Windows
Analysis Report
Payment Challan.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
Payment Challan.exe (PID: 3476 cmdline:
"C:\Users\ user\Deskt op\Payment Challan.e xe" MD5: 00801754BD615E4DD9E636A29823204A) cmd.exe (PID: 5292 cmdline:
cmd.exe /c C:\Users\ user\AppDa ta\Local\T emp\NewBit mapImage.b mp MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) conhost.exe (PID: 6136 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) bkkmpxfk.exe (PID: 1824 cmdline:
"C:\Users\ user\AppDa ta\Roaming \Microsoft \Windows\S tart Menu\ Programs\S tartup\bkk mpxfk.exe" MD5: 00801754BD615E4DD9E636A29823204A)
bkkmpxfk.exe (PID: 7400 cmdline:
"C:\Users\ user\AppDa ta\Roaming \Microsoft \Windows\S tart Menu\ Programs\S tartup\bkk mpxfk.exe" MD5: 00801754BD615E4DD9E636A29823204A)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Kutaki | Cofense characterizes Kutaki as a data stealer that uses old-school techniques to detect sandboxes and debugging. Kutaki however works quite well against unhardened virtual machines and other analysis devices. By backdooring a legitimate application, it can fool unsophisticated detection methodologies. | No Attribution |
{"C2 url": ["http://newlinkwotolove.club/love/three.php"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Kutaki | Yara detected Kutaki Keylogger | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Kutaki | Yara detected Kutaki Keylogger | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Kutaki | Yara detected Kutaki Keylogger | Joe Security | ||
JoeSecurity_Kutaki | Yara detected Kutaki Keylogger | Joe Security | ||
JoeSecurity_Kutaki | Yara detected Kutaki Keylogger | Joe Security | ||
JoeSecurity_Kutaki | Yara detected Kutaki Keylogger | Joe Security | ||
JoeSecurity_Kutaki | Yara detected Kutaki Keylogger | Joe Security | ||
Click to see the 4 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Kutaki | Yara detected Kutaki Keylogger | Joe Security | ||
JoeSecurity_Kutaki | Yara detected Kutaki Keylogger | Joe Security | ||
JoeSecurity_Kutaki | Yara detected Kutaki Keylogger | Joe Security | ||
JoeSecurity_Kutaki | Yara detected Kutaki Keylogger | Joe Security | ||
JoeSecurity_Kutaki | Yara detected Kutaki Keylogger | Joe Security | ||
Click to see the 1 entries |
System Summary |
---|
Source: | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): |
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | Avira URL Cloud: |
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | Virustotal: | Perma Link |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Static PE information: |
Networking |
---|
Source: | URLs: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Key, Mouse, Clipboard, Microphone and Screen Capturing |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
System Summary |
---|
Source: | Static PE information: |
Source: | Code function: | 0_2_00405494 | |
Source: | Code function: | 0_2_004E61ED |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | Static PE information: |
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | ReversingLabs: | ||
Source: | Virustotal: |
Source: | File read: | Jump to behavior |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Window detected: |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Code function: | 0_2_00402635 |
Source: | File created: | Jump to dropped file |
Boot Survival |
---|
Source: | File created: | Jump to dropped file |
Source: | File created: | Jump to behavior |
Source: | File created: | Jump to behavior |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior |
Source: | API coverage: |
Source: | Last function: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 12 Registry Run Keys / Startup Folder | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 111 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 12 Registry Run Keys / Startup Folder | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Process Injection | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 12 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
53% | ReversingLabs | Win32.Trojan.Kutaki | ||
41% | Virustotal | Browse | ||
100% | Avira | TR/Dropper.Gen |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira | TR/Dropper.Gen | ||
53% | ReversingLabs | Win32.Trojan.Kutaki | ||
41% | Virustotal | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
100% | Avira URL Cloud | malware | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
16% | Virustotal | Browse | ||
0% | Avira URL Cloud | safe |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true |
| unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1468050 |
Start date and time: | 2024-07-05 09:23:27 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 54s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 14 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | Payment Challan.exe |
Detection: | MAL |
Classification: | mal100.troj.adwa.spyw.winEXE@8/14@0/0 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, Microsoft.Photos.exe, SIHClient.exe, svchost.exe
- Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target bkkmpxfk.exe, PID 1824 because it is empty
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing disassembly code.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtSetInformationFile calls found.
- Report size getting too big, too many NtSetValueKey calls found.
