SHA-256: | 04BCDD7D3DA47D2D58E0639EEE732F5F05A6CDB33CBBB7C5E1019D3C4CC17344 |
| SHA-512: | EA420BAAB69EB9B8DE35144E9BD9EEDB60C090C1648EE98109D3D4A59410B38DD9C82EE7DB753CA29A6D27094D17CE17F98B5D474E9D64687B5330B523812B18 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\msiexec.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 32768 |
| Entropy (8bit): | 1.2788844367346557 |
| Encrypted: | false |
| SSDEEP: | 48:9TcuNNveFXJHT5LNjcSkdEcU/Cy9Jc+rjSkdE5U/Cy9vT0bjz:FclvTDcviCIOiCn |
| MD5: | EC882B8404962AA1A3E1739DA987A3EE |
| SHA1: | 116AF12D753E542D082EDFE4D904DC1A37080360 |
| SHA-256: | EBA4DB0BB25FF2FD41D9377E24F9DAD67452654031A6A6651BDA692C4AD3E300 |
| SHA-512: | C0E7BF6F136DF40528F3BD1590C90E2AC3CBB5F102B2A05D9875A6B6C6425376EBD59C734B47C2972616CC305A5F5AEA1E5D8A0A84A4A4E603CB693EEB66627E |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\msiexec.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 32768 |
| Entropy (8bit): | 1.2788844367346557 |
| Encrypted: | false |
| SSDEEP: | 48:9TcuNNveFXJHT5LNjcSkdEcU/Cy9Jc+rjSkdE5U/Cy9vT0bjz:FclvTDcviCIOiCn |
| MD5: | EC882B8404962AA1A3E1739DA987A3EE |
| SHA1: | 116AF12D753E542D082EDFE4D904DC1A37080360 |
| SHA-256: | EBA4DB0BB25FF2FD41D9377E24F9DAD67452654031A6A6651BDA692C4AD3E300 |
| SHA-512: | C0E7BF6F136DF40528F3BD1590C90E2AC3CBB5F102B2A05D9875A6B6C6425376EBD59C734B47C2972616CC305A5F5AEA1E5D8A0A84A4A4E603CB693EEB66627E |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\msiexec.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 512 |
| Entropy (8bit): | 0.0 |
| Encrypted: | false |
| SSDEEP: | 3:: |
| MD5: | BF619EAC0CDF3F68D496EA9344137E8B |
| SHA1: | 5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5 |
| SHA-256: | 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560 |
| SHA-512: | DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\msiexec.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 512 |
| Entropy (8bit): | 0.0 |
| Encrypted: | false |
| SSDEEP: | 3:: |
| MD5: | BF619EAC0CDF3F68D496EA9344137E8B |
| SHA1: | 5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5 |
| SHA-256: | 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560 |
| SHA-512: | DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\msiexec.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 512 |
| Entropy (8bit): | 0.0 |
| Encrypted: | false |
| SSDEEP: | 3:: |
| MD5: | BF619EAC0CDF3F68D496EA9344137E8B |
| SHA1: | 5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5 |
| SHA-256: | 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560 |
| SHA-512: | DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\msiexec.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 512 |
| Entropy (8bit): | 0.0 |
| Encrypted: | false |
| SSDEEP: | 3:: |
| MD5: | BF619EAC0CDF3F68D496EA9344137E8B |
| SHA1: | 5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5 |
| SHA-256: | 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560 |
| SHA-512: | DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\msiexec.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 32768 |
| Entropy (8bit): | 0.07173838843652341 |
| Encrypted: | false |
| SSDEEP: | 6:2/9LG7iVCnLG7iVrKOzPLHKOiqsgpJAEaVky6lhX:2F0i8n0itFzDHFi0x |
| MD5: | 4DC70082B340346C6A9579C8718C9D4D |
| SHA1: | 97831FD6D8FBB341919F6DCEE84CF68B222468C9 |
| SHA-256: | F3E15CFEFD279CDAFF7868F8E0134C5B493757E6CAE9EB9A32C71E4341FEE97C |
| SHA-512: | 15042CC9611C71B9024F3925D03CA13ED940474F4318E5DFC5A523AD834D1DA861CD5A34FAFCD827474747061EE6D2E8AD637C5A823D03C30E312C21A86943DC |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\msiexec.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 20480 |
| Entropy (8bit): | 1.6011932875234902 |
| Encrypted: | false |
| SSDEEP: | 48:78PhUuRc06WXJgnT5NNjcSkdEcU/Cy9Jc+rjSkdE5U/Cy9vT0bjz:ihU1jnTNcviCIOiCn |
| MD5: | 7EDD94909C86C7B8EA84F0B6CBC7DA63 |
| SHA1: | 2C25D60D3505338C822C186776DAB43C7F2408AC |
| SHA-256: | C6329CFF99B0B391C2FAAF9625A609EE18903F97EEA4024CA61F2ACA6FE8A60A |
| SHA-512: | E90A98FED1881A2A8FEC5284466C974E012CBEAA2956992094E79BF4601A1873AEF17B578E59047C7A3F249E388BF37A9F8E27AFEA07B42149CB65BF814B1ED4 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\msiexec.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 20480 |
| Entropy (8bit): | 1.6011932875234902 |
| Encrypted: | false |
| SSDEEP: | 48:78PhUuRc06WXJgnT5NNjcSkdEcU/Cy9Jc+rjSkdE5U/Cy9vT0bjz:ihU1jnTNcviCIOiCn |
| MD5: | 7EDD94909C86C7B8EA84F0B6CBC7DA63 |
| SHA1: | 2C25D60D3505338C822C186776DAB43C7F2408AC |
| SHA-256: | C6329CFF99B0B391C2FAAF9625A609EE18903F97EEA4024CA61F2ACA6FE8A60A |
| SHA-512: | E90A98FED1881A2A8FEC5284466C974E012CBEAA2956992094E79BF4601A1873AEF17B578E59047C7A3F249E388BF37A9F8E27AFEA07B42149CB65BF814B1ED4 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\msiexec.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 512 |
| Entropy (8bit): | 0.0 |
| Encrypted: | false |
| SSDEEP: | 3:: |
| MD5: | BF619EAC0CDF3F68D496EA9344137E8B |
| SHA1: | 5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5 |
| SHA-256: | 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560 |
| SHA-512: | DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\msiexec.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 69632 |
| Entropy (8bit): | 0.1587929062369609 |
| Encrypted: | false |
| SSDEEP: | 48:Dzgb0T+SkdE5U/Cy9oSkdEcU/Cy9Jc+r3rN:DOOiCtviCO |
| MD5: | FCBC7DF33F54C706EE7498B74D91E8D1 |
| SHA1: | 89D622E0BB7BB822F36AC87DABEE9368190DBDDB |
| SHA-256: | C8F2275B6300241B6C4AE7AC186B3BD82C6787EC004CC07D1B142D27430CEA46 |
