Windows
Analysis Report
LisectAVT_2403002B_136.dll
Overview
General Information
Detection
Score: | 84 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- loaddll32.exe (PID: 7972, cmdline: `loaddll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_136.dll"`, MD5: 51E6071F9CBA48E79F10C84515AAE618)
- conhost.exe (PID: 7988, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 8064, cmdline: `cmd.exe /C rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_136.dll",#1`, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- rundll32.exe (PID: 8088, cmdline: `rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_136.dll",#1`, MD5: 889B99C52A60DD49227C5E485A016679)
- regsvr32.exe (PID: 8172, cmdline: `C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Ppgilxcknb\mvrgiaq.kja"`, MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
- regsvr32.exe (PID: 8080, cmdline: `regsvr32.exe /s C:\Users\user\Desktop\LisectAVT_2403002B_136.dll`, MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
- rundll32.exe (PID: 8096, cmdline: `rundll32.exe C:\Users\user\Desktop\LisectAVT_2403002B_136.dll,DllRegisterServer`, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7232, cmdline: `rundll32.exe C:\Users\user\Desktop\LisectAVT_2403002B_136.dll,DllUnregisterServer`, MD5: 889B99C52A60DD49227C5E485A016679)
- svchost.exe (PID: 8124, cmdline: `C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager`, MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Emotet | While Emotet historically was a banking trojan organized in a botnet, nowadays Emotet is mostly seen as infrastructure-as-a-service for content delivery. For example, since mid-2018 it has been used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets. It always steals information from victims, but what the criminal gang behind it did was to open up another business channel by selling their infrastructure to deliver additional malicious software. Malware analysts have classified it into epochs depending on command and control, payloads, and delivery solutions, which change over time. Emotet was taken down by authorities in January 2021, though it appears to have sprung back to life in November 2021. | | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | |
| Windows_Trojan_Emotet_18379a8d | unknown | unknown | |
| Windows_Trojan_Emotet_1943bbf2 | unknown | unknown | |
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | |
| Windows_Trojan_Emotet_18379a8d | unknown | unknown | |
(5 of 19 entries shown)
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | |
| Windows_Trojan_Emotet_18379a8d | unknown | unknown | |
| Windows_Trojan_Emotet_1943bbf2 | unknown | unknown | |
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | |
| Windows_Trojan_Emotet_18379a8d | unknown | unknown | |
(5 of 31 entries shown)
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Dmitriy Lifanov, oscd.community: |
Source: | Author: vburov: |
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype |
---|---|---|---|---|---|
2024-07-25T17:49:37.808834+0200 | 2022930 | 443 | 49709 | TCP | A Network Trojan was detected |
2024-07-25T17:50:37.612947+0200 | 2028765 | 49716 | 7080 | TCP | Unknown Traffic |
2024-07-25T17:49:54.174083+0200 | 2028765 | 49708 | 8080 | TCP | Unknown Traffic |
2024-07-25T17:50:17.475731+0200 | 2022930 | 443 | 49714 | TCP | A Network Trojan was detected |
2024-07-25T17:51:20.487949+0200 | 2028765 | 49719 | 80 | TCP | Unknown Traffic |
AV Detection |
---|
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Code function: | 4_2_6D61172E | |
Source: | Code function: | 4_2_6D61D098 | |
Source: | Code function: | 5_2_6D61172E | |
Source: | Code function: | 5_2_6D61D098 | |
Source: | Code function: | 7_2_100227C2 |
Source: | Code function: | 4_2_6D5FFC12 |
Networking |
---|
Source: | IPs: | (45 entries) |
Source: | Network traffic detected: |
Source: | TCP traffic: | (2 entries) |
Source: | IP Address: | (3 entries) |
Source: | ASN Name: | (3 entries) |
Source: | TCP traffic detected without corresponding DNS query: | (38 entries) |
Source: | Code function: | 4_2_6D61A53D |
Source: | String found in binary or memory: | (24 entries) |
Source: | Code function: | 4_2_6D61DB05 |
Source: | Code function: | 4_2_6D60A4E0 | |
Source: | Code function: | 4_2_6D62BA72 | |
Source: | Code function: | 4_2_6D6297EF | |
Source: | Code function: | 5_2_6D60A4E0 | |
Source: | Code function: | 5_2_6D62BA72 | |
Source: | Code function: | 5_2_6D6297EF |
E-Banking Fraud |
---|
Source: | File source: | (20 entries) |
System Summary |
---|
Source: | Matched rule: | (40 entries) |
Source: | Code function: | 4_2_6D6001FE | |
Source: | Code function: | 4_2_6D5FFC12 | |
Source: | Code function: | 4_2_6D5FFB8F | |
Source: | Code function: | 4_2_6D5FF510 | |
Source: | Code function: | 5_2_6D6001FE | |
Source: | Code function: | 5_2_6D5FFC12 | |
Source: | Code function: | 5_2_6D5FFB8F | |
Source: | Code function: | 5_2_6D5FF510 |
Source: | File created: | (3 entries) |
Source: | File deleted: |
Source: | Code function: | 4_2_6D640DC1 | |
Source: | Code function: | 4_2_6D62ED99 | |
Source: | Code function: | 4_2_6D63EB49 | |
Source: | Code function: | 4_2_6D6025F0 | |
Source: | Code function: | 4_2_6D63FCC9 | |
Source: | Code function: | 4_2_6D60BF21 | |
Source: | Code function: | 4_2_6D62FE6E | |
Source: | Code function: | 4_2_6D62FA4E | |
Source: | Code function: | 4_2_6D63F5D1 | |
Source: | Code function: | 4_2_6D62F642 | |
Source: | Code function: | 4_2_6D613699 | |
Source: | Code function: | 4_2_6D635195 | |
Source: | Code function: | 4_2_6D63F08D | |
Source: | Code function: | 4_2_6D62F26E | |
Source: | Code function: | 4_2_1000303A | |
Source: | Code function: | 4_2_100050CF | |
Source: | Code function: | 4_2_1001D15E | |
Source: | Code function: | 4_2_10021E49 | |
Source: | Code function: | 4_2_10018131 | |
Source: | Code function: | 4_2_1001416E | |
Source: | Code function: | 4_2_100082D2 | |
Source: | Code function: | 4_2_10008844 | |
Source: | Code function: | 4_2_1000A9CF | |
Source: | Code function: | 4_2_10004B40 | |
Source: | Code function: | 4_2_10020E7A | |
Source: | Code function: | 4_2_10008FE9 | |
Source: | Code function: | 4_2_10007013 | |
Source: | Code function: | 4_2_10019054 | |
Source: | Code function: | 4_2_10013094 | |
Source: | Code function: | 4_2_10017098 | |
Source: | Code function: | 4_2_1001519C | |
Source: | Code function: | 4_2_100071E3 | |
Source: | Code function: | 4_2_10013231 | |
Source: | Code function: | 4_2_10019285 | |
Source: | Code function: | 4_2_10009343 | |
Source: | Code function: | 4_2_100213A3 | |
Source: | Code function: | 4_2_1001D4AE | |
Source: | Code function: | 4_2_1000D4BC | |
Source: | Code function: | 4_2_1000958A | |
Source: | Code function: | 4_2_100135A3 | |
Source: | Code function: | 4_2_1001F5D9 | |
Source: | Code function: | 4_2_1000364E | |
Source: | Code function: | 4_2_10017730 | |
Source: | Code function: | 4_2_10007761 | |
Source: | Code function: | 4_2_100117D2 | |
Source: | Code function: | 4_2_1001F7F4 | |
Source: | Code function: | 4_2_1000186B | |
Source: | Code function: | 4_2_1000188C | |
Source: | Code function: | 4_2_10013983 | |
Source: | Code function: | 4_2_1001F9AF | |
Source: | Code function: | 4_2_10021A0A | |
Source: | Code function: | 4_2_10019A0C | |
Source: | Code function: | 4_2_10001A5F | |
Source: | Code function: | 4_2_1001FAD1 | |
