Windows
Analysis Report
AvDJi40xp_9fyz7RPmKdbxb4.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- AvDJi40xp_9fyz7RPmKdbxb4.exe (PID: 7136 cmdline: "C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe" MD5: B40B6B9BD2F7D17A65C72469EE2E2CFA)
  - cmd.exe (PID: 5080 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qeuwztgf\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - conhost.exe (PID: 2676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - cmd.exe (PID: 4340 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\lfkidgdf.exe" C:\Windows\SysWOW64\qeuwztgf\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - conhost.exe (PID: 6820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - sc.exe (PID: 2496 cmdline: "C:\Windows\System32\sc.exe" create qeuwztgf binPath= "C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe /d\"C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe\"" type= own start= auto DisplayName= "wifi support" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
  - conhost.exe (PID: 3228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - sc.exe (PID: 3156 cmdline: "C:\Windows\System32\sc.exe" description qeuwztgf "wifi internet conection" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
  - conhost.exe (PID: 3548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - sc.exe (PID: 6220 cmdline: "C:\Windows\System32\sc.exe" start qeuwztgf MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
  - conhost.exe (PID: 6268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - netsh.exe (PID: 5808 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
  - conhost.exe (PID: 1928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- lfkidgdf.exe (PID: 2696 cmdline: C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe /d"C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe" MD5: 1D7112211B0E3F7C2ED96B0897990451)
  - svchost.exe (PID: 4048 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Tofsee | According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more. Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts), however, having Tofsee installed can also lead to many other problems. | No Attribution |
{"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security | |
| | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown | |
| | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen | |
| | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security | |
| | Windows_Trojan_Smokeloader_3687686f | unknown | unknown | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security | |
| | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown | |
| | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen | |
| | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security | |
| | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown | |
System Summary |
---|
Source: | Author: David Burkett, @signalblur: |
Source: | Author: Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: frack113: |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Christian Burkard (Nextron Systems): |
Source: | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: |
AV Detection |
---|
Source: | Avira URL Cloud: |
Source: | Malware Configuration Extractor: |
Source: | Virustotal: | Perma Link | ||
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Compliance |
---|
Source: | Unpacked PE file: | ||
Source: | Static PE information: |
Source: | File opened: | Jump to behavior |
Change of critical system settings |
---|
Source: | Registry key created or modified: | Jump to behavior |
Networking |
---|
Source: | Network Connect: | Jump to behavior | ||
Source: | URLs: | ||
Source: | IP Address: | ||
Source: | ASN Name: | ||
Source: | TCP traffic: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | Code function: | 0_2_00402A62 |
Source: | DNS traffic detected: | ||
Source: | Network traffic detected: | ||
Spam, unwanted Advertisements and Ransom Demands |
---|
Source: | File source: | ||
System Summary |
---|
Source: | Matched rule: | ||
Source: | Process Stats: |
Source: | Code function: | 0_2_00408E26 |
Source: | Code function: | 0_2_00401280 |
Source: | File created: | Jump to behavior |
Source: | Code function: | 0_2_0040C913 | |
Source: | Code function: | 11_2_0040C913 | |
Source: | Code function: | 14_2_02B0C913 |
Source: | Binary or memory string: | ||
Source: | Static PE information: |
Source: | Matched rule: | ||
Source: | Static PE information: |
Source: | Classification label: |
Source: | Code function: | 0_2_00406A60 |
Source: | Code function: | 0_2_02866ECC |
Source: | Code function: | 0_2_00409A6B |
Source: | Code function: | 0_2_00409A6B | |
Source: | Code function: | 11_2_00409A6B | |
Source: | Code function: | 14_2_02B09A6B |
Source: | Mutant created: | ||
Source: | File created: | Jump to behavior |
Source: | Static PE information: |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Virustotal: |
Source: | File read: | Jump to behavior |
Source: | Evasive API call chain: | graph_11-14845 |
Source: | Process created: | |||
Source: | Section loaded: | Jump to behavior | ||
Source: | Key value queried: | Jump to behavior |
Source: | File opened: | Jump to behavior |
Source: | Static PE information: |
Data Obfuscation |
---|
Source: | Unpacked PE file: | ||
Source: | Code function: | 0_2_00406069 |
Source: | Code function: | 0_2_0286A1BA | |
Source: | Code function: | 11_2_02AB4B32 |
Source: | Static PE information: |
Persistence and Installation Behavior |
---|
Source: | Executable created and started: |
Source: | File created: | Jump to dropped file | ||
Source: | Registry key value modified: | Jump to behavior |
Source: | Code function: | 0_2_00409A6B |
Source: | Process created: |
Source: | Code function: | 0_2_00401000 |
Source: | Process information set: | Jump to behavior | ||
Source: | Code function: | 14_2_02B0199C |
Source: | Window / User API: | Jump to behavior |
Source: | Decision node followed by non-executed suspicious API: | graph_11-15271 | ||
Source: | Decision node followed by non-executed suspicious API: | graph_0-15191 | ||
Source: | Decision node followed by non-executed suspicious API: | graph_14-6989 |
Source: | Evaded block: | graph_14-6130 |
Source: | Evasive API call chain: | graph_0-15139 | ||
Source: | Evasive API call chain: | graph_11-15902 | ||
Source: | Evasive API call chain: | graph_14-6420 |
Source: | Evasive API call chain: | graph_14-7409 |
Source: | Evasive API call chain: | graph_0-14717 | ||
Source: | Evasive API call chain: | graph_11-14861 |
Source: | API coverage: | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Last function: | ||
Source: | Code function: | 0_2_00401D96 |
Source: | Binary or memory string: |
Source: | API call chain: | graph_0-15151 | ||
Source: | API call chain: | graph_14-6422 |
Anti Debugging |
---|
Source: | Debugger detection routine: | graph_14-7655 | ||
Source: | Debugger detection routine: | graph_11-16195 |
Source: | Code function: | 0_2_00406069 |
Source: | Code function: | 0_2_028667A9 | |
Source: | Code function: | 0_2_02980D90 | |
Source: | Code function: | 0_2_0298092B | |
Source: | Code function: | 11_2_02A70D90 | |
Source: | Code function: | 11_2_02A7092B | |
Source: | Code function: | 11_2_02AB1121 |
Source: | Code function: | 0_2_0040EBCC |
Source: | Code function: | 0_2_00409A6B | |
Source: | Code function: | 11_2_00409A6B | |