| SHA-512: | 80FBE39E26F230F1BE0A8968E56F5E98342A2F6D73B044AC1591D914D83B10FAD6DFAA9983690860970F233EC531969ABA58613998851E102E31B4DD56860020 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\msiexec.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 32768 |
| Entropy (8bit): | 1.2788844367346557 |
| Encrypted: | false |
| SSDEEP: | 48:9TcuNNveFXJHT5LNjcSkdEcU/Cy9Jc+rjSkdE5U/Cy9vT0bjz:FclvTDcviCIOiCn |
| MD5: | EC882B8404962AA1A3E1739DA987A3EE |
| SHA1: | 116AF12D753E542D082EDFE4D904DC1A37080360 |
| SHA-256: | EBA4DB0BB25FF2FD41D9377E24F9DAD67452654031A6A6651BDA692C4AD3E300 |
| SHA-512: | C0E7BF6F136DF40528F3BD1590C90E2AC3CBB5F102B2A05D9875A6B6C6425376EBD59C734B47C2972616CC305A5F5AEA1E5D8A0A84A4A4E603CB693EEB66627E |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.994389649334824 |
| TrID: |
|
| File name: | StretchInstall.exe |
| File size: | 2'887'680 bytes |
| MD5: | 3f82a2195043cd2877b674cb321e2cf7 |
| SHA1: | c2925fed17cba166db7164abdc0eb1f41de9717d |
| SHA256: | 8f77b3b68bdfa80e0688a09c5e08ed765b6783192f4792524b8a1eec7ed7b608 |
| SHA512: | d59a78e4906a8353797091a32c12bb572b24c22e480cdea52c862a97d631d8de17e2929542bafcb67844e1c1132827b816bde2b2f8c2f1434e462f4ecafbabc8 |
| SSDEEP: | 49152:uLPKwfOe06yZwRgztRMaX4pbl7HgMN6IlvE09aH0fmqbuoahuAzXp5X6Pdq6bLdE:MiwfOeerztKaXYbtsX09aHC145uqwL2L |
| TLSH: | 05D5330196E4847AE8D80F30A4ED2D672FB4BE605572E32B91CD2AE9F4504E4BF76317 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...Cu..C...C...C0..Cu..C...Cu..C...Cu..C...CRich...C................PE..L....Q.H.....................r+.....\d..... |
 | |
| Icon Hash: | 878fd7f3b9353593 |
| Entrypoint: | 0x100645c |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x1000000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
| DLL Characteristics: | NO_SEH, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x480251CD [Sun Apr 13 18:32:45 2008 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 1 |
| File Version Major: | 5 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 1 |
| Import Hash: | 0ebb3c09b06b1666d307952e824c8697 |
| Instruction |
|---|
| call 00007F7CA8B2791Fh |
| jmp 00007F7CA8B2788Fh |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| mov edi, edi |
| push ebp |
| mov ebp, esp |
| sub esp, 10h |
| mov eax, dword ptr [0100B2D0h] |
| test eax, eax |
| je 00007F7CA8B27919h |
| cmp eax, 0000BB40h |
| jne 00007F7CA8B2795Fh |
| push esi |
| lea eax, dword ptr [ebp-08h] |
| push eax |
| call dword ptr [01001170h] |
| mov esi, dword ptr [ebp-04h] |
| xor esi, dword ptr [ebp-08h] |
| call dword ptr [0100116Ch] |
| xor esi, eax |
| call dword ptr [01001168h] |
| xor esi, eax |
| call dword ptr [01001164h] |
| xor esi, eax |
| lea eax, dword ptr [ebp-10h] |
| push eax |
| call dword ptr [01001160h] |
| mov eax, dword ptr [ebp-0Ch] |
| xor eax, dword ptr [ebp-10h] |
| xor eax, esi |
| and eax, 0000FFFFh |
| pop esi |
| jne 00007F7CA8B27917h |
| mov eax, 0000BB40h |
| mov dword ptr [0100B2D0h], eax |
| not eax |
| mov dword ptr [0100B2CCh], eax |
| leave |
| ret |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| cmp ecx, dword ptr [0100B2D0h] |
| jne 00007F7CA8B2791Bh |
| test ecx, FFFF0000h |
| jne 00007F7CA8B27913h |
| ret |
| jmp 00007F7CA8B2791Ah |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| mov edi, edi |
| push ebp |
| mov ebp, esp |
| sub esp, 00000330h |
| push edi |
| mov dword ptr [ebp-00000228h], eax |
| mov dword ptr [ebp-0000022Ch], ecx |
| mov dword ptr [ebp-00000230h], edx |
| mov dword ptr [ebp-00000234h], ebx |
| mov dword ptr [ebp-00000238h], esi |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9d80 | 0x8c | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd000 | 0x2b6d4c | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1230 | 0x1c | .text |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x230 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x99c8 | 0x9a00 | fd7744c26c2bf4d279968be94b283b11 | False | 0.5805093344155844 | data | 6.577725502979647 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0xb000 | 0x1be4 | 0x400 | 99858e86526942a66950c7139f78a725 | False | 0.330078125 | data | 4.247999525438142 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xd000 | 0x2b7000 | 0x2b6e00 | bc114b0edae49996daae0b6dbad0bbc1 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| AVI | 0xd7a0 | 0x2e1a | RIFF (little-endian) data, AVI, 272 x 60, 10.00 fps, video: RLE 8bpp | English | United States | 0.2713099474665311 |
| RT_ICON | 0x105bc | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.3709677419354839 |
| RT_ICON | 0x108a4 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.6081081081081081 |
| RT_DIALOG | 0x109cc | 0x2cc | data | English | United States | 0.4553072625698324 |
| RT_DIALOG | 0x10c98 | 0x18a | data | English | United States | 0.6040609137055838 |
| RT_DIALOG | 0x10e24 | 0x140 | data | English | United States | 0.565625 |
| RT_DIALOG | 0x10f64 | 0x196 | data | English | United States | 0.5960591133004927 |
| RT_DIALOG | 0x110fc | 0x10e | data | English | United States | 0.6111111111111112 |
| RT_DIALOG | 0x1120c | 0xfa | data | English | United States | 0.652 |
| RT_STRING | 0x11308 | 0x8c | Matlab v4 mat-file (little endian) l, numeric, rows 0, columns 0 | English | United States | 0.6214285714285714 |
| RT_STRING | 0x11394 | 0x520 | data | English | United States | 0.4032012195121951 |
| RT_STRING | 0x118b4 | 0x5cc | data | English | United States | 0.36455525606469 |
| RT_STRING | 0x11e80 | 0x4b0 | data | English | United States | 0.385 |
| RT_STRING | 0x12330 | 0x44a | data | English | United States | 0.3970856102003643 |
| RT_STRING | 0x1277c | 0x3ce | data | English | United States | 0.36858316221765913 |