Source: | Code function: | 4_2_1000BB14 | |
Source: | Code function: | 4_2_10011B29 | |
Source: | Code function: | 4_2_10017B9E | |
Source: | Code function: | 4_2_10009C1B | |
Source: | Code function: | 4_2_1001BD63 | |
Source: | Code function: | 4_2_10001DCA | |
Source: | Code function: | 4_2_10017E3D | |
Source: | Code function: | 4_2_10013E89 | |
Source: | Code function: | 4_2_1001FECB | |
Source: | Code function: | 4_2_1001DF2B | |
Source: | Code function: | 4_2_10003F5A | |
Source: | Code function: | 4_2_10021FC7 | |
Source: | Code function: | 4_2_1001604B | |
Source: | Code function: | 4_2_1000806B | |
Source: | Code function: | 4_2_1000C151 | |
Source: | Code function: | 4_2_1001E168 | |
Source: | Code function: | 4_2_100022F7 | |
Source: | Code function: | 4_2_10004313 | |
Source: | Code function: | 4_2_100223B9 | |
Source: | Code function: | 4_2_1000A4DE | |
Source: | Code function: | 4_2_1000C4E5 | |
Source: | Code function: | 4_2_1000E4F5 | |
Source: | Code function: | 4_2_10010503 | |
Source: | Code function: | 4_2_1001E5ED | |
Source: | Code function: | 4_2_100205F6 | |
Source: | Code function: | 4_2_1000E65A | |
Source: | Code function: | 4_2_1001A683 | |
Source: | Code function: | 4_2_100166C8 | |
Source: | Code function: | 4_2_100186EE | |
Source: | Code function: | 4_2_10002710 | |
Source: | Code function: | 4_2_10012783 | |
Source: | Code function: | 4_2_1001490E | |
Source: | Code function: | 4_2_1001A916 | |
Source: | Code function: | 4_2_10018966 | |
Source: | Code function: | 4_2_10016998 | |
Source: | Code function: | 4_2_10020A01 | |
Source: | Code function: | 4_2_1000CA3C | |
Source: | Code function: | 4_2_10012B1F | |
Source: | Code function: | 4_2_1000ED0A | |
Source: | Code function: | 4_2_1000CDE0 | |
Source: | Code function: | 4_2_10014E54 | |
Source: | Code function: | 4_2_10016E97 | |
Source: | Code function: | 4_2_1000AEBB | |
Source: | Code function: | 4_2_1001EEC2 | |
Source: | Code function: | 4_2_10018EF8 | |
Source: | Code function: | 4_2_1001AF0B | |
Source: | Code function: | 4_2_10002F36 | |
Source: | Code function: | 4_2_1001CFA0 | |
Source: | Code function: | 5_2_6D640DC1 | |
Source: | Code function: | 5_2_6D62ED99 | |
Source: | Code function: | 5_2_6D63EB49 | |
Source: | Code function: | 5_2_6D6025F0 | |
Source: | Code function: | 5_2_6D63FCC9 | |
Source: | Code function: | 5_2_6D60BF21 | |
Source: | Code function: | 5_2_6D62FE6E | |
Source: | Code function: | 5_2_6D62FA4E | |
Source: | Code function: | 5_2_6D63F5D1 | |
Source: | Code function: | 5_2_6D62F642 | |
Source: | Code function: | 5_2_6D613699 | |
Source: | Code function: | 5_2_6D635195 | |
Source: | Code function: | 5_2_6D63F08D | |
Source: | Code function: | 5_2_6D62F26E | |
Source: | Code function: | 5_2_1000303A | |
Source: | Code function: | 5_2_100050CF | |
Source: | Code function: | 5_2_100213A3 | |
Source: | Code function: | 5_2_1000364E | |
Source: | Code function: | 5_2_100117D2 | |
Source: | Code function: | 5_2_10021E49 | |
Source: | Code function: | 5_2_1001FECB | |
Source: | Code function: | 5_2_10018131 | |
Source: | Code function: | 5_2_1001416E | |
Source: | Code function: | 5_2_100082D2 | |
Source: | Code function: | 5_2_10008844 | |
Source: | Code function: | 5_2_1000A9CF | |
Source: | Code function: | 5_2_10004B40 | |
Source: | Code function: | 5_2_10014E54 | |
Source: | Code function: | 5_2_10020E7A | |
Source: | Code function: | 5_2_10008FE9 | |
Source: | Code function: | 5_2_10007013 | |
Source: | Code function: | 5_2_10019054 | |
Source: | Code function: | 5_2_10013094 | |
Source: | Code function: | 5_2_10017098 | |
Source: | Code function: | 5_2_1001D15E | |
Source: | Code function: | 5_2_1001519C | |
Source: | Code function: | 5_2_100071E3 | |
Source: | Code function: | 5_2_10013231 | |
Source: | Code function: | 5_2_10019285 | |
Source: | Code function: | 5_2_10009343 | |
Source: | Code function: | 5_2_1001D4AE | |
Source: | Code function: | 5_2_1000D4BC | |
Source: | Code function: | 5_2_1000958A | |
Source: | Code function: | 5_2_100135A3 | |
Source: | Code function: | 5_2_1001F5D9 | |
Source: | Code function: | 5_2_10017730 | |
Source: | Code function: | 5_2_10007761 | |
Source: | Code function: | 5_2_1001F7F4 | |
Source: | Code function: | 5_2_1000186B | |
Source: | Code function: | 5_2_1000188C | |
Source: | Code function: | 5_2_10013983 | |
Source: | Code function: | 5_2_1001F9AF | |
Source: | Code function: | 5_2_10021A0A | |
Source: | Code function: | 5_2_10019A0C | |
Source: | Code function: | 5_2_10001A5F | |
Source: | Code function: | 5_2_1001FAD1 | |
Source: | Code function: | 5_2_1000BB14 | |
Source: | Code function: | 5_2_10011B29 | |
Source: | Code function: | 5_2_10017B9E | |
Source: | Code function: | 5_2_10009C1B | |
Source: | Code function: | 5_2_1001BD63 | |
Source: | Code function: | 5_2_10001DCA | |
Source: | Code function: | 5_2_10017E3D | |
Source: | Code function: | 5_2_10013E89 | |
Source: | Code function: | 5_2_1001DF2B | |
Source: | Code function: | 5_2_10003F5A | |
Source: | Code function: | 5_2_10021FC7 | |
Source: | Code function: | 5_2_1001604B | |
Source: | Code function: | 5_2_1000806B | |
Source: | Code function: | 5_2_1000C151 | |
Source: | Code function: | 5_2_1001E168 | |
Source: | Code function: | 5_2_100022F7 | |
Source: | Code function: | 5_2_10004313 | |
Source: | Code function: | 5_2_100223B9 | |
Source: | Code function: | 5_2_1000A4DE | |
Source: | Code function: | 5_2_1000C4E5 | |
Source: | Code function: | 5_2_1000E4F5 | |
Source: | Code function: | 5_2_10010503 | |
Source: | Code function: | 5_2_1001E5ED | |
Source: | Code function: | 5_2_100205F6 | |
Source: | Code function: | 5_2_1000E65A | |
Source: | Code function: | 5_2_1001A683 | |
Source: | Code function: | 5_2_100166C8 | |
Source: | Code function: | 5_2_100186EE | |
Source: | Code function: | 5_2_10002710 | |
Source: | Code function: | 5_2_10012783 | |
Source: | Code function: | 5_2_1001490E | |
Source: | Code function: | 5_2_1001A916 | |
Source: | Code function: | 5_2_10018966 | |
Source: | Code function: | 5_2_10016998 | |
Source: | Code function: | 5_2_10020A01 | |
Source: | Code function: | 5_2_1000CA3C | |
Source: | Code function: | 5_2_10012B1F | |
Source: | Code function: | 5_2_1000ED0A | |
Source: | Code function: | 5_2_1000CDE0 | |
Source: | Code function: | 5_2_10016E97 | |
Source: | Code function: | 5_2_1000AEBB | |
Source: | Code function: | 5_2_1001EEC2 | |
Source: | Code function: | 5_2_10018EF8 | |
Source: | Code function: | 5_2_1001AF0B | |
Source: | Code function: | 5_2_10002F36 | |
Source: | Code function: | 5_2_1001CFA0 | |
Source: | Code function: | 6_2_1000303A | |
Source: | Code function: | 6_2_10008844 | |
Source: | Code function: | 6_2_10021E49 | |
Source: | Code function: | 6_2_10020E7A | |
Source: | Code function: | 6_2_100050CF | |
Source: | Code function: | 6_2_100082D2 | |
Source: | Code function: | 6_2_10018131 | |
Source: | Code function: | 6_2_10004B40 | |
Source: | Code function: | 6_2_1001D15E | |
Source: | Code function: | 6_2_1001416E | |
Source: | Code function: | 6_2_1000A9CF | |
Source: | Code function: | 6_2_10008FE9 | |
Source: | Code function: | 6_2_10020A01 | |
Source: | Code function: | 6_2_10021A0A | |
Source: | Code function: | 6_2_10019A0C | |
Source: | Code function: | 6_2_10007013 | |
Source: | Code function: | 6_2_10009C1B | |
Source: | Code function: | 6_2_10013231 | |
Source: | Code function: | 6_2_10017E3D | |