Source: | Code function: | 14_2_02B09A6B |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Network Connect: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior |
Source: | Memory written: | Jump to behavior |
Source: | Process created: | Jump to behavior | ||
Source: | Code function: | 0_2_00407809 |
Source: | Code function: | 0_2_00406EDD |
Source: | Queries volume information: | Jump to behavior | ||
Source: | Code function: | 0_2_0040405E |
Source: | Code function: | 0_2_0040EC54 |
Source: | Code function: | 0_2_00407809 |
Source: | Code function: | 0_2_0040B211 |
Source: | Code function: | 0_2_00409326 |
Lowering of HIPS / PFW / Operating System Security Settings |
---|
Source: | Process created: |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | Code function: | 0_2_004088B0 | |
Source: | Code function: | 11_2_004088B0 | |
Source: | Code function: | 14_2_02B088B0 |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | 1 Valid Accounts | 41 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 3 Disable or Modify Tools | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 Valid Accounts | 1 Valid Accounts | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | Data from Removable Media | 12 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | 3 Service Execution | 14 Windows Service | 1 Access Token Manipulation | 3 Obfuscated Files or Information | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 14 Windows Service | 22 Software Packing | NTDS | 15 System Information Discovery | Distributed Component Object Model | Input Capture | 112 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 412 Process Injection | 1 DLL Side-Loading | LSA Secrets | 111 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 12 Masquerading | Cached Domain Credentials | 11 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Valid Accounts | DCSync | 1 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 11 Virtualization/Sandbox Evasion | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Access Token Manipulation | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 412 Process Injection | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
45% | Virustotal | Browse | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
1% | Virustotal | Browse | ||
0% | Virustotal | Browse | ||
1% | Virustotal | Browse | ||
14% | Virustotal | Browse | ||
0% | Virustotal | Browse | ||
1% | Virustotal | Browse | ||
17% | Virustotal | Browse | ||
0% | Virustotal | Browse | ||
0% | Virustotal | Browse | ||
0% | Virustotal | Browse | ||
0% | Virustotal | Browse | ||
1% | Virustotal | Browse |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
mta6.am0.yahoodns.net | 98.136.96.75 | true | true | | unknown |
mxs.mail.ru | 217.69.139.150 | true | true | | unknown |
mta7.am0.yahoodns.net | 67.195.228.94 | true | true | | unknown |
jotunheim.name | 80.66.75.11 | true | true | | unknown |
microsoft-com.mail.protection.outlook.com | 52.101.11.0 | true | true | | unknown |
vanaheim.cn | 195.133.13.231 | true | true | | unknown |
smtp.google.com | 142.251.173.26 | true | false | | unknown |
15.164.165.52.in-addr.arpa | unknown | unknown | true | | unknown |
google.com | unknown | unknown | true | | unknown |
yahoo.com | unknown | unknown | true | | unknown |
mail.ru | unknown | unknown | true | | unknown |
50.23.12.20.in-addr.arpa | unknown | unknown | true | | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| | true | | unknown |
| | true | | unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
52.101.11.0 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true |
67.195.228.94 | mta7.am0.yahoodns.net | United States | 36647 | YAHOO-GQ1US | true |
142.251.173.26 | smtp.google.com | United States | 15169 | GOOGLEUS | false |
217.69.139.150 | mxs.mail.ru | Russian Federation | 47764 | MAILRU-ASMailRuRU | true |
195.133.13.231 | vanaheim.cn | Russian Federation | 197695 | AS-REGRU | true |
98.136.96.75 | mta6.am0.yahoodns.net | United States | 36646 | YAHOO-NE1US | true |
80.66.75.11 | jotunheim.name | Russian Federation | 20803 | RISS-ASRU | true |
94.100.180.31 | unknown | Russian Federation | 47764 | MAILRU-ASMailRuRU | true |
104.47.53.36 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1468501 |
Start date and time: | 2024-07-06 09:06:05 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 9m 6s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 19 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | AvDJi40xp_9fyz7RPmKdbxb4.exe |
Detection: | MAL |
Classification: | mal100.troj.evad.winEXE@22/3@17/9 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 20.112.250.133, 20.76.201.171, 20.70.246.20, 20.231.239.246, 20.236.44.162
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, microsoft.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtEnumerateKey calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
03:08:09 | API Interceptor |
Match | Detection | Threat Name |
---|---|---|
52.101.11.0 | malicious | Tofsee |
52.101.11.0 | malicious | Tofsee |
52.101.11.0 | malicious | Tofsee |
52.101.11.0 | malicious | Tofsee |
52.101.11.0 | malicious | Tofsee |
52.101.11.0 | malicious | Unknown |
52.101.11.0 | malicious | Tofsee |
52.101.11.0 | malicious | Tofsee |
52.101.11.0 | malicious | Tofsee |
52.101.11.0 | malicious | Tofsee |
67.195.228.94 | malicious | Tofsee |
67.195.228.94 | malicious | Phorpiex |
67.195.228.94 | malicious | Phorpiex |
67.195.228.94 | malicious | Unknown |
67.195.228.94 | malicious | Phorpiex |
67.195.228.94 | malicious | Phorpiex |
67.195.228.94 | malicious | Tofsee |
67.195.228.94 | malicious | Phorpiex, Xmrig |
67.195.228.94 | malicious | Phorpiex |
67.195.228.94 | malicious | Unknown |
217.69.139.150 | malicious | Tofsee |
217.69.139.150 | malicious | Tofsee |
217.69.139.150 | malicious | Tofsee |
217.69.139.150 | malicious | Tofsee |
217.69.139.150 | malicious | Tofsee |
217.69.139.150 | malicious | Pushdo |
217.69.139.150 | malicious | Pushdo |
217.69.139.150 | malicious | Unknown |
217.69.139.150 | malicious | Pushdo |
217.69.139.150 | malicious | Pushdo |
98.136.96.75 | malicious | Phorpiex |
98.136.96.75 | malicious | Phorpiex, Xmrig |
98.136.96.75 | malicious | Phorpiex |
98.136.96.75 | malicious | Unknown |
98.136.96.75 | malicious | Unknown |
98.136.96.75 | malicious | Raccoon RedLine SmokeLoader Tofsee Xmrig |
98.136.96.75 | malicious | Unknown |
98.136.96.75 | malicious | Unknown |
98.136.96.75 | malicious | Tofsee Xmrig |
98.136.96.75 | malicious | Tofsee Xmrig |
Match | Detection | Threat Name |
---|---|---|
mta6.am0.yahoodns.net | malicious | Tofsee |
mta6.am0.yahoodns.net | malicious | Tofsee |
mta6.am0.yahoodns.net | malicious | Phorpiex |
mta6.am0.yahoodns.net | malicious | Phorpiex |
mta6.am0.yahoodns.net | malicious | Unknown |
mta6.am0.yahoodns.net | malicious | Unknown |
mta6.am0.yahoodns.net | malicious | Tofsee |
mta6.am0.yahoodns.net | malicious | Unknown |
mta6.am0.yahoodns.net | malicious | Tofsee |
mta6.am0.yahoodns.net | malicious | Unknown |
mta7.am0.yahoodns.net | malicious | Tofsee |
mta7.am0.yahoodns.net | malicious | Tofsee |
mta7.am0.yahoodns.net | malicious | Phorpiex |
mta7.am0.yahoodns.net | malicious | Tofsee |
mta7.am0.yahoodns.net | malicious | Phorpiex |
mta7.am0.yahoodns.net | malicious | Phorpiex |
mta7.am0.yahoodns.net | malicious | Unknown |
mta7.am0.yahoodns.net | malicious | Unknown |
mta7.am0.yahoodns.net | malicious | Phorpiex |
mta7.am0.yahoodns.net | malicious | Unknown |