| RT_RCDATA | 0x12b4c | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143 |
| RT_RCDATA | 0x12b54 | 0x2b0d3c | Microsoft Cabinet archive data, many, 2821436 bytes, 2 files, at 0x2c +A "StretchWare.msi" +A "setup.exe", ID 2436, number 1, 100 datablocks, 0x1503 compression | English | United States | 0.9957904815673828 |
| RT_RCDATA | 0x2c3890 | 0x4 | data | English | United States | 3.0 |
| RT_RCDATA | 0x2c3894 | 0x24 | data | English | United States | 0.9444444444444444 |
| RT_RCDATA | 0x2c38b8 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143 |
| RT_RCDATA | 0x2c38c0 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143 |
| RT_RCDATA | 0x2c38c8 | 0x4 | data | English | United States | 3.0 |
| RT_RCDATA | 0x2c38cc | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143 |
| RT_RCDATA | 0x2c38d4 | 0x4 | data | English | United States | 3.0 |
| RT_RCDATA | 0x2c38d8 | 0xc | data | English | United States | 1.6666666666666667 |
| RT_RCDATA | 0x2c38e4 | 0x4 | data | English | United States | 3.0 |
| RT_RCDATA | 0x2c38e8 | 0xc | data | English | United States | 1.6666666666666667 |
| RT_RCDATA | 0x2c38f4 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143 |
| RT_RCDATA | 0x2c38fc | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143 |
| RT_GROUP_ICON | 0x2c3904 | 0x22 | data | English | United States | 1.0 |
| RT_VERSION | 0x2c3928 | 0x424 | data | English | United States | 0.42924528301886794 |
| DLL | Import |
|---|---|
| ADVAPI32.dll | FreeSid, AllocateAndInitializeSid, EqualSid, GetTokenInformation, OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueA, RegCloseKey, RegDeleteValueA, RegOpenKeyExA, RegSetValueExA, RegQueryValueExA, RegCreateKeyExA, RegQueryInfoKeyA |
| KERNEL32.dll | LocalFree, LocalAlloc, GetLastError, GetCurrentProcess, lstrlenA, GetModuleFileNameA, GetSystemDirectoryA, _lclose, _llseek, _lopen, WritePrivateProfileStringA, GetWindowsDirectoryA, CreateDirectoryA, GetFileAttributesA, ExpandEnvironmentStringsA, lstrcpyA, GlobalFree, GlobalUnlock, GlobalLock, GlobalAlloc, IsDBCSLeadByte, GetShortPathNameA, GetPrivateProfileStringA, GetPrivateProfileIntA, lstrcmpiA, RemoveDirectoryA, FindClose, FindNextFileA, DeleteFileA, SetFileAttributesA, lstrcmpA, FindFirstFileA, FreeResource, GetProcAddress, LoadResource, SizeofResource, FindResourceA, lstrcatA, CloseHandle, WriteFile, SetFilePointer, SetFileTime, LocalFileTimeToFileTime, DosDateTimeToFileTime, SetCurrentDirectoryA, GetTempFileNameA, ExitProcess, CreateFileA, LoadLibraryExA, lstrcpynA, GetVolumeInformationA, FormatMessageA, GetCurrentDirectoryA, GetVersionExA, GetExitCodeProcess, WaitForSingleObject, CreateProcessA, GetTempPathA, GetSystemInfo, CreateMutexA, SetEvent, CreateEventA, CreateThread, ResetEvent, TerminateThread, GetDriveTypeA, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, ReadFile, LoadLibraryA, GetDiskFreeSpaceA, MulDiv, EnumResourceLanguagesA, FreeLibrary, LockResource |
| GDI32.dll | GetDeviceCaps |
| USER32.dll | ExitWindowsEx, wsprintfA, CharNextA, CharUpperA, CharPrevA, SetWindowLongA, GetWindowLongA, CallWindowProcA, DispatchMessageA, MsgWaitForMultipleObjects, PeekMessageA, SendMessageA, SetWindowPos, ReleaseDC, GetDC, GetWindowRect, SendDlgItemMessageA, GetDlgItem, SetForegroundWindow, SetWindowTextA, MessageBoxA, DialogBoxIndirectParamA, ShowWindow, EnableWindow, GetDlgItemTextA, EndDialog, GetDesktopWindow, MessageBeep, SetDlgItemTextA, LoadStringA, GetSystemMetrics |
| COMCTL32.dll | |
| VERSION.dll | GetFileVersionInfoA, VerQueryValueA, GetFileVersionInfoSizeA |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 11:32:35 |
| Start date: | 03/07/2024 |
| Path: | C:\Users\user\Desktop\StretchInstall.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x1000000 |
| File size: | 2'887'680 bytes |
| MD5 hash: | 3F82A2195043CD2877B674CB321E2CF7 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | false |
| Target ID: | 2 |
| Start time: | 11:32:36 |
| Start date: | 03/07/2024 |
| Path: | C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xd20000 |
| File size: | 428'032 bytes |
| MD5 hash: | E98B8B16179129CC1B75C3D0A7B67CD4 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Antivirus matches: |
|
| Reputation: | low |
| Has exited: | false |
| Target ID: | 3 |
| Start time: | 11:32:36 |
| Start date: | 03/07/2024 |
| Path: | C:\Windows\SysWOW64\msiexec.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x7b0000 |
| File size: | 59'904 bytes |
| MD5 hash: | 9D09DC1EDA745A5F87553048E57620CF |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | false |
| Target ID: | 4 |
| Start time: | 11:32:36 |
| Start date: | 03/07/2024 |
| Path: | C:\Windows\System32\msiexec.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff781aa0000 |
| File size: | 69'632 bytes |
| MD5 hash: | E5DA170027542E25EDE42FC54C929077 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | false |
| Target ID: | 5 |
| Start time: | 11:32:45 |
| Start date: | 03/07/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6c2e20000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 11 |
| Start time: | 11:32:59 |
| Start date: | 03/07/2024 |
| Path: | C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xf60000 |
| File size: | 2'295'296 bytes |
| MD5 hash: | A76894A90372756D69A9F51704EF43F5 |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Antivirus matches: |
|
| Reputation: | low |
| Has exited: | false |
Execution Graph
| Execution Coverage: | 24.8% |
| Dynamic/Decrypted Code Coverage: | 59.8% |
| Signature Coverage: | 19.5% |
| Total number of Nodes: | 1070 |