Time | Type | Description |
---|---|---|
03:24:19 | API Interceptor | |
03:24:21 | API Interceptor | |
09:24:24 | Autostart |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\NewErrorPageTemplate[1]
Download File
Process: | C:\Users\user\Desktop\Payment Challan.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1612 |
Entropy (8bit): | 4.869554560514657 |
Encrypted: | false |
SSDEEP: | 24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk |
MD5: | DFEABDE84792228093A5A270352395B6 |
SHA1: | E41258C9576721025926326F76063C2305586F76 |
SHA-256: | 77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075 |
SHA-512: | E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\errorPageStrings[1]
Download File
Process: | C:\Users\user\Desktop\Payment Challan.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4722 |
Entropy (8bit): | 5.16192639844512 |
Encrypted: | false |
SSDEEP: | 96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g5O8b7A9I5:JsUOG1yNlX6ZzWpHOo/iP16CbM1k |
MD5: | 387B4FC78ABB97F378C5299D4D2CE305 |
SHA1: | 6F2995FC620AB520C9EE1CA7244DF57367F983A2 |
SHA-256: | 030209A13E2C84118139ABF0C4F08DBD203B4C802C7B73B74851860D79DF9CB7 |
SHA-512: | 592D5E3FB7C78420F648281D87B0B303773749B8E0D3621A493ACAE257E2C1E77B782F3D6DAA0C2B3D37CBB4865B382617AF744E34F66C0F3E522DBCA7D71AAE |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\httpErrorPagesScripts[1]
Download File
Process: | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12105 |
Entropy (8bit): | 5.451485481468043 |
Encrypted: | false |
SSDEEP: | 192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f |
MD5: | 9234071287E637F85D721463C488704C |
SHA1: | CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152 |
SHA-256: | 65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649 |
SHA-512: | 87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\NewErrorPageTemplate[1]
Download File
Process: | C:\Users\user\Desktop\Payment Challan.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1612 |
Entropy (8bit): | 4.869554560514657 |
Encrypted: | false |
SSDEEP: | 24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk |
MD5: | DFEABDE84792228093A5A270352395B6 |
SHA1: | E41258C9576721025926326F76063C2305586F76 |
SHA-256: | 77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075 |
SHA-512: | E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\Payment Challan.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1681 |
Entropy (8bit): | 4.567538112791388 |
Encrypted: | false |
SSDEEP: | 24:rC7cWhfs5mVM4mVMyIjmgAV28EFP8hRqh/k+CkE03vjqX:u7o5V4VtihV2lFUWlEqvj6 |
MD5: | C74D57042D3614B92F2E0AF783ACD5DE |
SHA1: | 415F8A0F5DBD61D622724034C182C0B15E80CD20 |
SHA-256: | 05182A8C3A558E671705B8A8421712A9715A1D597606E3710A6D6CFEB00FB462 |
SHA-512: | F33BC2CDA990B07FE8EA37A1F68DDDBF5FA9A67CA028019EA4D848B70CC6410D1468E0CE8F8132665124F6E4B8438AFFC41FB562D9E4A1401498E46CD0D1A0EC |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\errorPageStrings[1]
Download File
Process: | C:\Users\user\Desktop\Payment Challan.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4722 |
Entropy (8bit): | 5.16192639844512 |
Encrypted: | false |
SSDEEP: | 96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g5O8b7A9I5:JsUOG1yNlX6ZzWpHOo/iP16CbM1k |
MD5: | 387B4FC78ABB97F378C5299D4D2CE305 |
SHA1: | 6F2995FC620AB520C9EE1CA7244DF57367F983A2 |
SHA-256: | 030209A13E2C84118139ABF0C4F08DBD203B4C802C7B73B74851860D79DF9CB7 |
SHA-512: | 592D5E3FB7C78420F648281D87B0B303773749B8E0D3621A493ACAE257E2C1E77B782F3D6DAA0C2B3D37CBB4865B382617AF744E34F66C0F3E522DBCA7D71AAE |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\httpErrorPagesScripts[1]
Download File
Process: | C:\Users\user\Desktop\Payment Challan.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12105 |
Entropy (8bit): | 5.451485481468043 |
Encrypted: | false |
SSDEEP: | 192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f |
MD5: | 9234071287E637F85D721463C488704C |
SHA1: | CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152 |
SHA-256: | 65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649 |
SHA-512: | 87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Payment Challan.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1681 |
Entropy (8bit): | 4.567538112791388 |
Encrypted: | false |
SSDEEP: | 24:rC7cWhfs5mVM4mVMyIjmgAV28EFP8hRqh/k+CkE03vjqX:u7o5V4VtihV2lFUWlEqvj6 |
MD5: | C74D57042D3614B92F2E0AF783ACD5DE |
SHA1: | 415F8A0F5DBD61D622724034C182C0B15E80CD20 |
SHA-256: | 05182A8C3A558E671705B8A8421712A9715A1D597606E3710A6D6CFEB00FB462 |