jotunheim.name | malicious | Tofsee |
jotunheim.name | malicious | Tofsee |
jotunheim.name | malicious | Tofsee |
jotunheim.name | malicious | Tofsee |
jotunheim.name | malicious | Tofsee |
jotunheim.name | malicious | Tofsee |
jotunheim.name | malicious | Tofsee |
jotunheim.name | malicious | Tofsee |
jotunheim.name | malicious | Tofsee |
jotunheim.name | malicious | Tofsee |
mxs.mail.ru | malicious | PureLog Stealer, SystemBC |
mxs.mail.ru | malicious | Tofsee |
mxs.mail.ru | malicious | Tofsee |
mxs.mail.ru | malicious | Tofsee |
mxs.mail.ru | malicious | Tofsee |
mxs.mail.ru | malicious | Tofsee |
mxs.mail.ru | malicious | Pushdo |
mxs.mail.ru | malicious | Pushdo |
mxs.mail.ru | malicious | Unknown |
mxs.mail.ru | malicious | Phorpiex |
Match | Detection | Threat Name |
---|---|---|
MAILRU-ASMailRuRU | malicious | Unknown |
MAILRU-ASMailRuRU | malicious | Unknown |
MAILRU-ASMailRuRU | malicious | Unknown |
MAILRU-ASMailRuRU | malicious | Tofsee |
MAILRU-ASMailRuRU | malicious | Tofsee |
MAILRU-ASMailRuRU | malicious | Unknown |
MAILRU-ASMailRuRU | malicious | Unknown |
MAILRU-ASMailRuRU | malicious | Mirai |
MAILRU-ASMailRuRU | malicious | Tofsee |
MAILRU-ASMailRuRU | malicious | Tofsee |
YAHOO-NE1US | malicious | Mirai, Moobot |
YAHOO-NE1US | malicious | Mirai |
YAHOO-NE1US | malicious | Tofsee |
YAHOO-NE1US | malicious | Tofsee |
YAHOO-NE1US | malicious | Brontok |
YAHOO-NE1US | malicious | Mirai |
YAHOO-NE1US | malicious | HTMLPhisher |
YAHOO-NE1US | malicious | Mirai |
YAHOO-NE1US | malicious | Unknown |
YAHOO-NE1US | malicious | HTMLPhisher |
MICROSOFT-CORP-MSN-AS-BLOCKUS | malicious | HTMLPhisher |
MICROSOFT-CORP-MSN-AS-BLOCKUS | malicious | Mirai |
MICROSOFT-CORP-MSN-AS-BLOCKUS | malicious | HTMLPhisher |
MICROSOFT-CORP-MSN-AS-BLOCKUS | malicious | HTMLPhisher |
MICROSOFT-CORP-MSN-AS-BLOCKUS | malicious | HTMLPhisher |
MICROSOFT-CORP-MSN-AS-BLOCKUS | malicious | HTMLPhisher |
MICROSOFT-CORP-MSN-AS-BLOCKUS | malicious | HTMLPhisher |
MICROSOFT-CORP-MSN-AS-BLOCKUS | malicious | HTMLPhisher |
MICROSOFT-CORP-MSN-AS-BLOCKUS | malicious | HTMLPhisher |
MICROSOFT-CORP-MSN-AS-BLOCKUS | malicious | HTMLPhisher |
AS-REGRU | malicious | FormBook |
AS-REGRU | malicious | FormBook |
AS-REGRU | malicious | FormBook |
AS-REGRU | malicious | FormBook |
AS-REGRU | malicious | FormBook |
AS-REGRU | malicious | FormBook |
AS-REGRU | malicious | FormBook |
AS-REGRU | malicious | FormBook |
AS-REGRU | malicious | Mirai |
AS-REGRU | malicious | FormBook |
YAHOO-GQ1US | malicious | Tofsee |
YAHOO-GQ1US | malicious | Unknown |
YAHOO-GQ1US | malicious | Tofsee |
YAHOO-GQ1US | malicious | Mirai |
YAHOO-GQ1US | malicious | Mirai |
YAHOO-GQ1US | malicious | Gafgyt, Mirai |
YAHOO-GQ1US | malicious | Mirai |
YAHOO-GQ1US | malicious | Unknown |
YAHOO-GQ1US | malicious | HTMLPhisher |
YAHOO-GQ1US | malicious | Phorpiex |
Process: | C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12696064 |
Entropy (8bit): | 5.50848535248732 |
Encrypted: | false |
SSDEEP: | 98304:xqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqS: |
MD5: | 1D7112211B0E3F7C2ED96B0897990451 |
SHA1: | FFE8C1DC7ADE2954699C86909142CF6BE5350313 |
SHA-256: | EDA4991615678D5147D4E63FE8519274C2563B68E38D4663EAFB47F27CF4BCCD |
SHA-512: | FFDA3D463B1F7D8F89AFB089B198A7847F07AE95F535DADA604647E7278B0C01FDA18E213CDC046A2A4823AAFB90DE03DA65846F0C81DCE43F2093CAF6A5A235 |
Malicious: | true |
Antivirus: |
|
Preview: |
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12696064 |
Entropy (8bit): | 5.50848535248732 |
Encrypted: | false |
SSDEEP: | 98304:xqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqS: |
MD5: | 1D7112211B0E3F7C2ED96B0897990451 |
SHA1: | FFE8C1DC7ADE2954699C86909142CF6BE5350313 |
SHA-256: | EDA4991615678D5147D4E63FE8519274C2563B68E38D4663EAFB47F27CF4BCCD |
SHA-512: | FFDA3D463B1F7D8F89AFB089B198A7847F07AE95F535DADA604647E7278B0C01FDA18E213CDC046A2A4823AAFB90DE03DA65846F0C81DCE43F2093CAF6A5A235 |
Malicious: | true |
Preview: |
Process: | C:\Windows\SysWOW64\netsh.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 3773 |
Entropy (8bit): | 4.7109073551842435 |
Encrypted: | false |
SSDEEP: | 48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w |
MD5: | DA3247A302D70819F10BCEEBAF400503 |
SHA1: | 2857AA198EE76C86FC929CC3388A56D5FD051844 |
SHA-256: | 5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8 |
SHA-512: | 48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 6.314370004206929 |
TrID: |
|
File name: | AvDJi40xp_9fyz7RPmKdbxb4.exe |
File size: | 235'008 bytes |
MD5: | b40b6b9bd2f7d17a65c72469ee2e2cfa |
SHA1: | 859ffdfda568b34e1c3ded9f846dea6e8774f5b5 |
SHA256: | f37f32eb1c859541773f55297fb1e05bbfc2874851fc7bbd4e185d3a6a1b6583 |
SHA512: | 7a4b7171000f8dad0eed766e212ee6c9ebf6431175291442524383232f5455f6bc3e8b224c31dc8bf48ad0cba4ef7637edd4dcc8f32e48f93fb9ea7036adeae1 |
SSDEEP: | 3072:DI/quXXuYu/IdYKV97eRuWYxYBouZdSzBS7sy4iIb:DYqKXzEIzSbYxYTAS7W |
TLSH: | 5B34DF21B2E19431D47B453785F1FA60EA7ABC52B7F1912F23682A3F2EB07D18725316 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............yB..yB..yB...B..yB...B..yB...B..yB...B..yB..xB..yB...B..yB...B..yB...B..yBRich..yB................PE..L...577d........... |
Icon Hash: | 63796de961636e0f |
Entrypoint: | 0x402568 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x64373735 [Wed Apr 12 22:56:53 2023 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 1 |
File Version Major: | 5 |
File Version Minor: | 1 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 1 |
Import Hash: | 48bfd2c8ba2c8c1adc16449871b198d1 |
Instruction |
---|
call 00007F1FD523C0F7h |
jmp 00007F1FD523935Eh |
push edi |
mov eax, esi |
and eax, 0Fh |
test eax, eax |
jne 00007F1FD5239597h |
mov edx, ecx |
and ecx, 7Fh |
shr edx, 07h |
je 00007F1FD5239537h |
jmp 00007F1FD52394D8h |
lea ebx, dword ptr [ebx+00000000h] |
movdqa xmm0, dqword ptr [esi] |
movdqa xmm1, dqword ptr [esi+10h] |
movdqa xmm2, dqword ptr [esi+20h] |
movdqa xmm3, dqword ptr [esi+30h] |
movdqa dqword ptr [edi], xmm0 |
movdqa dqword ptr [edi+10h], xmm1 |
movdqa dqword ptr [edi+20h], xmm2 |
movdqa dqword ptr [edi+30h], xmm3 |
movdqa xmm4, dqword ptr [esi+40h] |
movdqa xmm5, dqword ptr [esi+50h] |
movdqa xmm6, dqword ptr [esi+60h] |
movdqa xmm7, dqword ptr [esi+70h] |
movdqa dqword ptr [edi+40h], xmm4 |
movdqa dqword ptr [edi+50h], xmm5 |
movdqa dqword ptr [edi+60h], xmm6 |
movdqa dqword ptr [edi+70h], xmm7 |
lea esi, dword ptr [esi+00000080h] |
lea edi, dword ptr [edi+00000080h] |
dec edx |
jne 00007F1FD5239475h |
test ecx, ecx |
je 00007F1FD523951Bh |
mov edx, ecx |
shr edx, 04h |
test edx, edx |
je 00007F1FD52394E9h |
lea ebx, dword ptr [ebx+00000000h] |
movdqa xmm0, dqword ptr [esi] |
movdqa dqword ptr [edi], xmm0 |
lea esi, dword ptr [esi+10h] |
lea edi, dword ptr [edi+10h] |
dec edx |
jne 00007F1FD52394C1h |
and ecx, 0Fh |
je 00007F1FD52394F6h |
mov eax, ecx |
shr ecx, 02h |
je 00007F1FD52394DFh |
mov edx, dword ptr [esi] |
mov dword ptr [edi], edx |
lea esi, dword ptr [esi+04h] |
lea edi, dword ptr [edi+04h] |
dec ecx |
jne 00007F1FD52394C5h |
mov ecx, eax |