Source: | Code function: | 6_2_1000CA3C | |
Source: | Code function: | 6_2_1001604B | |
Source: | Code function: | 6_2_1000364E | |
Source: | Code function: | 6_2_10019054 | |
Source: | Code function: | 6_2_10014E54 | |
Source: | Code function: | 6_2_1000E65A | |
Source: | Code function: | 6_2_10001A5F | |
Source: | Code function: | 6_2_1000806B | |
Source: | Code function: | 6_2_1000186B | |
Source: | Code function: | 6_2_1001A683 | |
Source: | Code function: | 6_2_10019285 | |
Source: | Code function: | 6_2_10013E89 | |
Source: | Code function: | 6_2_1000188C | |
Source: | Code function: | 6_2_10013094 | |
Source: | Code function: | 6_2_10016E97 | |
Source: | Code function: | 6_2_10017098 | |
Source: | Code function: | 6_2_1001D4AE | |
Source: | Code function: | 6_2_1000AEBB | |
Source: | Code function: | 6_2_1000D4BC | |
Source: | Code function: | 6_2_1001EEC2 | |
Source: | Code function: | 6_2_100166C8 | |
Source: | Code function: | 6_2_1001FECB | |
Source: | Code function: | 6_2_1001FAD1 | |
Source: | Code function: | 6_2_1000A4DE | |
Source: | Code function: | 6_2_1000C4E5 | |
Source: | Code function: | 6_2_100186EE | |
Source: | Code function: | 6_2_1000E4F5 | |
Source: | Code function: | 6_2_100022F7 | |
Source: | Code function: | 6_2_10018EF8 | |
Source: | Code function: | 6_2_10010503 | |
Source: | Code function: | 6_2_1001AF0B | |
Source: | Code function: | 6_2_1000ED0A | |
Source: | Code function: | 6_2_1001490E | |
Source: | Code function: | 6_2_10002710 | |
Source: | Code function: | 6_2_10004313 | |
Source: | Code function: | 6_2_1000BB14 | |
Source: | Code function: | 6_2_1001A916 | |
Source: | Code function: | 6_2_10012B1F | |
Source: | Code function: | 6_2_10011B29 | |
Source: | Code function: | 6_2_1001DF2B | |
Source: | Code function: | 6_2_10017730 | |
Source: | Code function: | 6_2_10002F36 | |
Source: | Code function: | 6_2_10009343 | |
Source: | Code function: | 6_2_1000C151 | |
Source: | Code function: | 6_2_10003F5A | |
Source: | Code function: | 6_2_10007761 | |
Source: | Code function: | 6_2_1001BD63 | |
Source: | Code function: | 6_2_10018966 | |
Source: | Code function: | 6_2_1001E168 | |
Source: | Code function: | 6_2_10013983 | |
Source: | Code function: | 6_2_10012783 | |
Source: | Code function: | 6_2_1000958A | |
Source: | Code function: | 6_2_10016998 | |
Source: | Code function: | 6_2_1001519C | |
Source: | Code function: | 6_2_10017B9E | |
Source: | Code function: | 6_2_100213A3 | |
Source: | Code function: | 6_2_1001CFA0 | |
Source: | Code function: | 6_2_100135A3 | |
Source: | Code function: | 6_2_1001F9AF | |
Source: | Code function: | 6_2_100223B9 | |
Source: | Code function: | 6_2_10021FC7 | |
Source: | Code function: | 6_2_10001DCA | |
Source: | Code function: | 6_2_100117D2 | |
Source: | Code function: | 6_2_1001F5D9 | |
Source: | Code function: | 6_2_1000CDE0 | |
Source: | Code function: | 6_2_100071E3 | |
Source: | Code function: | 6_2_1001E5ED | |
Source: | Code function: | 6_2_100205F6 | |
Source: | Code function: | 6_2_1001F7F4 | |
Source: | Code function: | 7_2_1000303A | |
Source: | Code function: | 7_2_10008844 | |
Source: | Code function: | 7_2_10021E49 | |
Source: | Code function: | 7_2_10020E7A | |
Source: | Code function: | 7_2_10013094 | |
Source: | Code function: | 7_2_10017098 | |
Source: | Code function: | 7_2_1001EEC2 | |
Source: | Code function: | 7_2_100050CF | |
Source: | Code function: | 7_2_1001FAD1 | |
Source: | Code function: | 7_2_100186EE | |
Source: | Code function: | 7_2_10010503 | |
Source: | Code function: | 7_2_1001AF0B | |
Source: | Code function: | 7_2_1000ED0A | |
Source: | Code function: | 7_2_10002710 | |
Source: | Code function: | 7_2_10004313 | |
Source: | Code function: | 7_2_10003F5A | |
Source: | Code function: | 7_2_1001BD63 | |
Source: | Code function: | 7_2_10018966 | |
Source: | Code function: | 7_2_1001E168 | |
Source: | Code function: | 7_2_1001416E | |
Source: | Code function: | 7_2_10016998 | |
Source: | Code function: | 7_2_10021FC7 | |
Source: | Code function: | 7_2_1000A9CF | |
Source: | Code function: | 7_2_100117D2 | |
Source: | Code function: | 7_2_10020A01 | |
Source: | Code function: | 7_2_10021A0A | |
Source: | Code function: | 7_2_10019A0C | |
Source: | Code function: | 7_2_10007013 | |
Source: | Code function: | 7_2_10009C1B | |
Source: | Code function: | 7_2_10013231 | |
Source: | Code function: | 7_2_10017E3D | |
Source: | Code function: | 7_2_1000CA3C | |
Source: | Code function: | 7_2_1001604B | |
Source: | Code function: | 7_2_1000364E | |
Source: | Code function: | 7_2_10019054 | |
Source: | Code function: | 7_2_10014E54 | |
Source: | Code function: | 7_2_1000E65A | |
Source: | Code function: | 7_2_10001A5F | |
Source: | Code function: | 7_2_1000806B | |
Source: | Code function: | 7_2_1000186B | |
Source: | Code function: | 7_2_1001A683 | |
Source: | Code function: | 7_2_10019285 | |
Source: | Code function: | 7_2_10013E89 | |
Source: | Code function: | 7_2_1000188C | |
Source: | Code function: | 7_2_10016E97 | |
Source: | Code function: | 7_2_1001D4AE | |
Source: | Code function: | 7_2_1000AEBB | |
Source: | Code function: | 7_2_1000D4BC | |
Source: | Code function: | 7_2_100166C8 | |
Source: | Code function: | 7_2_1001FECB | |
Source: | Code function: | 7_2_100082D2 | |
Source: | Code function: | 7_2_1000A4DE | |
Source: | Code function: | 7_2_1000C4E5 | |
Source: | Code function: | 7_2_1000E4F5 | |
Source: | Code function: | 7_2_100022F7 | |
Source: | Code function: | 7_2_10018EF8 | |
Source: | Code function: | 7_2_1001490E | |
Source: | Code function: | 7_2_1000BB14 | |
Source: | Code function: | 7_2_1001A916 | |
Source: | Code function: | 7_2_10012B1F | |
Source: | Code function: | 7_2_10011B29 | |
Source: | Code function: | 7_2_1001DF2B | |
Source: | Code function: | 7_2_10018131 | |
Source: | Code function: | 7_2_10017730 | |
Source: | Code function: | 7_2_10002F36 | |
Source: | Code function: | 7_2_10004B40 | |
Source: | Code function: | 7_2_10009343 | |
Source: | Code function: | 7_2_1000C151 | |
Source: | Code function: | 7_2_1001D15E | |
Source: | Code function: | 7_2_10007761 | |
Source: | Code function: | 7_2_10013983 | |
Source: | Code function: | 7_2_10012783 | |
Source: | Code function: | 7_2_1000958A | |
Source: | Code function: | 7_2_1001519C | |
Source: | Code function: | 7_2_10017B9E | |
Source: | Code function: | 7_2_100213A3 | |
Source: | Code function: | 7_2_1001CFA0 | |
Source: | Code function: | 7_2_100135A3 | |
Source: | Code function: | 7_2_1001F9AF | |
Source: | Code function: | 7_2_100223B9 | |
Source: | Code function: | 7_2_10001DCA | |
Source: | Code function: | 7_2_1001F5D9 | |
Source: | Code function: | 7_2_1000CDE0 | |
Source: | Code function: | 7_2_100071E3 | |
Source: | Code function: | 7_2_10008FE9 | |
Source: | Code function: | 7_2_1001E5ED | |
Source: | Code function: | 7_2_100205F6 | |
Source: | Code function: | 7_2_1001F7F4 |
Source: | Static PE information: |
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Matched rule: | (40 entries) |
Source: | Classification label: |
Source: | Code function: | 4_2_6D5FD2D0 | |
Source: | Code function: | 5_2_6D5FD2D0 |
Source: | Code function: | 7_2_1000BE5E |
Source: | Code function: | 4_2_6D613417 |
Source: | Code function: | 4_2_6D5F9E50 |
Source: | Mutant created: |
Source: | Static PE information: |
Source: | File read: |
Source: | Key opened: |