| Total number of Limit Nodes: | 51 |
Graph
Function 010026E2 Relevance: 51.0, APIs: 17, Strings: 12, Instructions: 268stringmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 010052D4 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 96stringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01006205 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 115libraryfileloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01006A45 Relevance: 3.0, APIs: 2, Instructions: 34COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01001AA7 Relevance: 47.4, APIs: 19, Strings: 8, Instructions: 178registrystringlibraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01005ABC Relevance: 40.5, APIs: 11, Strings: 12, Instructions: 274stringlibraryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01005F21 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 239stringmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0100589B Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127threadwindowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 010053FA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 180synchronizationCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0100342E Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 71filestringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 010044BD Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 64stringmemoryfileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01005190 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 107windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01004CAE Relevance: 10.6, APIs: 7, Instructions: 96processsynchronizationwindowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 010043EC Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 79memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0100645C Relevance: 7.6, APIs: 5, Instructions: 52COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 010041D8 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 60stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 010031EE Relevance: 4.5, APIs: 3, Instructions: 38timeCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0100412E Relevance: 3.1, APIs: 2, Instructions: 64fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01003072 Relevance: 3.0, APIs: 2, Instructions: 47fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 010066CF Relevance: 3.0, APIs: 2, Instructions: 37stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01004FAF Relevance: 1.5, APIs: 1, Instructions: 41COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 010047B3 Relevance: 1.5, APIs: 1, Instructions: 32COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01003108 Relevance: 1.5, APIs: 1, Instructions: 30COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0100672A Relevance: 1.5, APIs: 1, Instructions: 14COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0100637A Relevance: 1.3, APIs: 1, Instructions: 32COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01003275 Relevance: 1.3, APIs: 1, Instructions: 8memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0100328C Relevance: 1.3, APIs: 1, Instructions: 7COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01001760 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 112memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01002A96 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 97filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0100488C Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 213windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 010064DE Relevance: 6.1, APIs: 4, Instructions: 61COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01009175 Relevance: .3, Instructions: 299COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01008DBD Relevance: .3, Instructions: 299COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0100871A Relevance: .3, Instructions: 258COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01008A3E Relevance: .3, Instructions: 257COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 010095E5 Relevance: .2, Instructions: 230COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01009A1F Relevance: .2, Instructions: 203COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0100359C Relevance: 33.6, APIs: 14, Strings: 5, Instructions: 361stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01003EBE Relevance: 31.6, APIs: 16, Strings: 2, Instructions: 150stringmemorywindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01005670 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 185windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01004E73 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 110libraryloaderstringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 010022AC Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 105registrystringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01001CF4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 82registrystringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01003AC7 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 83stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01002410 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 124memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01003D57 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 65windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 010016B4 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 63librarymemoryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01003346 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 65filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01002EFD Relevance: 12.0, APIs: 8, Instructions: 43stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01002D83 Relevance: 10.6, APIs: 7, Instructions: 85COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01004BC8 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 74memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 010068B3 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01004DE5 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 60memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01003BF2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01003CCC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37librarystringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01001A5B Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22registryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0100189D Relevance: 7.5, APIs: 5, Instructions: 48windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01006666 Relevance: 7.5, APIs: 5, Instructions: 46stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01002C91 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 8.3% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 1.2% |
| Total number of Nodes: | 1964 |
| Total number of Limit Nodes: | 10 |
Graph
Function 00D4509A Relevance: 91.7, APIs: 33, Strings: 18, Instructions: 2447windowmemoryshutdownCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D2B0F4 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 94synchronizationCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D2AEA6 Relevance: 35.3, APIs: 9, Strings: 11, Instructions: 289libraryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4B78E Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 240registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D429C4 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 159memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4BDA0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 76fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4D303 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 47libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4B43D Relevance: 9.1, APIs: 6, Instructions: 81COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D492CA Relevance: 9.0, APIs: 6, Instructions: 47COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D42C06 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 97registryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4CDA4 Relevance: 7.6, APIs: 5, Instructions: 67libraryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4BAC9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 108memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4A6F0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4EE13 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D47EE0 Relevance: 6.0, APIs: 4, Instructions: 43windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D2ABA6 Relevance: 4.6, APIs: 3, Instructions: 66memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D47E82 Relevance: 4.5, APIs: 3, Instructions: 33COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4C9DB Relevance: 3.1, APIs: 2, Instructions: 144COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4C3C8 Relevance: 3.0, APIs: 2, Instructions: 37libraryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4369F Relevance: 3.0, APIs: 2, Instructions: 34fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D3FE53 Relevance: 1.6, APIs: 1, Instructions: 76COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D37487 Relevance: 1.6, APIs: 1, Instructions: 74COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D392E6 Relevance: 1.6, APIs: 1, Instructions: 68COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D2B2B9 Relevance: 1.6, APIs: 1, Instructions: 57COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4C024 Relevance: 1.5, APIs: 1, Instructions: 48COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D2A9C9 Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D2AD06 Relevance: 1.5, APIs: 1, Instructions: 35COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D3D0AC Relevance: 1.5, APIs: 1, Instructions: 32COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4A0E5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4A119 Relevance: 1.5, APIs: 1, Instructions: 24COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4865D Relevance: 1.5, APIs: 1, Instructions: 15COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D47E5F Relevance: 1.5, APIs: 1, Instructions: 12COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D43221 Relevance: 56.3, APIs: 21, Strings: 11, Instructions: 262sleepprocessCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D2DE9F Relevance: 28.3, APIs: 5, Strings: 11, Instructions: 303fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D5BE6C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4D524 Relevance: 47.5, APIs: 12, Strings: 15, Instructions: 275libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D2C398 Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 162libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D2F595 Relevance: 26.7, APIs: 7, Strings: 8, Instructions: 448synchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D2E9A2 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 189libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D487B5 Relevance: 21.1, APIs: 14, Instructions: 117COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D48D9E Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 141filewindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4A911 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 148memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4D20F Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 93libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D43A7B Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 341windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D3A702 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 53libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4D462 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 52libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D3AC0E Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 153registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4B31B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 98memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D39BDD Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 17libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4868C Relevance: 9.0, APIs: 6, Instructions: 43windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D47AD3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 73windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4E08E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 14libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4896E Relevance: 7.6, APIs: 5, Instructions: 85COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D49D45 Relevance: 7.6, APIs: 5, Instructions: 61COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D42E93 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 276sleepwindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D41DEF Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 160windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4C569 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4D036 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51networkCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4CF99 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51networkCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4A76C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D2C687 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45libraryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4D4E6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4C1FD Relevance: 6.2, APIs: 4, Instructions: 155fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4BE87 Relevance: 6.1, APIs: 4, Instructions: 88COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D34E9C Relevance: 6.1, APIs: 4, Instructions: 86COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D47CE1 Relevance: 6.1, APIs: 4, Instructions: 84COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D49840 Relevance: 6.1, APIs: 4, Instructions: 74windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D482EA Relevance: 6.1, APIs: 4, Instructions: 60COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D49DDA Relevance: 6.1, APIs: 4, Instructions: 54windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D48700 Relevance: 6.0, APIs: 4, Instructions: 50windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4960F Relevance: 6.0, APIs: 4, Instructions: 40windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D48384 Relevance: 6.0, APIs: 4, Instructions: 38COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D47F9C Relevance: 6.0, APIs: 4, Instructions: 38COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D481B3 Relevance: 6.0, APIs: 4, Instructions: 37windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4806C Relevance: 6.0, APIs: 4, Instructions: 32COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D35859 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D338E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4A189 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D53E39 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D2C719 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D2C095 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D42579 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 2.4% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 1.7% |
| Total number of Nodes: | 1486 |
| Total number of Limit Nodes: | 56 |
Graph
Function 00F865FF Relevance: 103.8, APIs: 48, Strings: 11, Instructions: 557libraryloaderstringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 73F712A0 Relevance: 4.5, APIs: 3, Instructions: 23COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FF2627 Relevance: 42.4, APIs: 22, Strings: 2, Instructions: 421windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F64F60 Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 343windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F61240 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 109registryclipboardtimeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F62FC0 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 91registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F848C7 Relevance: 16.6, APIs: 11, Instructions: 106memoryCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F634E0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F84E81 Relevance: 12.0, APIs: 8, Instructions: 39COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F80643 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 78registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F67040 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69synchronizationCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F61BF0 Relevance: 4.6, APIs: 3, Instructions: 83COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F7BC99 