and ecx, 00000000h |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2393c | 0xa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2415000 | 0xaa80 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x239dc | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x23400 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x21000 | 0x188 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x1fd70 | 0x1fe00 | f5b5e491efb8ad14df382794e6776642 | False | 0.8540517769607843 | data | 7.709118323604979 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x21000 | 0x3264 | 0x3400 | dc624da186f5daab5640a9131c1c02cb | False | 0.3528395432692308 | data | 4.875662859094191 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x25000 | 0x23efea0 | 0xb400 | b235bffcaa98db9eee9dbe7e6d7e3579 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x2415000 | 0xaa80 | 0xac00 | c848a5b0454368cd4816965a8c11e511 | False | 0.5316815043604651 | data | 5.479127369442671 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x24153a0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Japanese | Japan | 0.5299539170506913 |
RT_ICON | 0x2415a68 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Japanese | Japan | 0.4182572614107884 |
RT_ICON | 0x2418010 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Japanese | Japan | 0.45390070921985815 |
RT_ICON | 0x24184a8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Japanese | Japan | 0.3997867803837953 |
RT_ICON | 0x2419350 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Japanese | Japan | 0.5816787003610109 |
RT_ICON | 0x2419bf8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Japanese | Japan | 0.646889400921659 |
RT_ICON | 0x241a2c0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Japanese | Japan | 0.661849710982659 |
RT_ICON | 0x241a828 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Japanese | Japan | 0.5451244813278008 |
RT_ICON | 0x241cdd0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Japanese | Japan | 0.5970919324577861 |
RT_ICON | 0x241de78 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Japanese | Japan | 0.5713114754098361 |
RT_ICON | 0x241e800 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Japanese | Japan | 0.650709219858156 |
RT_STRING | 0x241ef70 | 0x6c0 | data | Japanese | Japan | 0.42476851851851855 |
RT_STRING | 0x241f630 | 0x23a | Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0 | Japanese | Japan | 0.48947368421052634 |
RT_STRING | 0x241f870 | 0x20e | data | Japanese | Japan | 0.5057034220532319 |
RT_GROUP_ICON | 0x2418478 | 0x30 | data | Japanese | Japan | 0.9375 |
RT_GROUP_ICON | 0x241ec68 | 0x76 | data | Japanese | Japan | 0.6694915254237288 |
RT_VERSION | 0x241ece0 | 0x290 | MS Windows COFF PA-RISC object file | | | 0.5274390243902439 |
DLL | Import |
---|---|
KERNEL32.dll | GetConsoleAliasesLengthW, SetEndOfFile, FindResourceW, CreateDirectoryW, WriteConsoleInputA, VirtualFree, GetWindowsDirectoryA, LoadLibraryW, ReplaceFileW, GetModuleFileNameW, GlobalUnlock, SetLastError, GetProcAddress, LoadLibraryA, IsBadStringPtrW, GlobalGetAtomNameW, EnumResourceTypesW, GetOEMCP, CancelIo, OpenFileMappingW, GetWindowsDirectoryW, RtlUnwind, Sleep, GetStringTypeW, LCMapStringW, RemoveVectoredExceptionHandler, FindResourceA, CreateFileA, LocalAlloc, GetDateFormatW, EnterCriticalSection, LeaveCriticalSection, GetLastError, HeapFree, HeapAlloc, MultiByteToWideChar, HeapReAlloc, GetCommandLineA, HeapSetInformation, GetStartupInfoW, IsProcessorFeaturePresent, RaiseException, HeapCreate, GetModuleHandleW, ExitProcess, DecodePointer, WriteFile, GetStdHandle, EncodePointer, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetCurrentThreadId, SetUnhandledExceptionFilter, GetModuleFileNameA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, UnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, GetCurrentProcess, HeapSize |
USER32.dll | InsertMenuItemW, GetKeyboardLayoutNameW, GetCaretPos, SetMessageExtraInfo, CharUpperBuffW, DdeKeepStringHandle, GetClassInfoW |
GDI32.dll | GetCharWidthW |
ADVAPI32.dll | CopySid, BackupEventLogW |
SHELL32.dll | FindExecutableA |
ole32.dll | CoRevokeClassObject, CoMarshalHresult |
WINHTTP.dll | WinHttpWriteData |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
Japanese | Japan |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Jul 6, 2024 09:07:26.814307928 CEST | 192.168.2.4 | 1.1.1.1 | 0x645b | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Jul 6, 2024 09:07:29.847974062 CEST | 192.168.2.4 | 1.1.1.1 | 0x93a0 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Jul 6, 2024 09:07:46.815073967 CEST | 192.168.2.4 | 1.1.1.1 | 0xf78a | Standard query (0) | MX (Mail exchange) | IN (0x0001) | false | |
Jul 6, 2024 09:07:46.822587967 CEST | 192.168.2.4 | 1.1.1.1 | 0x6477 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Jul 6, 2024 09:07:47.097781897 CEST | 192.168.2.4 | 1.1.1.1 | 0xb5a3 | Standard query (0) | PTR (Pointer record) | IN (0x0001) | false | |
Jul 6, 2024 09:07:58.092180014 CEST | 192.168.2.4 | 1.1.1.1 | 0xa162 | Standard query (0) | PTR (Pointer record) | IN (0x0001) | false | |
Jul 6, 2024 09:08:06.846370935 CEST | 192.168.2.4 | 1.1.1.1 | 0x2ab3 | Standard query (0) | MX (Mail exchange) | IN (0x0001) | false | |
Jul 6, 2024 09:08:06.854772091 CEST | 192.168.2.4 | 1.1.1.1 | 0x541 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Jul 6, 2024 09:08:10.143599987 CEST | 192.168.2.4 | 1.1.1.1 | 0xa3c7 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Jul 6, 2024 09:08:26.877829075 CEST | 192.168.2.4 | 1.1.1.1 | 0x122e | Standard query (0) | MX (Mail exchange) | IN (0x0001) | false | |
Jul 6, 2024 09:08:26.886821032 CEST | 192.168.2.4 | 1.1.1.1 | 0x9e6f | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Jul 6, 2024 09:09:53.381567955 CEST | 192.168.2.4 | 1.1.1.1 | 0xd339 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Jul 6, 2024 09:10:13.643323898 CEST | 192.168.2.4 | 1.1.1.1 | 0x3656 | Standard query (0) | MX (Mail exchange) | IN (0x0001) | false | |
Jul 6, 2024 09:10:13.651390076 CEST | 192.168.2.4 | 1.1.1.1 | 0x12f8 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Jul 6, 2024 09:10:33.674823046 CEST | 192.168.2.4 | 1.1.1.1 | 0x460a | Standard query (0) | MX (Mail exchange) | IN (0x0001) | false | |
Jul 6, 2024 09:10:50.769082069 CEST | 192.168.2.4 | 1.1.1.1 | 0x8d8b | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Jul 6, 2024 09:10:53.675098896 CEST | 192.168.2.4 | 1.1.1.1 | 0xf2dc | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Jul 6, 2024 09:07:26.822060108 CEST | 1.1.1.1 | 192.168.2.4 | 0x645b | No error (0) | 52.101.11.0 | A (IP address) | IN (0x0001) | false | ||
Jul 6, 2024 09:07:26.822060108 CEST | 1.1.1.1 | 192.168.2.4 | 0x645b | No error (0) | 52.101.8.49 | A (IP address) | IN (0x0001) | false | ||
Jul 6, 2024 09:07:26.822060108 CEST | 1.1.1.1 | 192.168.2.4 | 0x645b | No error (0) | 52.101.42.0 | A (IP address) | IN (0x0001) | false | ||
Jul 6, 2024 09:07:26.822060108 CEST | 1.1.1.1 | 192.168.2.4 | 0x645b | No error (0) | 52.101.40.26 | A (IP address) | IN (0x0001) | false | ||
Jul 6, 2024 09:07:29.949486017 CEST | 1.1.1.1 | 192.168.2.4 | 0x93a0 | No error (0) | 195.133.13.231 | A (IP address) | IN (0x0001) | false | ||
Jul 6, 2024 09:07:46.821835995 CEST | 1.1.1.1 | 192.168.2.4 | 0xf78a | No error (0) | MX (Mail exchange) | IN (0x0001) | false | |||
Jul 6, 2024 09:07:46.821835995 CEST | 1.1.1.1 | 192.168.2.4 | 0xf78a | No error (0) | MX (Mail exchange) | IN (0x0001) | false | |||
Jul 6, 2024 09:07:46.821835995 CEST | 1.1.1.1 | 192.168.2.4 | 0xf78a | No error (0) | MX (Mail exchange) | IN (0x0001) | false | |||
Jul 6, 2024 09:07:46.831470966 CEST | 1.1.1.1 | 192.168.2.4 | 0x6477 | No error (0) | 98.136.96.75 | A (IP address) | IN (0x0001) | false | ||