Source: | Process created: | (16 entries) |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Code function: | 4_2_6D5F27F0 |
Source: | Static PE information: |
Source: | Process created: |
Source: | Code function: | 0_2_011910C0 | |
Source: | Code function: | 4_2_6D62ED3C | |
Source: | Code function: | 4_2_6D62E64F | |
Source: | Code function: | 5_2_6D62ED3C | |
Source: | Code function: | 5_2_6D62E64F |
Source: | PE file moved: | Jump to behavior |
Hooking and other Techniques for Hiding and Protection |
---|
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Source: | Code function: | 4_2_6D5FB800 | |
Source: | Code function: | 4_2_6D6078E8 | |
Source: | Code function: | 5_2_6D5FB800 | |
Source: | Code function: | 5_2_6D6078E8 |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Source: | Evasive API call chain: | graph_4-43338 | ||
Source: | Evasive API call chain: | graph_5-43335 |
Source: | API coverage: | ||
Source: | API coverage: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Last function: |
Source: | File Volume queried: | Jump to behavior |
Source: | Code function: | 4_2_6D61172E | |
Source: | Code function: | 4_2_6D61D098 | |
Source: | Code function: | 5_2_6D61172E | |
Source: | Code function: | 5_2_6D61D098 | |
Source: | Code function: | 7_2_100227C2 |
Source: | Code function: | 4_2_6D5FFC12 |
Source: | Code function: | 4_2_6D62E7DB |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | API call chain: | graph_4-43509 | ||
Source: | API call chain: | graph_4-43544 | ||
Source: | API call chain: | graph_5-43506 | ||
Source: | API call chain: | graph_5-43541 |
Source: | Process information queried: | Jump to behavior |
Source: | Process queried: | Jump to behavior |
Source: | Code function: | 4_2_6D62CD5C |
Source: | Code function: | 4_2_6D62E7DB |
Source: | Code function: | 4_2_6D5F27F0 |
Source: | Code function: | 4_2_100032AC | |
Source: | Code function: | 5_2_100032AC | |
Source: | Code function: | 6_2_100032AC | |
Source: | Code function: | 7_2_100032AC |
Source: | Code function: | 4_2_6D5F8F00 |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Code function: | 4_2_6D62CD5C | |
Source: | Code function: | 4_2_6D63AF75 | |
Source: | Code function: | 4_2_6D6333A4 | |
Source: | Code function: | 5_2_6D62CD5C | |
Source: | Code function: | 5_2_6D63AF75 | |
Source: | Code function: | 5_2_6D6333A4 |
Source: | Process created: | Jump to behavior |
Source: | Code function: | 4_2_6D63E514 | |
Source: | Code function: | 4_2_6D617787 | |
Source: | Code function: | 5_2_6D63E514 | |
Source: | Code function: | 5_2_6D617787 |
Source: | Queries volume information: | Jump to behavior |
Source: | Code function: | 4_2_6D63ACD0 |
Source: | Code function: | 4_2_6D639824 |
Source: | Code function: | 4_2_6D613417 |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Code function: | 4_2_6D61A853 | |
Source: | Code function: | 4_2_6D601060 | |
Source: | Code function: | 5_2_6D61A853 | |
Source: | Code function: | 5_2_6D601060 |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 21 Input Capture | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Access Token Manipulation | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 3 File and Directory Discovery | Remote Desktop Protocol | 21 Input Capture | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 11 Process Injection | 2 Obfuscated Files or Information | Security Account Manager | 25 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 31 Security Software Discovery | Distributed Component Object Model | Input Capture | 1 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 File Deletion | LSA Secrets | 1 Virtualization/Sandbox Evasion | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Masquerading | Cached Domain Credentials | 2 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Virtualization/Sandbox Evasion | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Access Token Manipulation | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 11 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Hidden Files and Directories | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 1 Regsvr32 | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption |
Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | 1 Rundll32 | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira | HEUR/AGEN.1302651 | ||
100% | Joe Sandbox ML | ||
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | | unknown | ||
false | | unknown | ||
false | | unknown | ||
false | | unknown | ||
false | | unknown | ||
false | | unknown | ||
false | | unknown | ||
false | | unknown | ||
false | | unknown | ||
false | unknown | |||
false | | unknown | ||
false | | unknown | ||
false | | unknown | ||
false | | unknown | ||
false | | unknown | ||
false | | unknown | ||
false | | unknown | ||
false | | unknown | ||
false | unknown | |||
false | | unknown | ||
false | | unknown | ||
false | | unknown | ||
false | | unknown | ||
false | | unknown | ||
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
195.154.133.20 | unknown | France | 12876 | OnlineSASFR | true | |
185.157.82.211 | unknown | Poland | 42927 | S-NET-ASPL | true | |
79.172.212.216 | unknown | Hungary | 61998 | SZERVERPLEXHU | true | |
212.237.17.99 | unknown | Italy | 31034 | ARUBA-ASNIT | true | |
110.232.117.186 | unknown | Australia | 56038 | RACKCORP-APRackCorpAU | true | |
51.254.140.238 | unknown | France | 16276 | OVHFR | true | |
119.235.255.201 | unknown | Indonesia | 45146 | RAJASA-AS-ID-APPTRajaSepadanAbadiID | true | |
212.24.98.99 | unknown | Lithuania | 62282 | RACKRAYUABRakrejusLT | true | |
213.190.4.223 | unknown | Germany | 47583 | AS-HOSTINGERLT | true | |
138.185.72.26 | unknown | Brazil | 264343 | EmpasoftLtdaMeBR | true | |
153.126.203.229 | unknown | Japan | 7684 | SAKURA-ASAKURAInternetIncJP | true | |
81.0.236.90 | unknown | Czech Republic | 15685 | CASABLANCA-ASInternetCollocationProviderCZ | true | |
216.158.226.206 | unknown | United States | 19318 | IS-AS-1US | true | |
45.118.115.99 | unknown | Indonesia | 131717 | IDNIC-CIFO-AS-IDPTCitraJelajahInformatikaID | true | |
103.75.201.2 | unknown | Thailand | 133496 | CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH | true | |
103.75.201.4 | unknown | Thailand | 133496 | CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH | true | |
209.126.98.206 | unknown | United States | 30083 | AS-30083-GO-DADDY-COM-LLCUS | true | |
156.67.219.84 | unknown | Cyprus | 47583 | AS-HOSTINGERLT | true | |
175.107.196.192 | unknown | Pakistan | 9541 | CYBERNET-APCyberInternetServicesPvtLtdPK | true | |
217.182.143.207 | unknown | France | 16276 | OVHFR | true | |
82.165.152.127 | unknown | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | true | |
107.182.225.142 | unknown | United States | 32780 | HOSTINGSERVICES-INCUS | true | |
45.118.135.203 | unknown | Japan | 63949 | LINODE-APLinodeLLCUS | true | |
50.116.54.215 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true | |
131.100.24.231 | unknown | Brazil | 61635 | GOPLEXTELECOMUNICACOESEINTERNETLTDA-MEBR | true | |
135.148.121.246 | unknown | United States | 18676 | AVAYAUS | true | |
46.55.222.11 | unknown | Bulgaria | 34841 | BALCHIKNETBG | true | |
173.212.193.249 | unknown | Germany | 51167 | CONTABODE | true | |
178.79.147.66 | unknown | United Kingdom | 63949 | LINODE-APLinodeLLCUS | true | |