Relevance: 4.5, APIs: 3, Instructions: 37windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F65AD0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F706AB Relevance: 3.1, APIs: 2, Instructions: 88windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F707F1 Relevance: 3.1, APIs: 2, Instructions: 70windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F7B92D Relevance: 3.1, APIs: 2, Instructions: 65windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F65460 Relevance: 3.1, APIs: 2, Instructions: 54windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F61400 Relevance: 3.0, APIs: 2, Instructions: 50windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F8AF3B Relevance: 3.0, APIs: 2, Instructions: 36COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F74156 Relevance: 3.0, APIs: 2, Instructions: 35COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F7787F Relevance: 3.0, APIs: 2, Instructions: 32threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F731F6 Relevance: 3.0, APIs: 2, Instructions: 28COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F74312 Relevance: 3.0, APIs: 2, Instructions: 24libraryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F7BE4A Relevance: 3.0, APIs: 2, Instructions: 15threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F77A36 Relevance: 1.8, APIs: 1, Instructions: 285COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F64A40 Relevance: 1.6, APIs: 1, Instructions: 110COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F7612E Relevance: 1.6, APIs: 1, Instructions: 77COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F76233 Relevance: 1.5, APIs: 1, Instructions: 31COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F6E77F Relevance: 1.5, APIs: 1, Instructions: 30windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F65690 Relevance: 1.5, APIs: 1, Instructions: 29windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F7B358 Relevance: 1.5, APIs: 1, Instructions: 27COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F62310 Relevance: 1.5, APIs: 1, Instructions: 26COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F8548C Relevance: 1.5, APIs: 1, Instructions: 17COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F79743 Relevance: 1.5, APIs: 1, Instructions: 14COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F63330 Relevance: 1.5, APIs: 1, Instructions: 12windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC0035 Relevance: 27.4, APIs: 18, Instructions: 386windowkeyboardCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FCE541 Relevance: 16.7, APIs: 11, Instructions: 220windowkeyboardCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F7A00F Relevance: 13.6, APIs: 9, Instructions: 79windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FD6205 Relevance: 4.5, APIs: 3, Instructions: 43windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FD0420 Relevance: 3.1, APIs: 2, Instructions: 57windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FF211A Relevance: 52.8, APIs: 28, Strings: 2, Instructions: 323fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FEA519 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 283windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FEE6A5 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 237windowCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FCA58A Relevance: 24.8, APIs: 12, Strings: 2, Instructions: 335windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FD2372 Relevance: 22.8, APIs: 15, Instructions: 259COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC669F Relevance: 21.4, APIs: 14, Instructions: 355COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F6A090 Relevance: 21.1, APIs: 3, Strings: 9, Instructions: 111windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F902A2 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 111windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F6A240 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 196windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FBC485 Relevance: 16.9, APIs: 11, Instructions: 392COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FCC058 Relevance: 16.7, APIs: 11, Instructions: 192timeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FF042C Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 240windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE2128 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 113stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC21B0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 244windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0100229A Relevance: 13.7, APIs: 9, Instructions: 207COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FBA08D Relevance: 13.7, APIs: 9, Instructions: 189COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F8030D Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 115threadwindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB8526 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 100windowmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F6C310 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 66windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE0274 Relevance: 10.7, APIs: 7, Instructions: 246COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0100C020 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 226windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F6A6B0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 166windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 010064C5 Relevance: 10.6, APIs: 