Jul 6, 2024 09:07:46.831470966 CEST | 1.1.1.1 | 192.168.2.4 | 0x6477 | No error (0) | 67.195.228.111 | A (IP address) | IN (0x0001) | false | ||
Jul 6, 2024 09:07:46.831470966 CEST | 1.1.1.1 | 192.168.2.4 | 0x6477 | No error (0) | 67.195.204.74 | A (IP address) | IN (0x0001) | false | ||
Jul 6, 2024 09:07:46.831470966 CEST | 1.1.1.1 | 192.168.2.4 | 0x6477 | No error (0) | 67.195.204.77 | A (IP address) | IN (0x0001) | false | ||
Jul 6, 2024 09:07:46.831470966 CEST | 1.1.1.1 | 192.168.2.4 | 0x6477 | No error (0) | 67.195.228.94 | A (IP address) | IN (0x0001) | false | ||
Jul 6, 2024 09:07:46.831470966 CEST | 1.1.1.1 | 192.168.2.4 | 0x6477 | No error (0) | 67.195.228.106 | A (IP address) | IN (0x0001) | false | ||
Jul 6, 2024 09:07:46.831470966 CEST | 1.1.1.1 | 192.168.2.4 | 0x6477 | No error (0) | 98.136.96.76 | A (IP address) | IN (0x0001) | false | ||
Jul 6, 2024 09:07:46.831470966 CEST | 1.1.1.1 | 192.168.2.4 | 0x6477 | No error (0) | 67.195.204.73 | A (IP address) | IN (0x0001) | false | ||
Jul 6, 2024 09:07:47.104604006 CEST | 1.1.1.1 | 192.168.2.4 | 0xb5a3 | Name error (3) | none | none | PTR (Pointer record) | IN (0x0001) | false | |
Jul 6, 2024 09:07:58.099659920 CEST | 1.1.1.1 | 192.168.2.4 | 0xa162 | Name error (3) | none | none | PTR (Pointer record) | IN (0x0001) | false | |
Jul 6, 2024 09:08:06.854034901 CEST | 1.1.1.1 | 192.168.2.4 | 0x2ab3 | No error (0) | MX (Mail exchange) | IN (0x0001) | false | |||
Jul 6, 2024 09:08:06.862607002 CEST | 1.1.1.1 | 192.168.2.4 | 0x541 | No error (0) | 142.251.173.26 | A (IP address) | IN (0x0001) | false | ||
Jul 6, 2024 09:08:06.862607002 CEST | 1.1.1.1 | 192.168.2.4 | 0x541 | No error (0) | 64.233.184.26 | A (IP address) | IN (0x0001) | false | ||
Jul 6, 2024 09:08:06.862607002 CEST | 1.1.1.1 | 192.168.2.4 | 0x541 | No error (0) | 64.233.184.27 | A (IP address) | IN (0x0001) | false | ||
Jul 6, 2024 09:08:06.862607002 CEST | 1.1.1.1 | 192.168.2.4 | 0x541 | No error (0) | 142.251.173.27 | A (IP address) | IN (0x0001) | false | ||
Jul 6, 2024 09:08:06.862607002 CEST | 1.1.1.1 | 192.168.2.4 | 0x541 | No error (0) | 74.125.206.27 | A (IP address) | IN (0x0001) | false | ||
Jul 6, 2024 09:08:10.295814037 CEST | 1.1.1.1 | 192.168.2.4 | 0xa3c7 | No error (0) | 195.133.13.231 | A (IP address) | IN (0x0001) | false | ||
Jul 6, 2024 09:08:26.885570049 CEST | 1.1.1.1 | 192.168.2.4 | 0x122e | No error (0) | MX (Mail exchange) | IN (0x0001) | false | |||
Jul 6, 2024 09:08:26.894076109 CEST | 1.1.1.1 | 192.168.2.4 | 0x9e6f | No error (0) | 217.69.139.150 | A (IP address) | IN (0x0001) | false | ||
Jul 6, 2024 09:08:26.894076109 CEST | 1.1.1.1 | 192.168.2.4 | 0x9e6f | No error (0) | 94.100.180.31 | A (IP address) | IN (0x0001) | false | ||
Jul 6, 2024 09:09:53.630542994 CEST | 1.1.1.1 | 192.168.2.4 | 0xd339 | No error (0) | 104.47.53.36 | A (IP address) | IN (0x0001) | false | ||
Jul 6, 2024 09:09:53.630542994 CEST | 1.1.1.1 | 192.168.2.4 | 0xd339 | No error (0) | 104.47.54.36 | A (IP address) | IN (0x0001) | false | ||
Jul 6, 2024 09:10:13.650563002 CEST | 1.1.1.1 | 192.168.2.4 | 0x3656 | No error (0) | MX (Mail exchange) | IN (0x0001) | false | |||
Jul 6, 2024 09:10:13.650563002 CEST | 1.1.1.1 | 192.168.2.4 | 0x3656 | No error (0) | MX (Mail exchange) | IN (0x0001) | false | |||
Jul 6, 2024 09:10:13.650563002 CEST | 1.1.1.1 | 192.168.2.4 | 0x3656 | No error (0) | MX (Mail exchange) | IN (0x0001) | false | |||
Jul 6, 2024 09:10:13.658704042 CEST | 1.1.1.1 | 192.168.2.4 | 0x12f8 | No error (0) | 67.195.228.94 | A (IP address) | IN (0x0001) | false | ||
Jul 6, 2024 09:10:13.658704042 CEST | 1.1.1.1 | 192.168.2.4 | 0x12f8 | No error (0) | 67.195.228.106 | A (IP address) | IN (0x0001) | false | ||
Jul 6, 2024 09:10:13.658704042 CEST | 1.1.1.1 | 192.168.2.4 | 0x12f8 | No error (0) | 98.136.96.76 | A (IP address) | IN (0x0001) | false | ||
Jul 6, 2024 09:10:13.658704042 CEST | 1.1.1.1 | 192.168.2.4 | 0x12f8 | No error (0) | 67.195.204.79 | A (IP address) | IN (0x0001) | false | ||
Jul 6, 2024 09:10:13.658704042 CEST | 1.1.1.1 | 192.168.2.4 | 0x12f8 | No error (0) | 98.136.96.77 | A (IP address) | IN (0x0001) | false | ||
Jul 6, 2024 09:10:13.658704042 CEST | 1.1.1.1 | 192.168.2.4 | 0x12f8 | No error (0) | 67.195.228.110 | A (IP address) | IN (0x0001) | false | ||
Jul 6, 2024 09:10:13.658704042 CEST | 1.1.1.1 | 192.168.2.4 | 0x12f8 | No error (0) | 98.136.96.74 | A (IP address) | IN (0x0001) | false | ||
Jul 6, 2024 09:10:13.658704042 CEST | 1.1.1.1 | 192.168.2.4 | 0x12f8 | No error (0) | 67.195.228.111 | A (IP address) | IN (0x0001) | false | ||
Jul 6, 2024 09:10:33.682007074 CEST | 1.1.1.1 | 192.168.2.4 | 0x460a | No error (0) | MX (Mail exchange) | IN (0x0001) | false | |||
Jul 6, 2024 09:10:50.776566982 CEST | 1.1.1.1 | 192.168.2.4 | 0x8d8b | No error (0) | 80.66.75.11 | A (IP address) | IN (0x0001) | false | ||
Jul 6, 2024 09:10:53.825036049 CEST | 1.1.1.1 | 192.168.2.4 | 0xf2dc | No error (0) | 94.100.180.31 | A (IP address) | IN (0x0001) | false | ||
Jul 6, 2024 09:10:53.825036049 CEST | 1.1.1.1 | 192.168.2.4 | 0xf2dc | No error (0) | 217.69.139.150 | A (IP address) | IN (0x0001) | false |
Target ID: | 0 |
Start time: | 03:07:02 |
Start date: | 06/07/2024 |
Path: | C:\Users\user\Desktop\AvDJi40xp_9fyz7RPmKdbxb4.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 235'008 bytes |
MD5 hash: | B40B6B9BD2F7D17A65C72469EE2E2CFA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | false |
Target ID: | 1 |
Start time: | 03:07:06 |
Start date: | 06/07/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x240000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 2 |
Start time: | 03:07:06 |
Start date: | 06/07/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 03:07:07 |
Start date: | 06/07/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 4 |
Start time: | 03:07:07 |
Start date: | 06/07/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 5 |
Start time: | 03:07:07 |
Start date: | 06/07/2024 |
Path: | C:\Windows\SysWOW64\sc.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x6d0000 |
File size: | 61'440 bytes |
MD5 hash: | D9D7684B8431A0D10D0E76FE9F5FFEC8 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 6 |
Start time: | 03:07:08 |
Start date: | 06/07/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 7 |
Start time: | 03:07:08 |
Start date: | 06/07/2024 |
Path: | C:\Windows\SysWOW64\sc.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x6d0000 |
File size: | 61'440 bytes |
MD5 hash: | D9D7684B8431A0D10D0E76FE9F5FFEC8 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 8 |
Start time: | 03:07:08 |
Start date: | 06/07/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 9 |
Start time: | 03:07:09 |
Start date: | 06/07/2024 |
Path: | C:\Windows\SysWOW64\sc.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x6d0000 |
File size: | 61'440 bytes |
MD5 hash: | D9D7684B8431A0D10D0E76FE9F5FFEC8 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 10 |
Start time: | 03:07:09 |
Start date: | 06/07/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 11 |
Start time: | 03:07:09 |
Start date: | 06/07/2024 |
Path: | C:\Windows\SysWOW64\qeuwztgf\lfkidgdf.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 12'696'064 bytes |
MD5 hash: | 1D7112211B0E3F7C2ED96B0897990451 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | true |
Target ID: | 12 |
Start time: | 03:07:09 |
Start date: | 06/07/2024 |
Path: | C:\Windows\SysWOW64\netsh.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1560000 |