45.176.232.124 | unknown | Colombia | 267869 | CABLEYTELECOMUNICACIONESDECOLOMBIASASCABLETELCOC | true | |
162.243.175.63 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true | |
176.104.106.96 | unknown | Serbia | 198371 | NINETRS | true | |
31.24.158.56 | unknown | Spain | 50926 | INFORTELECOM-ASES | true | |
50.30.40.196 | unknown | United States | 30083 | AS-30083-GO-DADDY-COM-LLCUS | true | |
207.38.84.195 | unknown | United States | 30083 | AS-30083-GO-DADDY-COM-LLCUS | true | |
164.68.99.3 | unknown | Germany | 51167 | CONTABODE | true | |
103.134.85.85 | unknown | Indonesia | 139943 | IDNIC-GARUTKAB-AS-IDDinasKomunikasidanInformatikaKabupa | true | |
212.237.56.116 | unknown | Italy | 31034 | ARUBA-ASNIT | true | |
45.142.114.231 | unknown | Germany | 44066 | DE-FIRSTCOLOwwwfirst-colonetDE | true | |
203.114.109.124 | unknown | Thailand | 131293 | TOT-LLI-AS-APTOTPublicCompanyLimitedTH | true | |
129.232.188.93 | unknown | South Africa | 37153 | xneeloZA | true | |
159.8.59.82 | unknown | United States | 36351 | SOFTLAYERUS | true | |
58.227.42.236 | unknown | Korea Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | true | |
158.69.222.101 | unknown | Canada | 16276 | OVHFR | true | |
178.128.83.165 | unknown | Netherlands | 14061 | DIGITALOCEAN-ASNUS | true |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1482064 |
Start date and time: | 2024-07-25 17:48:24 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 6m 40s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 15 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | LisectAVT_2403002B_136.dll |
Detection: | MAL |
Classification: | mal84.troj.evad.winDLL@15/0@0/45 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target loaddll32.exe, PID 7972 because there are no executed function
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing disassembly code.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: LisectAVT_2403002B_136.dll
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
195.154.133.20 | Get hash | malicious | Emotet | Browse | ||
Get hash | malicious | Emotet | Browse | |||
Get hash | malicious | Emotet | Browse | |||
Get hash | malicious | Emotet | Browse | |||
Get hash | malicious | Emotet | Browse | |||
Get hash | malicious | Emotet | Browse | |||
Get hash | malicious | Emotet | Browse | |||
Get hash | malicious | Emotet | Browse | |||
Get hash | malicious | Emotet | Browse | |||
Get hash | malicious | Emotet | Browse | |||
185.157.82.211 | Get hash | malicious | Emotet | Browse | ||
Get hash | malicious | Emotet | Browse | |||
Get hash | malicious | Emotet | Browse | |||
Get hash | malicious | Emotet | Browse | |||
Get hash | malicious | Emotet | Browse | |||
Get hash | malicious | Emotet | Browse | |||
Get hash | malicious | Emotet | Browse | |||
Get hash | malicious | Emotet | Browse | |||
Get hash | malicious | Emotet | Browse | |||
Get hash | malicious | Emotet | Browse | |||
79.172.212.216 | Get hash | malicious | Emotet | Browse | ||
Get hash | malicious | Emotet | Browse | |||
Get hash | malicious | Emotet | Browse | |||
Get hash | malicious | Emotet | Browse | |||
Get hash | malicious | Emotet | Browse | |||
Get hash | malicious | Emotet | Browse | |||
Get hash | malicious | Emotet | Browse | |||
Get hash | malicious | Emotet | Browse | |||
Get hash | malicious | Emotet | Browse | |||
Get hash | malicious | Emotet | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
S-NET-ASPL | Get hash | malicious | Mirai | Browse | | |
Get hash | malicious | Mirai | Browse | | ||
Get hash | malicious | Mirai | Browse | | ||
Get hash | malicious | AsyncRAT, DarkTortilla | Browse | | ||
Get hash | malicious | Remcos | Browse | | ||
Get hash | malicious | Mirai, Moobot | Browse | | ||
Get hash | malicious | Unknown | Browse | | ||
Get hash | malicious | XWorm | Browse | | ||
Get hash | malicious | Mirai | Browse | | ||
Get hash | malicious | AveMaria, UACMe | Browse | | ||
SZERVERPLEXHU | Get hash | malicious | AgentTesla, DBatLoader, PureLog Stealer | Browse | | |
Get hash | malicious | AgentTesla, DBatLoader, PureLog Stealer | Browse | | ||
Get hash | malicious | Mirai | Browse | | ||
Get hash | malicious | Mirai | Browse | | ||
Get hash | malicious | Mirai | Browse | | ||
Get hash | malicious | Mirai | Browse | | ||
Get hash | malicious | Mirai | Browse | | ||
Get hash | malicious | Mirai | Browse | | ||
Get hash | malicious | Mirai | Browse | | ||
Get hash | malicious | Mirai | Browse | | ||
OnlineSASFR | Get hash | malicious | Unknown | Browse | | |
Get hash | malicious | Emotet | Browse | | ||
Get hash | malicious | Emotet | Browse | | ||
Get hash | malicious | Unknown | Browse | | ||
Get hash | malicious | Glupteba, Xmrig | Browse | | ||
Get hash | malicious | ScreenConnect Tool, PureLog Stealer, RedLine, Xmrig, zgRAT | Browse | | ||
Get hash | malicious | Unknown | Browse | | ||
Get hash | malicious | WhiteSnake Stealer, XWorm | Browse | | ||
Get hash | malicious | Unknown | Browse | | ||
Get hash | malicious | Unknown | Browse | |
File type: | |
Entropy (8bit): | 6.975036391230239 |
TrID: | |
File name: | LisectAVT_2403002B_136.dll |
File size: | 668'160 bytes |
MD5: | 6533cbce314b3b88abcb1686b7d26a91 |
SHA1: | 9df9a40839182f8b52ba53d3834f4ab13e7d450b |
SHA256: | 30a49156bc54f010af18a0ccab0194b79a3d5a5a62c852fa23868250f7043ff8 |
SHA512: | 1d821140d4337270eb1769bb3a28bf415f0fe7855f538ea11ccec3ff3b1275804cc15047dceb609ffd2b410dd24f564c641237af1ccfb122de654f9c8a780b8c |
SSDEEP: | 12288:y6f5tUaLG1iZuyzbVysg1wuKWKDYjX3rUXY:ygHpbVy9750YjX3N |
TLSH: | 3DE4BE517B81C0B6C25E30B54556E37962EDA9709F3893C3BBC46A3F6E741C1993832B |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........./...A...A...A.?.Q...A.......A..O,...A..O:...A...@...A.......A.....,.A.....{.A.......A.......A.......A.Rich..A.........PE..L.. |
Icon Hash: | ce87b1d3e6c6ec58 |
Entrypoint: | 0x1003e527 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x10000000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL |
DLL Characteristics: | DYNAMIC_BASE |
Time Stamp: | 0x62168D46 [Wed Feb 23 19:38:46 2022 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | cca9170027b8a1c09e4e49e3efdfdd6a |
Instruction |
---|
mov edi, edi |
push ebp |
mov ebp, esp |
cmp dword ptr [ebp+0Ch], 01h |
jne 00007F978CB75487h |
call 00007F978CB81C1Eh |
push dword ptr [ebp+08h] |
mov ecx, dword ptr [ebp+10h] |
mov edx, dword ptr [ebp+0Ch] |
call 00007F978CB75371h |
pop ecx |
pop ebp |
retn 000Ch |
mov edi, edi |
push ebp |
mov ebp, esp |
mov eax, dword ptr [ebp+08h] |
mov cx, word ptr [eax] |
inc eax |
inc eax |
test cx, cx |
jne 00007F978CB75478h |
sub eax, dword ptr [ebp+08h] |
sar eax, 1 |
dec eax |
pop ebp |
ret |
push eax |
push dword ptr fs:[00000000h] |
lea eax, dword ptr [esp+0Ch] |
sub esp, dword ptr [esp+0Ch] |
push ebx |
push esi |
push edi |
mov dword ptr [eax], ebp |
mov ebp, eax |
mov eax, dword ptr [1006CD1Ch] |
xor eax, ebp |
push eax |
push dword ptr [ebp-04h] |
mov dword ptr [ebp-04h], FFFFFFFFh |
lea eax, dword ptr [ebp-0Ch] |
mov dword ptr fs:[00000000h], eax |
ret |
push eax |
push dword ptr fs:[00000000h] |
lea eax, dword ptr [esp+0Ch] |
sub esp, dword ptr [esp+0Ch] |
push ebx |
push esi |
push edi |
mov dword ptr [eax], ebp |
mov ebp, eax |
mov eax, dword ptr [1006CD1Ch] |
xor eax, ebp |
push eax |
mov dword ptr [ebp-10h], esp |
push dword ptr [ebp-04h] |
mov dword ptr [ebp-04h], FFFFFFFFh |
lea eax, dword ptr [ebp-0Ch] |