SHA-512: | F33BC2CDA990B07FE8EA37A1F68DDDBF5FA9A67CA028019EA4D848B70CC6410D1468E0CE8F8132665124F6E4B8438AFFC41FB562D9E4A1401498E46CD0D1A0EC |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\NewErrorPageTemplate[1]
Download File
Process: | C:\Users\user\Desktop\Payment Challan.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1612 |
Entropy (8bit): | 4.869554560514657 |
Encrypted: | false |
SSDEEP: | 24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk |
MD5: | DFEABDE84792228093A5A270352395B6 |
SHA1: | E41258C9576721025926326F76063C2305586F76 |
SHA-256: | 77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075 |
SHA-512: | E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1681 |
Entropy (8bit): | 4.567538112791388 |
Encrypted: | false |
SSDEEP: | 24:rC7cWhfs5mVM4mVMyIjmgAV28EFP8hRqh/k+CkE03vjqX:u7o5V4VtihV2lFUWlEqvj6 |
MD5: | C74D57042D3614B92F2E0AF783ACD5DE |
SHA1: | 415F8A0F5DBD61D622724034C182C0B15E80CD20 |
SHA-256: | 05182A8C3A558E671705B8A8421712A9715A1D597606E3710A6D6CFEB00FB462 |
SHA-512: | F33BC2CDA990B07FE8EA37A1F68DDDBF5FA9A67CA028019EA4D848B70CC6410D1468E0CE8F8132665124F6E4B8438AFFC41FB562D9E4A1401498E46CD0D1A0EC |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\errorPageStrings[1]
Download File
Process: | C:\Users\user\Desktop\Payment Challan.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4722 |
Entropy (8bit): | 5.16192639844512 |
Encrypted: | false |
SSDEEP: | 96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g5O8b7A9I5:JsUOG1yNlX6ZzWpHOo/iP16CbM1k |
MD5: | 387B4FC78ABB97F378C5299D4D2CE305 |
SHA1: | 6F2995FC620AB520C9EE1CA7244DF57367F983A2 |
SHA-256: | 030209A13E2C84118139ABF0C4F08DBD203B4C802C7B73B74851860D79DF9CB7 |
SHA-512: | 592D5E3FB7C78420F648281D87B0B303773749B8E0D3621A493ACAE257E2C1E77B782F3D6DAA0C2B3D37CBB4865B382617AF744E34F66C0F3E522DBCA7D71AAE |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\httpErrorPagesScripts[1]
Download File
Process: | C:\Users\user\Desktop\Payment Challan.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12105 |
Entropy (8bit): | 5.451485481468043 |
Encrypted: | false |
SSDEEP: | 192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f |
MD5: | 9234071287E637F85D721463C488704C |
SHA1: | CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152 |
SHA-256: | 65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649 |
SHA-512: | 87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe ![AV hit](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABgAAAAXCAYAAAARIY8tAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAyFpVFh0WE1MOmNvbS5hZG9iZS54bXAAAAAAADw/eHBhY2tldCBiZWdpbj0i77u/IiBpZD0iVzVNME1wQ2VoaUh6cmVTek5UY3prYzlkIj8+IDx4OnhtcG1ldGEgeG1sbnM6eD0iYWRvYmU6bnM6bWV0YS8iIHg6eG1wdGs9IkFkb2JlIFhNUCBDb3JlIDUuNi1jMTQyIDc5LjE2MDkyNCwgMjAxNy8wNy8xMy0wMTowNjozOSAgICAgICAgIj4gPHJkZjpSREYgeG1sbnM6cmRmPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5LzAyLzIyLXJkZi1zeW50YXgtbnMjIj4gPHJkZjpEZXNjcmlwdGlvbiByZGY6YWJvdXQ9IiIgeG1sbnM6eG1wTU09Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC9tbS8iIHhtbG5zOnN0UmVmPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvc1R5cGUvUmVzb3VyY2VSZWYjIiB4bWxuczp4bXA9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC8iIHhtcE1NOkRvY3VtZW50SUQ9InhtcC5kaWQ6N0I2MkE5MENFMDExMTFFN0IwMUVBNjlCREU2MTc3OTIiIHhtcE1NOkluc3RhbmNlSUQ9InhtcC5paWQ6N0I2MkE5MEJFMDExMTFFN0IwMUVBNjlCREU2MTc3OTIiIHhtcDpDcmVhdG9yVG9vbD0iQWRvYmUgUGhvdG9zaG9wIENDIChXaW5kb3dzKSI+IDx4bXBNTTpEZXJpdmVkRnJvbSBzdFJlZjppbnN0YW5jZUlEPSJ4bXAuaWlkOjUxREYxNzEwRTAxMTExRTc4NzA2RDNFQTNEMTNCRTY1IiBzdFJlZjpkb2N1bWVudElEPSJ4bXAuZGlkOjUxREYxNzExRTAxMTExRTc4NzA2RDNFQTNEMTNCRTY1Ii8+IDwvcmRmOkRlc2NyaXB0aW9uPiA8L3JkZjpSREY+IDwveDp4bXBtZXRhPiA8P3hwYWNrZXQgZW5kPSJyIj8+WYtJ4AAAArxJREFUeNqsVU2IUlEUPu89fxJnBkW30y4KElpFtRnTpSmBIuQmysiVEaSBJkHLCMbQTaQVhD+VWqDgOAhtQiKZaDG1aAaMFi4CUzDJ1Abt3JdPnvp8KnXgcO99597vO++cc8+lBoMB8IWiKBCSGx4PMZxHvbO/t3dMubJyXyKR3E7E4wdC+zlcah4BAqtwsKNeRz1Ovn3c3WVtMpmsp1QqX0plsltI9HUhAo/XewSHk0M9NRwl/D0cAd8puVzeQqIv+FdlhmG2kolEFiYPDmUflhTiZKfTWUU9gUuiLsJLbLTA/gP4R+GHWYjg57KANE2D3W4Hp9PJglM0PfhvBBhz8Pv94HA4oFgssuGiKaovRtBbxnOfzwd6vR6CwSBUq1XuuyhBbVECt9sNGxsbkM/noVQq8Ym7YgTfFgG3Wq1gNpuhVqtBNBods2GZ/hAj+DwPXKfTgcvlYufhcBja7fZkXipiBB94noDFYgGtVjsyKhQKCAQCbPzL5TKrk8JIJO/ECF6Tu0Mmh9fX4Swm8KbXCwaDgQW12Wyg0Wig3+9DJBIRriyGeTC6E0K9CPvPW5yeIetzJhMYjUbWVq/XWXAiJLGhUGgKHP+wmcvlVBwuPSPMj7lJYXsbKpW/IeXAsSVALBYTPHhIociMlfIMgufEYTIhoYjF49BqtUbGbDYLjUZjOvYM05dKpb65BMHNTXKb73FrAk5IyG/3ej3IZDKCXq2urb3Ctv19LB8i1UgC7EQ9ShYkTFuFAltFzWZzajO26y6+D5enGp/Yg4PJPo3DG1QpZ0MQeL+zM3VGo9VeeJZMvph8cGixC4WhIvV8jX+o2+1O7VOpVE/54IskmU/yEAf/LDuCF1Kp1KWZDXGRvoMkd3G4ivqbHxa1Wv0knU6bRDvuop0TSR4NL98nTOgvvBMX0fMr8879EWAAxCD3JoAqg14AAAAASUVORK5CYII=)