File size: | 82'432 bytes |
MD5 hash: | 4E89A1A088BE715D6C946E55AB07C7DF |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 13 |
Start time: | 03:07:09 |
Start date: | 06/07/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 14 |
Start time: | 03:07:15 |
Start date: | 06/07/2024 |
Path: | C:\Windows\SysWOW64\svchost.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x730000 |
File size: | 46'504 bytes |
MD5 hash: | 1ED18311E3DA35942DB37D15FA40CC5B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | moderate |
Has exited: | false |
Execution Graph
Execution Coverage: | 4% |
Dynamic/Decrypted Code Coverage: | 2.2% |
Signature Coverage: | 24.9% |
Total number of Nodes: | 1529 |
Total number of Limit Nodes: | 19 |
Graph
Function 00409A6B Relevance: 98.8, APIs: 48, Strings: 8, Instructions: 799 | string, sleep, registry | COMMON
Function 00409326 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 284 | registry | COMMON
Function 00406A60 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 106 | file | COMMON
Function 0040EC54 Relevance: 4.5, APIs: 3, Instructions: 24 | time | COMMON
Function 02866ECC Relevance: 3.0, APIs: 2, Instructions: 41 | process | COMMON
Function 0040EBCC Relevance: 3.0, APIs: 2, Instructions: 13 | memory | COMMON
Function 004073FF Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 345 | registry | COMMON
Function 0040704C Relevance: 23.1, APIs: 10, Strings: 3, Instructions: 332 | registry | COMMON
Function 0040675C Relevance: 19.7, APIs: 13, Instructions: 199 | file | COMMON
Function 0298003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515 | memory | COMMON
Function 004099D2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54 | string | COMMON
Function 00404000 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35 | sleep, file | COMMON
Function 00403F8C Relevance: 6.0, APIs: 4, Instructions: 46 | file, synchronization | COMMON
Function 004091EB Relevance: 3.1, APIs: 2, Instructions: 119 | sleep | COMMON
Function 02980E0F Relevance: 3.0, APIs: 2, Instructions: 15 | COMMON
Function 00406DC2 Relevance: 1.5, APIs: 1, Instructions: 42 | COMMON
Function 02866B8B Relevance: 1.3, APIs: 1, Instructions: 48 | memory | COMMON
Function 0040C913 Relevance: 113.4, APIs: 45, Strings: 19, Instructions: 1394 | file, string, process | COMMON
Function 00401000 Relevance: 56.2, APIs: 16, Strings: 16, Instructions: 170 | library, loader | COMMON
Function 0040B211 Relevance: 47.4, APIs: 7, Strings: 20, Instructions: 131 | time | COMMON
Function 00407809 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 226 | memory | COMMON
Function 00401280 Relevance: 31.9, APIs: 9, Strings: 9, Instructions: 417 | string | COMMON
Function 00401D96 Relevance: 30.0, APIs: 6, Strings: 11, Instructions: 205 | library, loader | COMMON
Function 00406EDD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52 | memory | COMMON
Function 00408E26 Relevance: 4.6, APIs: 3, Instructions: 63 | file | COMMON
Function 0298092B Relevance: 3.8, Strings: 3, Instructions: 90 | COMMON
Function 004088B0 Relevance: .1, Instructions: 108 | COMMON
Function 028667A9 Relevance: .1, Instructions: 61 | COMMON
Function 02980D90 Relevance: .0, Instructions: 43 | COMMON
Function 02989EA0 Relevance: 59.9, APIs: 28, Strings: 6, Instructions: 421 | string, registry, file | COMMON
Function 02987CFC Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 269 | registry, memory | COMMON
Function 00407A95 Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 269 | registry, memory | COMMON
Function 0040A7C1 Relevance: 38.8, APIs: 8, Strings: 14, Instructions: 299 | network, string | COMMON
Function 02987A70 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 226 | memory | COMMON
Function 00408328 Relevance: 35.4, APIs: 18, Strings: 2, Instructions: 361 | registry | COMMON
Function 0040199C Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 106 | memory, library, loader | COMMON
Function 0298858F Relevance: 28.4, APIs: 14, Strings: 2, Instructions: 361 | registry | COMMON
Function 029814E7 Relevance: 23.2, APIs: 9, Strings: 4, Instructions: 417 | string | COMMON
Function 02987666 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 345 | registry | COMMON
Function 0040AD89 Relevance: 21.1, APIs: 5, Strings: 7, Instructions: 121 | time | COMMON
Function 00402DF2 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 97 | memory, library, network | COMMON
Function 0298958D Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 284 | registry | COMMON
Function 0040BE31 Relevance: 18.2, APIs: 6, Strings: 6, Instructions: 152 | string | COMMON
Function 0040F315 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 103 | network | COMMON
Function 0040C2DC Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 182 | thread | COMMON
Function 02983059 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 97 | memory, library, network | COMMON
Function 00402D21 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 85 | memory, library, string | COMMON
Function 00406CC9 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 84 | library, loader | COMMON
Function 0040977C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 82 | thread, injection, process | COMMON
Function 0298F57C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103 | network | COMMON
Function 02982F88 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 85 | memory, library, string | COMMON
Function 02986F30 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 84 | library, loader | COMMON
Function 029892CB Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83 | file, string | COMMON
Function 00409064 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83 | file, string | COMMON
Function 029899E3 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 82 | thread, injection, process | COMMON
Function 0040E3CA Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 136 | registry | COMMON
Function 02986CC7 Relevance: 10.6, APIs: 7, Instructions: 106 | file | COMMON
Function 0298AA28 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 247 | string | COMMON
Function 0040E8A1 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 172 | string | COMMON
Function 0298E8BB Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 96 | string | COMMON
Function 02986E0E Relevance: 9.1, APIs: 6, Instructions: 84 | COMMON
Function 0298C543 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 182 | thread | COMMON
Function 004080C9 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 146 | registry | COMMON
Function 0298E2FC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92 | registry | COMMON
Function 0040E095 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92 | registry | COMMON
Function 0040AD08 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55 | string, network | COMMON
Function 0298B478 Relevance: 7.6, APIs: 5, Instructions: 131 | time | COMMON
Function 00402923 Relevance: 7.6, APIs: 5, Instructions: 107 | COMMON
Function 0040E654 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 96 | string | COMMON
Function 004026FF Relevance: 7.6, APIs: 5, Instructions: 96 | network | COMMON
Function 0040F26D Relevance: 7.6, APIs: 5, Instructions: 63 | COMMON
Function 00402419 Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 45 | string | COMMON
Function 0298E795 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 111 | file | COMMON