mov dword ptr fs:[00000000h], eax |
ret |
push eax |
push dword ptr fs:[00000000h] |
lea eax, dword ptr [esp+0Ch] |
sub esp, dword ptr [esp+0Ch] |
push ebx |
push esi |
push edi |
mov dword ptr [eax], ebp |
mov ebp, eax |
mov eax, dword ptr [1006CD1Ch] |
xor eax, ebp |
push eax |
mov dword ptr [ebp-10h], eax |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x6aee0 | 0x72 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x68bfc | 0x118 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x72000 | 0x2ad2c | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x9d000 | 0x70d0 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x56000 | 0x6cc | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x68b74 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x5470d | 0x54800 | 77bf2cc8d9f9ac6009e5044c19c44a78 | False | 0.5482444988905325 | data | 6.6456067202243565 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x56000 | 0x14f52 | 0x15000 | 57bdb4f933dd3a352b291573c8335489 | False | 0.3084077380952381 | data | 5.28195931672097 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x6b000 | 0x6cfc | 0x3200 | 5fbfb40e0b0775ce485cefcc0d258486 | False | 0.298125 | data | 4.554850026972256 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x72000 | 0x2ad2c | 0x2ae00 | 383c63981e6b3813f914150c572b16fd | False | 0.8915474672011662 | data | 7.771415105871024 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x9d000 | 0xb528 | 0xb600 | 20572a755ce521e1d2f1956685425084 | False | 0.35310782967032966 | data | 4.916088887795584 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
0x72f28 | 0x22800 | data | Chinese | China | 1.0003609035326086 | |
RT_CURSOR | 0x95728 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.4805194805194805 |
RT_CURSOR | 0x9585c | 0xb4 | Targa image data - Map 32 x 65536 x 1 +16 "\001" | Chinese | China | 0.7 |
RT_CURSOR | 0x95910 | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294967264, 5120 elements, 2nd "\377\360?\377\377\370\177\377\377\374\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd | Chinese | China | 0.36363636363636365 |
RT_CURSOR | 0x95a44 | 0x134 | Targa image data - RLE 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.35714285714285715 |
RT_CURSOR | 0x95b78 | 0x134 | data | Chinese | China | 0.37337662337662336 |
RT_CURSOR | 0x95cac | 0x134 | data | Chinese | China | 0.37662337662337664 |
RT_CURSOR | 0x95de0 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.36688311688311687 |
RT_CURSOR | 0x95f14 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.37662337662337664 |
RT_CURSOR | 0x96048 | 0x134 | Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.36688311688311687 |
RT_CURSOR | 0x9617c | 0x134 | Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.38636363636363635 |
RT_CURSOR | 0x962b0 | 0x134 | data | Chinese | China | 0.44155844155844154 |
RT_CURSOR | 0x963e4 | 0x134 | data | Chinese | China | 0.4155844155844156 |
RT_CURSOR | 0x96518 | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294966847, 3840 elements, 2nd "\377?\374\377\377\300\003\377\377\300\003\377\377\340\007\377\377\360\017\377\377\370\037\377\377\374?\377\377\376\177\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd | Chinese | China | 0.5422077922077922 |
RT_CURSOR | 0x9664c | 0x134 | data | Chinese | China | 0.2662337662337662 |
RT_CURSOR | 0x96780 | 0x134 | data | Chinese | China | 0.2824675324675325 |
RT_CURSOR | 0x968b4 | 0x134 | data | Chinese | China | 0.3246753246753247 |
RT_BITMAP | 0x969e8 | 0xb8 | Device independent bitmap graphic, 12 x 10 x 4, image size 80 | Chinese | China | 0.44565217391304346 |
RT_BITMAP | 0x96aa0 | 0x144 | Device independent bitmap graphic, 33 x 11 x 4, image size 220 | Chinese | China | 0.37962962962962965 |
RT_ICON | 0x96be4 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Chinese | China | 0.491804979253112 |
RT_ICON | 0x9918c | 0xca8 | Device independent bitmap graphic, 32 x 64 x 24, image size 3200 | Chinese | China | 0.6907407407407408 |
RT_ICON | 0x99e34 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Chinese | China | 0.7313829787234043 |
RT_MENU | 0x9a29c | 0x124 | data | Chinese | China | 0.6061643835616438 |
RT_DIALOG | 0x9a3c0 | 0x2b2 | data | Chinese | China | 0.5014492753623189 |
RT_DIALOG | 0x9a674 | 0x3f2 | data | Chinese | China | 0.4495049504950495 |
RT_DIALOG | 0x9aa68 | 0x176 | data | Chinese | China | 0.5347593582887701 |
RT_DIALOG | 0x9abe0 | 0x226 | data | Chinese | China | 0.4581818181818182 |
RT_DIALOG | 0x9ae08 | 0x12e | data | Chinese | China | 0.6291390728476821 |
RT_DIALOG | 0x9af38 | 0x2e0 | data | Chinese | China | 0.4361413043478261 |
RT_DIALOG | 0x9b218 | 0xf8 | data | Chinese | China | 0.6733870967741935 |
RT_DIALOG | 0x9b310 | 0xd8 | data | Chinese | China | 0.6944444444444444 |
RT_DIALOG | 0x9b3e8 | 0x9e | data | Chinese | China | 0.6962025316455697 |
RT_DIALOG | 0x9b488 | 0x144 | data | Chinese | China | 0.595679012345679 |
RT_DIALOG | 0x9b5cc | 0xfa | data | Chinese | China | 0.628 |
RT_DIALOG | 0x9b6c8 | 0xce | data | Chinese | China | 0.6456310679611651 |
RT_DIALOG | 0x9b798 | 0x2c2 | data | Chinese | China | 0.556657223796034 |
RT_DIALOG | 0x9ba5c | 0xca | data | Chinese | China | 0.7326732673267327 |
RT_DIALOG | 0x9bb28 | 0xf2 | data | Chinese | China | 0.6942148760330579 |
RT_DIALOG | 0x9bc1c | 0x28 | data | Chinese | China | 0.85 |
RT_DIALOG | 0x9bc44 | 0xe2 | data | Chinese | China | 0.6814159292035398 |
RT_DIALOG | 0x9bd28 | 0x34 | data | Chinese | China | 0.9038461538461539 |
RT_STRING | 0x9bd5c | 0x58 | data | Chinese | China | 0.7840909090909091 |
RT_STRING | 0x9bdb4 | 0x4e | data | Chinese | China | 0.8461538461538461 |
RT_STRING | 0x9be04 | 0x2c | data | Chinese | China | 0.5909090909090909 |
RT_STRING | 0x9be30 | 0x82 | data | Chinese | China | 0.9307692307692308 |
RT_STRING | 0x9beb4 | 0x1d6 | data | Chinese | China | 0.8148936170212766 |
RT_STRING | 0x9c08c | 0x160 | data | Chinese | China | 0.4971590909090909 |
RT_STRING | 0x9c1ec | 0x12e | data | Chinese | China | 0.652317880794702 |
RT_STRING | 0x9c31c | 0x50 | data | Chinese | China | 0.7125 |
RT_STRING | 0x9c36c | 0x44 | data | Chinese | China | 0.6764705882352942 |
RT_STRING | 0x9c3b0 | 0x68 | data | Chinese | China | 0.7019230769230769 |
RT_STRING | 0x9c418 | 0x1b8 | data | Chinese | China | 0.6568181818181819 |
RT_STRING | 0x9c5d0 | 0x104 | data | Chinese | China | 0.6038461538461538 |
RT_STRING | 0x9c6d4 | 0x24 | data | Chinese | China | 0.4722222222222222 |
RT_STRING | 0x9c6f8 | 0x30 | data | Chinese | China | 0.625 |
RT_GROUP_CURSOR | 0x9c728 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | Chinese | China | 1.0294117647058822 |
RT_GROUP_CURSOR | 0x9c74c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
RT_GROUP_CURSOR | 0x9c760 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
RT_GROUP_CURSOR | 0x9c774 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
RT_GROUP_CURSOR | 0x9c788 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
RT_GROUP_CURSOR | 0x9c79c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
RT_GROUP_CURSOR | 0x9c7b0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
RT_GROUP_CURSOR | 0x9c7c4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
RT_GROUP_CURSOR | 0x9c7d8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
RT_GROUP_CURSOR | 0x9c7ec | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