![malicious](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABgAAAAXCAYAAAARIY8tAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAyFpVFh0WE1MOmNvbS5hZG9iZS54bXAAAAAAADw/eHBhY2tldCBiZWdpbj0i77u/IiBpZD0iVzVNME1wQ2VoaUh6cmVTek5UY3prYzlkIj8+IDx4OnhtcG1ldGEgeG1sbnM6eD0iYWRvYmU6bnM6bWV0YS8iIHg6eG1wdGs9IkFkb2JlIFhNUCBDb3JlIDUuNi1jMTQyIDc5LjE2MDkyNCwgMjAxNy8wNy8xMy0wMTowNjozOSAgICAgICAgIj4gPHJkZjpSREYgeG1sbnM6cmRmPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5LzAyLzIyLXJkZi1zeW50YXgtbnMjIj4gPHJkZjpEZXNjcmlwdGlvbiByZGY6YWJvdXQ9IiIgeG1sbnM6eG1wPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvIiB4bWxuczp4bXBNTT0iaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wL21tLyIgeG1sbnM6c3RSZWY9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC9zVHlwZS9SZXNvdXJjZVJlZiMiIHhtcDpDcmVhdG9yVG9vbD0iQWRvYmUgUGhvdG9zaG9wIENDIChXaW5kb3dzKSIgeG1wTU06SW5zdGFuY2VJRD0ieG1wLmlpZDo1MURGMTcxMEUwMTExMUU3ODcwNkQzRUEzRDEzQkU2NSIgeG1wTU06RG9jdW1lbnRJRD0ieG1wLmRpZDo1MURGMTcxMUUwMTExMUU3ODcwNkQzRUEzRDEzQkU2NSI+IDx4bXBNTTpEZXJpdmVkRnJvbSBzdFJlZjppbnN0YW5jZUlEPSJ4bXAuaWlkOjUxREYxNzBFRTAxMTExRTc4NzA2RDNFQTNEMTNCRTY1IiBzdFJlZjpkb2N1bWVudElEPSJ4bXAuZGlkOjUxREYxNzBGRTAxMTExRTc4NzA2RDNFQTNEMTNCRTY1Ii8+IDwvcmRmOkRlc2NyaXB0aW9uPiA8L3JkZjpSREY+IDwveDp4bXBtZXRhPiA8P3hwYWNrZXQgZW5kPSJyIj8+ndzG2gAAA2JJREFUeNq0VVtIlEEU/nZXaTc1txbLMkrFxAuolA+Z3dQgqIdE0dSy1gclezJt1VWrh9TSBzUqKCorMs1L0ENJqV0helBMxTCSykUSzby77pKX7czorr/r6mLggcPMf/453zdz5pwzIoPBgNUUMVZZRJaM0evlUTRUrRArpmpouNIqAYFLaeggdV0hgYbUm0h01kJ0zhK4o9NGwdzJEsF20tRl74B270xDltC2RiZDpEqFTa7bTbbNHh6ISEvj/8xETRhbljtBPqm90JBV8xTa4WF8a2w02b5++oSJ0VGoq2vMCezmMBYTEPNOGpTmHjIHBwz09CyKB7OtXbfOUqhOEVagpROULJVVTCS2tjiafJYrm1vJzBIi4Vg2grTct5THjl2BiM5UQz8xwb8PxsXhc339ciTBDJa0UjyXloWWVsns7XmIjqWk8H29vH0Lz2/eoLmI29g/pktIAWHLJL4yqYo+IheckQAOxMZCVV4BhYuLKU19gvfCOygILp6eszcqlyPk5AmMDQ5C095uTiAn1TECVrGmbbj6+UFVVoag8HA8K7mGvzodnN3dIRaLURgXi8baFzxEM9PTNK9F3b27iL14CbvDj+FHSwuG+/qEJL4iOoZamFqn869AameHJ7mXMdLfj/tdGlxPSsSeiEhMjIxgemoKDooNeFv2GOdpIwlUHyyUx7NzwBrnwyy1kCCHZVExaZfRohsbw920VA5uFL1Wi5E//TicmIgjyckY6u0lsBnTf934OB5dyOG1YdY6iiRf9PopChNLdJZJ3PG3RjMPTs5JxSWccJu3z2wN/OrhlVyZl4vvzc3cZpiZYc7o7+42up6hvtQiEhTaB5aqIoo1XywQB4UCUekZ/ARMXt25g+rCAowNDCwsgHnfjwyLCAwS023IpK00JNEuRHaOjvwS2WIGHpOdjdD4eNSVlqKzqQmHlErYr5fzOUsCiY0NmA+bs8OwrCTwnkXtmk5RSkMCq9SQuBPw3b8P/qFh+NnaigfqTHR3dPB1W728kHDlKtwCAtD65jXa33/Au4pyTE9Ost8PCVxp8T2Y66adxobHct/N3w8tDQ0WKykgjMjb2oQJoSX1NO5+qQdHbd4RVyA5BJ5n7cFZkLYrfNGKrD76tAM9Den/QZBh/lwy+SfAAK5qO2iUYLhmAAAAAElFTkSuQmCC)
Download File
Process: | C:\Users\user\Desktop\Payment Challan.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1553618 |
Entropy (8bit): | 6.149509296622149 |
Encrypted: | false |
SSDEEP: | 24576:Pfg8IQCyIHUUqOvMMMtUhBgsvAFaofmP/UDMS08Ckn3w:JIQCyg7vMMMtUh6svA4ofmP/SA8NA |
MD5: | 00801754BD615E4DD9E636A29823204A |
SHA1: | 3A4BEA7747A8FBFF333C51628E39E29BBBE34872 |
SHA-256: | D10C34C796A14AD8A34AEBB5311378DABCB15F14DA5C1FDEB7CC1F1D7B499162 |
SHA-512: | 47FA210766B8B320C5DC299CCCE91F5586A91936E5079B5979A8E5ABFD49BD4724BD8651B5AF11B447E6E9358796C545AB6F02C8F017D712EADD48614505E035 |
Malicious: | true |
Yara Hits: |
|
Antivirus: |
|
Preview: |
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1835008 |
Entropy (8bit): | 4.465931416561485 |
Encrypted: | false |
SSDEEP: | 6144:4zZfpi6ceLPx9skLmb0fBZWSP3aJG8nAgeiJRMMhA2zX4WABluuNLjDH5S:uZHtBZWOKnMM6bFpZj4 |
MD5: | 326999FF42C0D33D990B00F026954C10 |
SHA1: | C911841F0D17FAEAC6D5BD0AA2E90BC7454B5396 |
SHA-256: | 3748EE03B8D71C51CCF34B43BB53ABD5D43F19C613AF7D9ECEB14C0A84D8483F |
SHA-512: | 4B5F3BC9E9C19A6A391354FE63EDE27BF6932838EF2C29F9C9656D3AD42E83568A0A7C05A678D66B19C14FDF5BD1510BD0FB1794D616EDA1693B040D2ABE985D |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 6.149509296622149 |
TrID: |
|
File name: | Payment Challan.exe |
File size: | 1'553'618 bytes |
MD5: | 00801754bd615e4dd9e636a29823204a |
SHA1: | 3a4bea7747a8fbff333c51628e39e29bbbe34872 |
SHA256: | d10c34c796a14ad8a34aebb5311378dabcb15f14da5c1fdeb7cc1f1d7b499162 |
SHA512: | 47fa210766b8b320c5dc299ccce91f5586a91936e5079b5979a8e5abfd49bd4724bd8651b5af11b447e6e9358796c545ab6f02c8f017d712eadd48614505e035 |
SSDEEP: | 24576:Pfg8IQCyIHUUqOvMMMtUhBgsvAFaofmP/UDMS08Ckn3w:JIQCyg7vMMMtUh6svA4ofmP/SA8NA |