Function 0040E52E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 111 | file | COMMON
Function 00401AC3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 74 | library, loader | COMMON
Function 02987665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68 | registry | COMMON
Function 02989966 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48 | registry | COMMON
Function 004096FF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48 | registry | COMMON
Function 029828EB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20 | network | COMMON
Function 029869C3 Relevance: 6.2, APIs: 4, Instructions: 199 | COMMON
Function 029841F3 Relevance: 6.0, APIs: 4, Instructions: 46filesynchronizationCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0298417F Relevance: 6.0, APIs: 4, Instructions: 46filesynchronizationCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00403F18 Relevance: 6.0, APIs: 4, Instructions: 46filesynchronizationCOMMON
APIs |
Function 0298E036 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 35 string COMMON
Function 0040A4C7 Relevance: 6.0, APIs: 4, Instructions: 27 sleep COMMON
Function 00404E92 Relevance: 6.0, APIs: 4, Instructions: 27 sleep COMMON
Function 00404BD1 Relevance: 6.0, APIs: 4, Instructions: 27 sleep COMMON
Function 004030FA Relevance: 6.0, APIs: 4, Instructions: 23 sleep COMMON
Function 0298E3DE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148 file COMMON
Function 0040E177 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148 file COMMON
Function 02988330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 146 registry COMMON
Function 0298E631 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 136 registry COMMON
Function 0298AFF0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121 time COMMON
Function 02989452 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 119 sleep COMMON
Function 004038F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55 thread COMMON
Function 0040AB81 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44 string COMMON
Function 004026B2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37 network COMMON
Function 00402684 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20 network COMMON
Function 0040EAE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13 library loader COMMON
Function 02983189 Relevance: 5.2, APIs: 4, Instructions: 157 memory COMMON
Function 00402F22 Relevance: 5.2, APIs: 4, Instructions: 157 memory COMMON
Execution Graph
Execution Coverage: 3.3%
Dynamic/Decrypted Code Coverage: 2%
Signature Coverage: 0%
Total number of Nodes: 1538
Total number of Limit Nodes: 13
Function 00409A6B Relevance: 102.3, APIs: 48, Strings: 10, Instructions: 799 string sleep registry COMMON
Function 004073FF Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 345 registry COMMON
Function 0040405E Relevance: 16.7, APIs: 11, Instructions: 203 COMMON
Function 02A7003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515 memory COMMON
Function 0040977C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 82 thread process injection COMMON
Function 00403F8C Relevance: 6.0, APIs: 4, Instructions: 46 file synchronization COMMON
Function 0040EC54 Relevance: 4.5, APIs: 3, Instructions: 24 time COMMON
Function 00406E36 Relevance: 3.1, APIs: 2, Instructions: 51 COMMON
Function 02A70E0F Relevance: 3.0, APIs: 2, Instructions: 15 COMMON
Function 00406DC2 Relevance: 1.5, APIs: 1, Instructions: 42 COMMON
Function 02AB1844 Relevance: 1.5, APIs: 1, Instructions: 41 COMMON
Function 00409892 Relevance: 1.5, APIs: 1, Instructions: 23 COMMON
Function 02AB1503 Relevance: 1.3, APIs: 1, Instructions: 48 memory COMMON
Function 004098F2 Relevance: 1.3, APIs: 1, Instructions: 37 sleep COMMON
Function 02A79EA0 Relevance: 59.9, APIs: 28, Strings: 6, Instructions: 421 string registry file COMMON
Function 00401000 Relevance: 56.2, APIs: 16, Strings: 16, Instructions: 170 library loader COMMON
Function 0040B211 Relevance: 47.4, APIs: 7, Strings: 20, Instructions: 131 time COMMON
Function 00407A95 Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 269 registry memory COMMON
Function 02A77CFC Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 269 registry memory COMMON
Function 0040A7C1 Relevance: 38.8, APIs: 8, Strings: 14, Instructions: 299 network string COMMON
Function 00407809 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 226 memory COMMON
Function 02A77A70 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 226 memory COMMON
Function 00408328 Relevance: 35.4, APIs: 18, Strings: 2, Instructions: 361 registry COMMON
Function 00401280 Relevance: 31.9, APIs: 9, Strings: 9, Instructions: 417 string COMMON
Function 00401D96 Relevance: 30.0, APIs: 6, Strings: 11, Instructions: 205 library loader COMMON
Function 0040199C Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 106 memory library loader COMMON
Function 02A7858F Relevance: 28.4, APIs: 14, Strings: 2, Instructions: 361 registry COMMON
Function 02A714E7 Relevance: 23.2, APIs: 9, Strings: 4, Instructions: 417 string COMMON
Function 02A77666 Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 345 registry COMMON
Function 0040704C Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 332 registry COMMON
Function 00409326 Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 284 registry COMMON
Function 0040AD89 Relevance: 21.1, APIs: 5, Strings: 7, Instructions: 121 time COMMON
Function 00402DF2 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 97 memory library network COMMON
Function 0040675C Relevance: 19.7, APIs: 13, Instructions: 199 file COMMON
Function 0040F315 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 103 network COMMON
Function 0040C2DC Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 182 thread COMMON
Function 02A73059 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 97 memory library network COMMON
Function 00402D21 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 85 memory library string COMMON
Function 0040BE31 Relevance: 13.7, APIs: 6, Strings: 3, Instructions: 152 string COMMON
Function 00406A60 Relevance: 13.6, APIs: 9, Instructions: 106 file COMMON
Function 02A7F57C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103 network COMMON
Function 02A72F88 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 85 memory library string COMMON
Function 00406CC9 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 84 library loader COMMON
Function 02A799E3 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 82 thread injection process COMMON
Function 02A76CC7 Relevance: 10.6, APIs: 7, Instructions: 106 file COMMON
Function 02A76F30 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 84 library loader COMMON
Function 02A7AA28 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 247 string COMMON
Function 0040E8A1 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 172 string COMMON
Function 02A7E8BB Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 96 string COMMON
Function 00406BA7 Relevance: 9.1, APIs: 6, Instructions: 84 COMMON
Function 02A76E0E Relevance: 9.1, APIs: 6, Instructions: 84 COMMON
Function 02A7C543 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 182 thread COMMON
Function 004080C9 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 146 registry COMMON
Function 0040AD08 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55 string network COMMON
Function 02A7B478 Relevance: 7.6, APIs: 5, Instructions: 131 time COMMON