RT_GROUP_CURSOR | 0x9c800 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
RT_GROUP_CURSOR | 0x9c814 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
RT_GROUP_CURSOR | 0x9c828 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
RT_GROUP_CURSOR | 0x9c83c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
RT_GROUP_CURSOR | 0x9c850 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
RT_GROUP_ICON | 0x9c864 | 0x30 | data | Chinese | China | 0.9166666666666666 |
RT_VERSION | 0x9c894 | 0x320 | data | Chinese | China | 0.48625 |
RT_MANIFEST | 0x9cbb4 | 0x15a | ASCII text, with CRLF line terminators | English | United States | 0.5491329479768786 |
None | 0x9cd10 | 0x1a | GLS_BINARY_LSB_FIRST | Chinese | China | 0.9615384615384616 |
DLL | Import |
---|---|
KERNEL32.dll | WritePrivateProfileStringA, GetCurrentDirectoryA, FindResourceExA, GetTickCount, RtlUnwind, HeapAlloc, HeapFree, GetSystemTimeAsFileTime, GetCommandLineA, RaiseException, VirtualAlloc, GetSystemInfo, VirtualQuery, HeapReAlloc, SetStdHandle, GetFileType, ExitThread, HeapSize, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, VirtualFree, HeapCreate, HeapDestroy, GetStdHandle, GetFileTime, IsValidCodePage, GetStringTypeA, GetStringTypeW, GetTimeZoneInformation, SetHandleCount, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, InitializeCriticalSectionAndSpinCount, GetConsoleCP, GetConsoleMode, LCMapStringA, LCMapStringW, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CompareStringW, SetEnvironmentVariableA, GetFileSizeEx, GetFileAttributesA, GetOEMCP, GetCPInfo, GlobalFlags, TlsFree, DeleteCriticalSection, LocalReAlloc, TlsSetValue, TlsAlloc, InitializeCriticalSection, GlobalHandle, GlobalReAlloc, EnterCriticalSection, TlsGetValue, LeaveCriticalSection, LocalAlloc, GetModuleHandleW, VirtualProtect, FileTimeToLocalFileTime, FindNextFileA, FileTimeToSystemTime, GetCurrentThread, ConvertDefaultLocale, EnumResourceLanguagesA, GetLocaleInfoA, InterlockedExchange, CreateEventA, SetEvent, InterlockedDecrement, GetCurrentProcessId, GetFullPathNameA, FindFirstFileA, FindClose, DuplicateHandle, GetFileSize, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, MoveFileA, lstrcmpA, GetThreadLocale, InterlockedIncrement, FreeResource, GetCurrentThreadId, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, CompareStringA, lstrcmpW, GetVersionExA, GlobalFree, GlobalAlloc, GlobalLock, GlobalUnlock, FormatMessageA, LocalFree, MulDiv, lstrlenA, MultiByteToWideChar, ReadDirectoryChangesW, GetModuleFileNameA, GetVolumeInformationA, CreateThread, SetThreadPriority, GetDriveTypeA, GetWindowsDirectoryA, GetSystemDirectoryA, GetLogicalDriveStringsA, GetCurrentProcess, GetShortPathNameA, OpenProcess, ResumeThread, SuspendThread, GetExitCodeThread, TerminateThread, SetLastError, GetModuleHandleA, Sleep, CreateProcessA, WaitForSingleObject, GetLastError, ExitProcess, FindResourceA, LoadResource, LockResource, SizeofResource, CreateFileA, CloseHandle, DeleteFileA, LoadLibraryA, GetProcAddress, FreeLibrary, GetACP, WideCharToMultiByte |
USER32.dll | GetNextDlgGroupItem, MessageBeep, RegisterClipboardFormatA, PostThreadMessageA, GetSysColorBrush, GetAsyncKeyState, SetWindowContextHelpId, MapDialogRect, WaitMessage, SetRectEmpty, PostQuitMessage, EndPaint, BeginPaint, GetWindowDC, ReleaseDC, GetDC, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, GetMessageA, TranslateMessage, ValidateRect, DestroyMenu, GetWindowThreadProcessId, GetDesktopWindow, GetActiveWindow, CreateDialogIndirectParamA, EndDialog, CharUpperA, CharNextA, IsWindowEnabled, MoveWindow, SetWindowTextA, IsDialogMessageA, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, EnableMenuItem, CheckMenuItem, RegisterWindowMessageA, SendDlgItemMessageA, WinHelpA, GetCapture, SetWindowsHookExA, CallNextHookEx, GetClassLongA, GetClassNameA, SetPropA, GetPropA, RemovePropA, GetFocus, IsWindow, SetFocus, GetWindowTextLengthA, GetWindowTextA, GetForegroundWindow, GetLastActivePopup, SetActiveWindow, DispatchMessageA, GetDlgItem, GetTopWindow, DestroyWindow, UnhookWindowsHookEx, GetMessageTime, GetMessagePos, MapWindowPoints, TrackPopupMenu, GetKeyState, SetMenu, SetForegroundWindow, MessageBoxA, GetClassInfoExA, GetClassInfoA, RegisterClassA, AdjustWindowRectEx, GetParent, EqualRect, EnableWindow, SendMessageA, CopyRect, InflateRect, DeferWindowPos, PtInRect, GetDlgCtrlID, DefWindowProcA, CallWindowProcA, GetMenu, GetWindowLongA, SetWindowLongA, SetWindowPos, OffsetRect, IntersectRect, SystemParametersInfoA, GetWindowPlacement, WindowFromPoint, ReleaseCapture, SetCapture, InvalidateRgn, IsRectEmpty, IsChild, CopyAcceleratorTableA, LoadBitmapA, GetMenuItemCount, GetMenuItemID, GetSubMenu, ModifyMenuA, GetClientRect, UpdateWindow, InvalidateRect, RedrawWindow, SetTimer, KillTimer, SetCursor, GetSysColor, CreateWindowExA, ShowWindow, CreateWindowExW, GetWindowRect, ClipCursor, SetSystemCursor, ShowCursor, DrawIcon, LoadMenuA, IsIconic, ScreenToClient, IsWindowVisible, LoadCursorA, LoadIconA, GetSystemMetrics, FillRect, SetRect, GetCursorPos, LoadCursorFromFileA, CopyIcon, ExitWindowsEx, PeekMessageA, PostMessageA, GetWindow, GetMenuState, GetMenuStringA, GetNextDlgTabItem |
GDI32.dll | ExtSelectClipRgn, DeleteDC, CreateRectRgnIndirect, GetMapMode, GetCharWidthA, StretchDIBits, CreateCompatibleBitmap, GetRgnBox, EnumFontFamiliesExA, SetWindowExtEx, ScaleWindowExtEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, Escape, TextOutA, RectVisible, PtVisible, GetWindowExtEx, GetViewportExtEx, CreateFontA, IntersectClipRect, ExcludeClipRect, SetMapMode, SetBkMode, RestoreDC, SaveDC, ExtTextOutA, GetTextColor, GetBkColor, CreateBitmap, SetBkColor, SetTextColor, GetClipBox, GetDeviceCaps, BitBlt, SelectObject, GetStockObject, CreateFontIndirectA, DeleteObject, CreateSolidBrush, StretchBlt, Rectangle, CreateCompatibleDC, GetObjectA |
COMDLG32.dll | GetFileTitleA |
WINSPOOL.DRV | DocumentPropertiesA, ClosePrinter, OpenPrinterA |
ADVAPI32.dll | RegQueryValueA, RegEnumKeyA, RegDeleteKeyA, RegOpenKeyExA, RegOpenKeyA, RegQueryValueExA, RegCloseKey, RegCreateKeyA, RegSetValueExA, RegDeleteValueA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegCreateKeyExA |
SHELL32.dll | SHBrowseForFolderA, ShellExecuteA, Shell_NotifyIconA, SHGetFileInfoA, SHGetPathFromIDListA |
SHLWAPI.dll | PathIsUNCA, PathRemoveFileSpecW, PathFindExtensionA, PathStripToRootA, PathFindFileNameA |
oledlg.dll | |
ole32.dll | CoTaskMemFree, CLSIDFromString, OleIsCurrentClipboard, OleFlushClipboard, CoRegisterMessageFilter, CoTaskMemAlloc, CoUninitialize, CoInitializeEx, CoGetClassObject, StgOpenStorageOnILockBytes, StgCreateDocfileOnILockBytes, CreateILockBytesOnHGlobal, OleUninitialize, CoFreeUnusedLibraries, OleInitialize, CoRevokeClassObject, CoCreateInstance, CLSIDFromProgID |
OLEAUT32.dll | VariantChangeType, SysFreeString, SysStringLen, SysAllocString, SysAllocStringByteLen, VariantInit, SysAllocStringLen, OleCreateFontIndirect, VariantCopy, SafeArrayDestroy, VariantTimeToSystemTime, SystemTimeToVariantTime, VariantClear |
WS2_32.dll | WSACleanup, accept, select, htonl, WSAGetLastError, WSASetLastError, connect, sendto, recvfrom, WSAAsyncSelect, send, socket, gethostbyname, inet_addr, setsockopt, htons, bind, WSAIoctl, recv, ntohs, inet_ntoa, closesocket, WSAStartup |
PSAPI.DLL | EnumProcessModules, EnumProcesses, GetModuleFileNameExA |
Name | Ordinal | Address |
---|---|---|
DllRegisterServer | 1 | 0x10008c30 |