TLSH: | 96758D23A3D4E727D5398E71597B5EB40619FC39156A890BA5403B0FEBB2EC2053732B |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K...*...*...*...6...*...5...*..t5...*..Rich.*..................PE..L.....qf.................p... .......T............@........ |
Icon Hash: | 00869eb0b230201f |
Entrypoint: | 0x405494 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | |
Time Stamp: | 0x6671A3D3 [Tue Jun 18 15:12:19 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | bbbc09b8643dca9dcbc41feaf4f2fbb6 |
Instruction |
---|
push 0040620Ch |
call 00007FA31CB93753h |
add byte ptr [eax], al |
dec esp |
xor dword ptr [eax], eax |
add dword ptr [ebp-2E890B59h], eax |
add eax, dword ptr [eax] |
inc esi |
mov al, CBh |
xlatb |
sbb al, F2h |
jns 00007FA31CB93793h |
retn 3D7Ah |
mov eax, dword ptr [2E1FDF25h] |
dec edi |
mov ah, 2Dh |
mov al, 36h |
fucomip st(0), st(0) |
and dword ptr [esi+33AD4F3Ah], esp |
cdq |
iretw |
adc dword ptr [edi+00AA000Ch], esi |
pushad |
rcl dword ptr [ebx+00000000h], cl |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax+00h], al |
add byte ptr [eax], al |
add byte ptr [726F4600h], al |
insd |
xor dword ptr [eax], eax |
or eax, 46000501h |
outsd |
jc 00007FA31CB937CFh |
xor dword ptr [eax], eax |
sbb dword ptr [ecx], eax |
add byte ptr [edx+00h], al |
and edi, edi |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x136d34 | 0x28 | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x148000 | 0x413f8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x230 | 0x20 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x3b0 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x136c18 | 0x137000 | c5839c7ff98fa6f32c2b52494b2dd9e0 | False | 0.3043161864449357 | data | 5.617665253051609 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.data | 0x138000 | 0xf828 | 0x1000 | 620f0b67a91f7f74151bc5be745b7110 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x148000 | 0x413f8 | 0x42000 | 3993e5db66e053692f32382b2f5e2d18 | False | 0.9822221235795454 | data | 7.972734114189162 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
CUSTOM | 0x148230 | 0x40800 | OpenPGP Public Key | 1.0003444464631783 | ||
CUSTOM | 0x188a30 | 0x16 | ASCII text, with CRLF line terminators | 1.3636363636363635 | ||
CUSTOM | 0x188a48 | 0xff | data | 0.8235294117647058 | ||
CUSTOM | 0x188b48 | 0xe6 | ISO-8859 text, with CRLF line terminators | 0.14347826086956522 | ||
RT_ICON | 0x188c30 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 256 | 0.3223684210526316 | ||
RT_ICON | 0x188d60 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | 0.19623655913978494 | ||
RT_ICON | 0x189048 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | 0.4155405405405405 | ||
RT_GROUP_ICON | 0x189170 | 0x30 | data | 1.0 | ||
RT_VERSION | 0x1891a0 | 0x258 | data | English | United States | 0.485 |
DLL | Import |
---|---|
MSVBVM60.DLL | EVENT_SINK_GetIDsOfNames, __vbaVarSub, __vbaVarTstGt, __vbaStrI2, _CIcos, _adj_fptan, __vbaHresultCheck, __vbaVarMove, __vbaStrI4, __vbaVarVargNofree, __vbaAryMove, __vbaFreeVar, __vbaLenBstr, __vbaLateIdCall, __vbaStrVarMove, __vbaPut3, __vbaEnd, __vbaFreeVarList, _adj_fdiv_m64, EVENT_SINK_Invoke, __vbaNextEachVar, __vbaRaiseEvent, __vbaFreeObjList, __vbaVarIndexLoadRef, __vbaStrErrVarCopy, _adj_fprem1, __vbaForEachCollAd, __vbaVarCmpNe, __vbaStrCat, __vbaRecDestruct, __vbaSetSystemError, __vbaLenBstrB, __vbaHresultCheckObj, __vbaLenVar, _adj_fdiv_m32, __vbaAryVar, Zombie_GetTypeInfo, __vbaAryDestruct, __vbaVarIndexLoadRefLock, __vbaLateMemSt, __vbaVarForInit, __vbaExitProc, __vbaForEachCollObj, __vbaI4Abs, __vbaCyAdd, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarIndexLoad, __vbaCyStr, __vbaFpR4, __vbaBoolVar, __vbaRefVarAry, __vbaFpR8, __vbaVarTstLt, __vbaBoolVarNull, _CIsin, __vbaErase, __vbaVargVarMove, __vbaNextEachCollObj, __vbaVarCmpGt, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaGet3, __vbaStrCmp, __vbaExitEachColl, __vbaAryConstruct2, __vbaVarTstEq, __vbaPutOwner4, __vbaObjVar, __vbaI2I4, DllFunctionCall, __vbaVarOr, __vbaVarLateMemSt, __vbaCastObjVar, __vbaLbound, _adj_fpatan, __vbaR4Var, __vbaLateIdCallLd, Zombie_GetTypeInfoCount, __vbaStrR8, __vbaR8Cy, __vbaRedim, EVENT_SINK_Release, __vbaNew, __vbaUI1I2, _CIsqrt, __vbaObjIs, __vbaVarAnd, EVENT_SINK_QueryInterface, __vbaStr2Vec, __vbaUI1I4, __vbaExceptHandler, __vbaPrintFile, __vbaStrToUnicode, __vbaDateStr, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaInStrVar, __vbaUbound, __vbaStrVarVal, __vbaVarCat, __vbaDateVar, __vbaI2Var, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaVar2Vec, __vbaVarLateMemCallLdRf, __vbaR8Str, __vbaInStr, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaVarSetObj, __vbaStrCopy, __vbaI4Str, __vbaVarCmpLt, __vbaFreeStrList, __vbaDerefAry1, _adj_fdivr_m32, __vbaR8Var, __vbaPowerR8, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarCmpEq, __vbaFpCy, __vbaAryLock, __vbaLateMemCall, __vbaVarAdd, __vbaStrComp, __vbaStrToAnsi, __vbaFreeVarg, __vbaVarDup, __vbaFpI2, __vbaFpI4, __vbaVarCopy, __vbaVarLateMemCallLd, __vbaVarSetObjAddref, __vbaLateMemCallLd, _CIatan, __vbaAryCopy, __vbaStrMove, __vbaCastObj, __vbaR8IntI4, __vbaStrVarCopy, __vbaForEachVar, _allmul, __vbaVarLateMemCallSt, __vbaLateIdSt, _CItan, __vbaNextEachCollAd, __vbaUI1Var, __vbaAryUnlock, __vbaVarForNext, _CIexp, __vbaStrCy, __vbaI4ErrVar, __vbaRecAssign, __vbaFreeObj, __vbaFreeStr |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
Target ID: | 0 |
Start time: | 03:24:18 |
Start date: | 05/07/2024 |
Path: | C:\Users\user\Desktop\Payment Challan.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 1'553'618 bytes |
MD5 hash: | 00801754BD615E4DD9E636A29823204A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | true |
Target ID: | 3 |
Start time: | 03:24:19 |
Start date: | 05/07/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1c0000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 4 |
Start time: | 03:24:19 |
Start date: | 05/07/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff66e660000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 9 |
Start time: | 03:24:21 |
Start date: | 05/07/2024 |
Path: | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 1'553'618 bytes |
MD5 hash: | 00801754BD615E4DD9E636A29823204A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Antivirus matches: |
|
Reputation: | low |
Has exited: | false |
Target ID: | 11 |
Start time: | 03:24:32 |
Start date: | 05/07/2024 |
Path: | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 1'553'618 bytes |
MD5 hash: | 00801754BD615E4DD9E636A29823204A |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | true |
Execution Graph
Execution Coverage: | 2.9% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 0.2% |
Total number of Nodes: | 1131 |
Total number of Limit Nodes: | 92 |
Graph
Function 00405494 Relevance: 1.9, APIs: 1, Instructions: 434COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 005296DA Relevance: 500.7, APIs: 270, Strings: 15, Instructions: 1992COMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00533134 Relevance: 483.3, APIs: 263, Strings: 12, Instructions: 2030COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00522C25 Relevance: 258.5, APIs: 142, Strings: 5, Instructions: 1231COMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0052876C Relevance: 54.5, APIs: 36, Instructions: 509COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004FF2BD Relevance: 18.2, APIs: 12, Instructions: 164COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0052B695 Relevance: 4.5, APIs: 3, Instructions: 40COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0041EF44 Relevance: .0, Instructions: 8COMMON
Control-flow Graph
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 04AE0FBF Relevance: .0, Instructions: 4COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 04AE0FCF Relevance: .0, Instructions: 4COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 04AE0FC7 Relevance: .0, Instructions: 4COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 04AE0FD7 Relevance: .0, Instructions: 4COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 04A60FBF Relevance: .0, Instructions: 4COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 04A60FC7 Relevance: .0, Instructions: 4COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 04A60FCF Relevance: .0, Instructions: 4COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 04A60FD7 Relevance: .0, Instructions: 4COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 04AA0FBF Relevance: .0, Instructions: 4COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 04AA0FCF Relevance: .0, Instructions: 4COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 04AA0FC7 Relevance: .0, Instructions: 4COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 04AA0FD7 Relevance: .0, Instructions: 4COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 04B20FBF Relevance: .0, Instructions: 4COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 04B20FD7 Relevance: .0, Instructions: 4COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 04B20FC7 Relevance: .0, Instructions: 4COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 