Function 00404280 Relevance: 7.6, APIs: 5, Instructions: 124 COMMON
Function 00402923 Relevance: 7.6, APIs: 5, Instructions: 107 COMMON
Function 0040E654 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 96 string COMMON
Function 004026FF Relevance: 7.6, APIs: 5, Instructions: 96 network COMMON
Function 0040F26D Relevance: 7.6, APIs: 5, Instructions: 63 COMMON
Function 00409145 Relevance: 7.6, APIs: 5, Instructions: 56 COMMON
Function 02A793AC Relevance: 7.6, APIs: 5, Instructions: 56 COMMON
Function 00402419 Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 45 string COMMON
Function 00401AC3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 74 library loader COMMON
Function 00406EDD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52 memory COMMON
Function 02A728EB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20 network COMMON
Function 02A769C3 Relevance: 6.2, APIs: 4, Instructions: 199 COMMON
Function 00403F18 Relevance: 6.0, APIs: 4, Instructions: 46 file synchronization COMMON
Function 02A741F3 Relevance: 6.0, APIs: 4, Instructions: 46 file synchronization COMMON
Function 02A7417F Relevance: 6.0, APIs: 4, Instructions: 46 file synchronization COMMON
Function 02A7E036 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 35 string COMMON
Function 0040A4C7 Relevance: 6.0, APIs: 4, Instructions: 27 sleep COMMON
Function 00404E92 Relevance: 6.0, APIs: 4, Instructions: 27 sleep COMMON
Function 00404BD1 Relevance: 6.0, APIs: 4, Instructions: 27 sleep COMMON
Function 004030FA Relevance: 6.0, APIs: 4, Instructions: 23 sleep COMMON
Function 02A78330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 146 registry COMMON
Function 02A7AFF0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121 time COMMON
Function 02A79452 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 119 sleep COMMON
Function 004038F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55 thread COMMON
Function 0040AB81 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44 string COMMON
Function 004026B2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37 network COMMON
Function 00402684 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20 network COMMON
Function 0040EAE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13 library loader COMMON
Function 00402F22 Relevance: 5.2, APIs: 4, Instructions: 157 memory COMMON
Function 02A73189 Relevance: 5.2, APIs: 4, Instructions: 157 memory COMMON
Execution Graph
Execution Coverage: 15.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0.7%
Total number of Nodes: 1807
Total number of Limit Nodes: 18
Function 02B0C913 Relevance: 113.4, APIs: 45, Strings: 19, Instructions: 1397 file string process COMMON
Function 02B09A6B Relevance: 100.5, APIs: 48, Strings: 9, Instructions: 799 string sleep registry COMMON
Function 02B0199C Relevance: 35.1, APIs: 14, Strings: 6, Instructions: 106 memory library loader COMMON
Function 02B07A95 Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 269 registry memory COMMON
Function 02B07809 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 226 memory COMMON
Function 02B08328 Relevance: 35.4, APIs: 18, Strings: 2, Instructions: 361 registry COMMON
Function 02B01D96 Relevance: 30.0, APIs: 6, Strings: 11, Instructions: 205 library loader COMMON
Function 02B073FF Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 345 registry COMMON
Function 02B0675C Relevance: 19.7, APIs: 13, Instructions: 199 file COMMON
Function 02B0F315 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 103 network COMMON
Function 02B0405E Relevance: 16.7, APIs: 11, Instructions: 203 COMMON
Function 02B02D21 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 85 memory library string COMMON
Function 02B080C9 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 146 registry COMMON
Function 02B01AC3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 74 library loader COMMON
Function 02B0F26D Relevance: 7.6, APIs: 5, Instructions: 63 COMMON
Function 02B02684 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20 network COMMON
Function 02B0E52E Relevance: 4.6, APIs: 3, Instructions: 111 file COMMON
Function 02B0877E Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 100 sleep COMMON
Function 02B0EC54 Relevance: 4.5, APIs: 3, Instructions: 24 time COMMON
Function 02B030B5 Relevance: 3.0, APIs: 2, Instructions: 29 network COMMON
Function 02B0EBED Relevance: 3.0, APIs: 2, Instructions: 27 memory COMMON
Function 02B0EC2E Relevance: 3.0, APIs: 2, Instructions: 14 memory COMMON LIBRARYCODE
Function 02B0EBCC Relevance: 3.0, APIs: 2, Instructions: 13 memory COMMON
Function 02B0F43E Relevance: 1.5, APIs: 1, Instructions: 33 network COMMON
Function 02B01978 Relevance: 1.5, APIs: 1, Instructions: 16 COMMON
Function 02B0DD84 Relevance: 1.3, APIs: 1, Instructions: 31 string COMMON
Function 02B01000 Relevance: 56.2, APIs: 16, Strings: 16, Instructions: 170 library loader COMMON
Function 02B0B211 Relevance: 47.4, APIs: 7, Strings: 20, Instructions: 131 time COMMON
Function 02B0A7C1 Relevance: 40.5, APIs: 8, Strings: 15, Instructions: 299 network string COMMON
Function 02B01280 Relevance: 31.9, APIs: 9, Strings: 9, Instructions: 417 string COMMON
Function 02B0704C Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 332 registry COMMON
Function 02B0AD89 Relevance: 21.1, APIs: 5, Strings: 7, Instructions: 121 time COMMON
Function 02B02DF2 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 97 memory library network COMMON
Function 02B09326 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 284 registry COMMON
Function 02B0C2DC Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 182 thread COMMON
Function 02B0BE31 Relevance: 13.7, APIs: 6, Strings: 3, Instructions: 152 string COMMON
Function 02B06A60 Relevance: 13.6, APIs: 9, Instructions: 106 file COMMON
Function 02B06CC9 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 84 library loader COMMON
Function 02B0977C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 82 thread injection process COMMON
Function 02B0E8A1 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 172 string COMMON
Function 02B06BA7 Relevance: 9.1, APIs: 6, Instructions: 84 COMMON
Function 02B0AD08 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55 string network COMMON
Function 02B04280 Relevance: 7.6, APIs: 5, Instructions: 124 COMMON
Function 02B02923 Relevance: 7.6, APIs: 5, Instructions: 107 COMMON
Function 02B026FF Relevance: 7.6, APIs: 5, Instructions: 96 network COMMON
Function 02B09145 Relevance: 7.6, APIs: 5, Instructions: 56 COMMON
Function 02B02419 Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 45 string COMMON
Function 02B0E654 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96 string COMMON
Function 02B03F8C Relevance: 6.0, APIs: 4, Instructions: 46 file synchronization COMMON
Function 02B03F18 Relevance: 6.0, APIs: 4, Instructions: 46 file synchronization COMMON
Function 02B04E92 Relevance: 6.0, APIs: 4, Instructions: 27 sleep COMMON
Function 02B0A4C7 Relevance: 6.0, APIs: 4, Instructions: 27 sleep COMMON
Function 02B04BD1 Relevance: 6.0, APIs: 4, Instructions: 27 sleep COMMON
Function 02B030FA Relevance: 6.0, APIs: 4, Instructions: 23 sleep COMMON
Function 02B026B2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37 network COMMON
Function 02B0EAE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13 library loader COMMON
Function 02B02F22 Relevance: 5.2, APIs: 4, Instructions: 157 memory COMMON