7, Instructions: 78COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F8440D Relevance: 10.6, APIs: 7, Instructions: 73COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F746D3 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 53libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FAE0C7 Relevance: 9.2, APIs: 6, Instructions: 221COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FDE37A Relevance: 9.2, APIs: 6, Instructions: 208windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB6594 Relevance: 9.2, APIs: 6, Instructions: 202windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F98088 Relevance: 9.2, APIs: 6, Instructions: 173COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC648E Relevance: 9.1, APIs: 6, Instructions: 144windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FBA53A Relevance: 9.1, APIs: 6, Instructions: 137windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F6A480 Relevance: 9.1, APIs: 6, Instructions: 73windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F8025B Relevance: 9.1, APIs: 6, Instructions: 69COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F84375 Relevance: 9.1, APIs: 6, Instructions: 56COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F844CF Relevance: 9.1, APIs: 6, Instructions: 52windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FCC415 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 294keyboardCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FBA370 Relevance: 9.0, APIs: 6, Instructions: 43COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F906FF Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FFC2FC Relevance: 7.9, APIs: 5, Instructions: 362COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F983AA Relevance: 7.8, APIs: 5, Instructions: 338COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE8232 Relevance: 7.7, APIs: 5, Instructions: 207COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC0696 Relevance: 7.7, APIs: 5, Instructions: 169COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FFC12E Relevance: 7.7, APIs: 5, Instructions: 168COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F661B0 Relevance: 7.7, APIs: 5, Instructions: 166windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F8A3AB Relevance: 7.6, APIs: 5, Instructions: 127stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB06AA Relevance: 7.6, APIs: 5, Instructions: 113windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE85A3 Relevance: 7.6, APIs: 5, Instructions: 105COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FA00EE Relevance: 7.6, APIs: 5, Instructions: 97COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FAC34A Relevance: 7.6, APIs: 5, Instructions: 96windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC426C Relevance: 7.6, APIs: 5, Instructions: 94windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F86488 Relevance: 7.6, APIs: 5, Instructions: 92windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F765C2 Relevance: 7.6, APIs: 5, Instructions: 80windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FA23BC Relevance: 7.6, APIs: 5, Instructions: 66COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F8417A Relevance: 7.6, APIs: 5, Instructions: 54stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F6E470 Relevance: 7.5, APIs: 5, Instructions: 48windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FD82A9 Relevance: 7.5, APIs: 5, Instructions: 45windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F66470 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F805C1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F80568 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FD43C0 Relevance: 6.5, APIs: 4, Instructions: 476COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 010625D9 Relevance: 6.2, APIs: 4, Instructions: 173COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC8131 Relevance: 6.2, APIs: 4, Instructions: 162windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0103E26F Relevance: 6.2, APIs: 4, Instructions: 155windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FA636E Relevance: 6.1, APIs: 4, Instructions: 148COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FD05D4 Relevance: 6.1, APIs: 4, Instructions: 129COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F6C6F0 Relevance: 6.1, APIs: 4, Instructions: 123windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC8487 Relevance: 6.1, APIs: 4, Instructions: 120COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F7022D Relevance: 6.1, APIs: 4, Instructions: 106COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE256D Relevance: 6.1, APIs: 4, Instructions: 101COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB23F1 Relevance: 6.1, APIs: 4, Instructions: 66windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F820F9 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F7C53A Relevance: 6.1, APIs: 4, Instructions: 59COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE61A2 Relevance: 6.1, APIs: 4, Instructions: 57COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FA811C Relevance: 6.0, APIs: 4, Instructions: 50COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F76447 Relevance: 6.0, APIs: 4, Instructions: 50COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F8051E Relevance: 6.0, APIs: 4, Instructions: 19COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB8133 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FF40EE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34registryclipboardCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|