04B20FCF Relevance: .0, Instructions: 4COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004E61ED Relevance: 296.0, APIs: 164, Strings: 4, Instructions: 2023COMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0051C5A9 Relevance: 136.9, APIs: 67, Strings: 11, Instructions: 428COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004FD595 Relevance: 121.1, APIs: 58, Strings: 11, Instructions: 388COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0051B9C4 Relevance: 100.1, APIs: 45, Strings: 12, Instructions: 334COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0052F987 Relevance: 72.5, APIs: 48, Instructions: 498COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 005171F2 Relevance: 64.9, APIs: 43, Instructions: 415COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0051AAFC Relevance: 58.8, APIs: 39, Instructions: 326COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004E1898 Relevance: 52.9, APIs: 35, Instructions: 429COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004E3570 Relevance: 51.4, APIs: 34, Instructions: 446COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0053008C Relevance: 48.3, APIs: 32, Instructions: 322COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0051BE92 Relevance: 46.7, APIs: 31, Instructions: 188COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004E7C6B Relevance: 45.4, APIs: 30, Instructions: 386COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004F7A0E Relevance: 45.4, APIs: 30, Instructions: 361COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0050EE28 Relevance: 39.1, APIs: 26, Instructions: 143COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00523D78 Relevance: 35.1, APIs: 19, Strings: 1, Instructions: 113fileCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004E2DB2 Relevance: 34.8, APIs: 23, Instructions: 309COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00501E7B Relevance: 34.7, APIs: 23, Instructions: 194COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00515A1D Relevance: 33.1, APIs: 22, Instructions: 138COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 005291E8 Relevance: 31.7, APIs: 21, Instructions: 196COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004FFB0E Relevance: 30.2, APIs: 20, Instructions: 220COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 005099D8 Relevance: 30.1, APIs: 20, Instructions: 94COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004E8DE9 Relevance: 27.3, APIs: 18, Instructions: 272COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0051012B Relevance: 27.2, APIs: 18, Instructions: 177COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00532AE9 Relevance: 27.1, APIs: 18, Instructions: 146COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004DEE94 Relevance: 25.7, APIs: 17, Instructions: 231COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004E79EC Relevance: 24.2, APIs: 16, Instructions: 211COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00501087 Relevance: 24.1, APIs: 16, Instructions: 127COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00525BC1 Relevance: 22.7, APIs: 15, Instructions: 188COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00532D49 Relevance: 21.1, APIs: 14, Instructions: 120COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004DF1D6 Relevance: 19.7, APIs: 13, Instructions: 168COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004F3CD8 Relevance: 19.7, APIs: 13, Instructions: 168COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004FF6F4 Relevance: 19.6, APIs: 13, Instructions: 120COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00503893 Relevance: 18.2, APIs: 12, Instructions: 196COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004FDDB7 Relevance: 18.1, APIs: 12, Instructions: 97COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00533014 Relevance: 18.1, APIs: 12, Instructions: 72COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00531BEF Relevance: 16.6, APIs: 11, Instructions: 67COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00531420 Relevance: 16.6, APIs: 11, Instructions: 63COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004DECF9 Relevance: 15.1, APIs: 10, Instructions: 126COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0051DCF8 Relevance: 15.1, APIs: 10, Instructions: 122COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004EB485 Relevance: 13.6, APIs: 9, Instructions: 122COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00515202 Relevance: 13.6, APIs: 9, Instructions: 108COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00528EE2 Relevance: 13.6, APIs: 9, Instructions: 99COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0050965C Relevance: 12.1, APIs: 8, Instructions: 95COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00505986 Relevance: 10.6, APIs: 7, Instructions: 114COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0052DE87 Relevance: 10.6, APIs: 7, Instructions: 114COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004F50DD Relevance: 10.6, APIs: 7, Instructions: 86COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004F80F5 Relevance: 10.6, APIs: 7, Instructions: 86COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004F0983 Relevance: 10.6, APIs: 7, Instructions: 86COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004F821B Relevance: 10.6, APIs: 7, Instructions: 86COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004F0AA9 Relevance: 10.6, APIs: 7, Instructions: 86COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004E2B66 Relevance: 10.6, APIs: 7, Instructions: 86COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004E3B2F Relevance: 10.6, APIs: 7, Instructions: 86COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004FA3F4 Relevance: 10.6, APIs: 7, Instructions: 86COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004DFC2D Relevance: 10.6, APIs: 7, Instructions: 86COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004E2C8C Relevance: 10.6, APIs: 7, Instructions: 86COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004FA51A Relevance: 10.6, APIs: 7, Instructions: 86COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00409A39 Relevance: 9.1, APIs: 6, Instructions: 85COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040BE1A Relevance: 9.1, APIs: 6, Instructions: 85COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 005258AD Relevance: 9.1, APIs: 6, Instructions: 58COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00531523 Relevance: 9.0, APIs: 6, Instructions: 47COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0052F246 Relevance: 7.6, APIs: 5, Instructions: 67COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00530473 Relevance: 7.6, APIs: 5, Instructions: 67COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004ED99E Relevance: 7.6, APIs: 5, Instructions: 62COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004E0200 Relevance: 7.6, APIs: 5, Instructions: 62COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004F75E2 Relevance: 7.6, APIs: 5, Instructions: 62COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004FA640 Relevance: 7.6, APIs: 5, Instructions: 62COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004F567B Relevance: 7.6, APIs: 5, Instructions: 62COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00500624 Relevance: 7.6, APIs: 5, Instructions: 58COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 005219B0 Relevance: 7.6, APIs: 5, Instructions: 51COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00500576 Relevance: 7.6, APIs: 5, Instructions: 50COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0051C0DF Relevance: 7.5, APIs: 5, Instructions: 46COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00515BE2 Relevance: 7.5, APIs: 5, Instructions: 46COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00530C84 Relevance: 7.5, APIs: 5, Instructions: 46COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004DEC04 Relevance: 6.1, APIs: 4, Instructions: 73COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004F2A0C Relevance: 6.1, APIs: 4, Instructions: 61COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004E0034 Relevance: 6.1, APIs: 4, Instructions: 54COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00501A4F Relevance: 6.1, APIs: 4, Instructions: 54COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004FDA61 Relevance: 6.1, APIs: 4, Instructions: 54COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004ED2DC Relevance: 6.1, APIs: 4, Instructions: 54COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004F5BD8 Relevance: 6.1, APIs: 4, Instructions: 54COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004FC686 Relevance: 6.1, APIs: 4, Instructions: 54COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004FF87D Relevance: 6.0, APIs: 4, Instructions: 50COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0051E475 Relevance: 6.0, APIs: 4, Instructions: 41COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|