DllUnregisterServer | 2 | 0x10008ce0 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
Chinese | China | |
English | United States | |
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
2024-07-25T17:49:37.808834+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49709 | 40.68.123.157 | 192.168.2.10 |
2024-07-25T17:50:37.612947+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49716 | 7080 | 192.168.2.10 | 213.190.4.223 |
2024-07-25T17:49:54.174083+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49708 | 8080 | 192.168.2.10 | 135.148.121.246 |
2024-07-25T17:50:17.475731+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49714 | 40.68.123.157 | 192.168.2.10 |
2024-07-25T17:51:20.487949+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49719 | 80 | 192.168.2.10 | 175.107.196.192 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jul 25, 2024 17:49:32.792500019 CEST | 49708 | 8080 | 192.168.2.10 | 135.148.121.246 |
Jul 25, 2024 17:49:32.799031019 CEST | 8080 | 49708 | 135.148.121.246 | 192.168.2.10 |
Jul 25, 2024 17:49:32.799165964 CEST | 49708 | 8080 | 192.168.2.10 | 135.148.121.246 |
Jul 25, 2024 17:49:32.810743093 CEST | 49708 | 8080 | 192.168.2.10 | 135.148.121.246 |
Jul 25, 2024 17:49:32.817770004 CEST | 8080 | 49708 | 135.148.121.246 | 192.168.2.10 |
Jul 25, 2024 17:49:54.173981905 CEST | 8080 | 49708 | 135.148.121.246 | 192.168.2.10 |
Jul 25, 2024 17:49:54.174082994 CEST | 49708 | 8080 | 192.168.2.10 | 135.148.121.246 |
Jul 25, 2024 17:49:54.174196005 CEST | 49708 | 8080 | 192.168.2.10 | 135.148.121.246 |
Jul 25, 2024 17:49:54.179059029 CEST | 8080 | 49708 | 135.148.121.246 | 192.168.2.10 |
Jul 25, 2024 17:49:54.180344105 CEST | 49713 | 8080 | 192.168.2.10 | 135.148.121.246 |
Jul 25, 2024 17:49:54.185247898 CEST | 8080 | 49713 | 135.148.121.246 | 192.168.2.10 |
Jul 25, 2024 17:49:54.185923100 CEST | 49713 | 8080 | 192.168.2.10 | 135.148.121.246 |
Jul 25, 2024 17:49:54.185923100 CEST | 49713 | 8080 | 192.168.2.10 | 135.148.121.246 |
Jul 25, 2024 17:49:54.190840006 CEST | 8080 | 49713 | 135.148.121.246 | 192.168.2.10 |
Jul 25, 2024 17:50:16.167201996 CEST | 8080 | 49713 | 135.148.121.246 | 192.168.2.10 |
Jul 25, 2024 17:50:16.167361021 CEST | 49713 | 8080 | 192.168.2.10 | 135.148.121.246 |
Jul 25, 2024 17:50:16.167462111 CEST | 49713 | 8080 | 192.168.2.10 | 135.148.121.246 |
Jul 25, 2024 17:50:16.167929888 CEST | 8080 | 49713 | 135.148.121.246 | 192.168.2.10 |
Jul 25, 2024 17:50:16.167980909 CEST | 49713 | 8080 | 192.168.2.10 | 135.148.121.246 |
Jul 25, 2024 17:50:16.168553114 CEST | 8080 | 49713 | 135.148.121.246 | 192.168.2.10 |
Jul 25, 2024 17:50:16.168602943 CEST | 49713 | 8080 | 192.168.2.10 | 135.148.121.246 |
Jul 25, 2024 17:50:16.170875072 CEST | 49715 | 8080 | 192.168.2.10 | 135.148.121.246 |
Jul 25, 2024 17:50:16.172893047 CEST | 8080 | 49713 | 135.148.121.246 | 192.168.2.10 |
Jul 25, 2024 17:50:16.178544998 CEST | 8080 | 49715 | 135.148.121.246 | 192.168.2.10 |
Jul 25, 2024 17:50:16.178668976 CEST | 49715 | 8080 | 192.168.2.10 | 135.148.121.246 |
Jul 25, 2024 17:50:16.178843975 CEST | 49715 | 8080 | 192.168.2.10 | 135.148.121.246 |
Jul 25, 2024 17:50:16.186456919 CEST | 8080 | 49715 | 135.148.121.246 | 192.168.2.10 |
Jul 25, 2024 17:50:16.200503111 CEST | 49716 | 7080 | 192.168.2.10 | 213.190.4.223 |
Jul 25, 2024 17:50:16.204551935 CEST | 8080 | 49715 | 135.148.121.246 | 192.168.2.10 |
Jul 25, 2024 17:50:16.204638004 CEST | 49715 | 8080 | 192.168.2.10 | 135.148.121.246 |
Jul 25, 2024 17:50:16.206327915 CEST | 7080 | 49716 | 213.190.4.223 | 192.168.2.10 |
Jul 25, 2024 17:50:16.206415892 CEST | 49716 | 7080 | 192.168.2.10 | 213.190.4.223 |
Jul 25, 2024 17:50:16.206737041 CEST | 49716 | 7080 | 192.168.2.10 | 213.190.4.223 |
Jul 25, 2024 17:50:16.212070942 CEST | 7080 | 49716 | 213.190.4.223 | 192.168.2.10 |
Jul 25, 2024 17:50:37.612843037 CEST | 7080 | 49716 | 213.190.4.223 | 192.168.2.10 |
Jul 25, 2024 17:50:37.612946987 CEST | 49716 | 7080 | 192.168.2.10 | 213.190.4.223 |
Jul 25, 2024 17:50:37.624778032 CEST | 49716 | 7080 | 192.168.2.10 | 213.190.4.223 |
Jul 25, 2024 17:50:37.629808903 CEST | 7080 | 49716 | 213.190.4.223 | 192.168.2.10 |
Jul 25, 2024 17:50:37.636965036 CEST | 49717 | 7080 | 192.168.2.10 | 213.190.4.223 |
Jul 25, 2024 17:50:37.648411036 CEST | 7080 | 49717 | 213.190.4.223 | 192.168.2.10 |
Jul 25, 2024 17:50:37.648628950 CEST | 49717 | 7080 | 192.168.2.10 | 213.190.4.223 |
Jul 25, 2024 17:50:37.649034977 CEST | 49717 | 7080 | 192.168.2.10 | 213.190.4.223 |
Jul 25, 2024 17:50:37.653908968 CEST | 7080 | 49717 | 213.190.4.223 | 192.168.2.10 |
Jul 25, 2024 17:50:59.041941881 CEST | 7080 | 49717 | 213.190.4.223 | 192.168.2.10 |
Jul 25, 2024 17:50:59.042069912 CEST | 49717 | 7080 | 192.168.2.10 | 213.190.4.223 |
Jul 25, 2024 17:50:59.042182922 CEST | 49717 | 7080 | 192.168.2.10 | 213.190.4.223 |
Jul 25, 2024 17:50:59.042854071 CEST | 49718 | 7080 | 192.168.2.10 | 213.190.4.223 |
Jul 25, 2024 17:50:59.048762083 CEST | 7080 | 49717 | 213.190.4.223 | 192.168.2.10 |
Jul 25, 2024 17:50:59.048780918 CEST | 7080 | 49718 | 213.190.4.223 | 192.168.2.10 |
Jul 25, 2024 17:50:59.048893929 CEST | 49718 | 7080 | 192.168.2.10 | 213.190.4.223 |
Jul 25, 2024 17:50:59.049030066 CEST | 49718 | 7080 | 192.168.2.10 | 213.190.4.223 |
Jul 25, 2024 17:50:59.058638096 CEST | 7080 | 49718 | 213.190.4.223 | 192.168.2.10 |
Jul 25, 2024 17:50:59.058712959 CEST | 49718 | 7080 | 192.168.2.10 | 213.190.4.223 |
Jul 25, 2024 17:50:59.060978889 CEST | 49719 | 80 | 192.168.2.10 | 175.107.196.192 |
Jul 25, 2024 17:50:59.068340063 CEST | 80 | 49719 | 175.107.196.192 | 192.168.2.10 |
Jul 25, 2024 17:50:59.068526983 CEST | 49719 | 80 | 192.168.2.10 | 175.107.196.192 |
Jul 25, 2024 17:50:59.068876028 CEST | 49719 | 80 | 192.168.2.10 | 175.107.196.192 |
Jul 25, 2024 17:50:59.073782921 CEST | 80 | 49719 | 175.107.196.192 | 192.168.2.10 |
Jul 25, 2024 17:51:20.487788916 CEST | 80 | 49719 | 175.107.196.192 | 192.168.2.10 |
Jul 25, 2024 17:51:20.487948895 CEST | 49719 | 80 | 192.168.2.10 | 175.107.196.192 |
Jul 25, 2024 17:51:20.488374949 CEST | 49719 | 80 | 192.168.2.10 | 175.107.196.192 |
Jul 25, 2024 17:51:20.493213892 CEST | 80 | 49719 | 175.107.196.192 | 192.168.2.10 |
Jul 25, 2024 17:51:20.495786905 CEST | 49720 | 80 | 192.168.2.10 | 175.107.196.192 |
Jul 25, 2024 17:51:20.500818014 CEST | 80 | 49720 | 175.107.196.192 | 192.168.2.10 |
Jul 25, 2024 17:51:20.504098892 CEST | 49720 | 80 | 192.168.2.10 | 175.107.196.192 |
Jul 25, 2024 17:51:20.505332947 CEST | 49720 | 80 | 192.168.2.10 | 175.107.196.192 |
Jul 25, 2024 17:51:20.510222912 CEST | 80 | 49720 | 175.107.196.192 | 192.168.2.10 |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.10 | 49719 | 175.107.196.192 | 80 | 8172 | C:\Windows\SysWOW64\regsvr32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Jul 25, 2024 17:50:59.068876028 CEST | 149 | OUT | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.10 | 49720 | 175.107.196.192 | 80 | 8172 | C:\Windows\SysWOW64\regsvr32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Jul 25, 2024 17:51:20.505332947 CEST | 95 | OUT | |
Target ID: | 0 |
Start time: | 11:49:19 |
Start date: | 25/07/2024 |
Path: | C:\Windows\System32\loaddll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x610000 |
File size: | 126'464 bytes |
MD5 hash: | 51E6071F9CBA48E79F10C84515AAE618 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 2 |
Start time: | 11:49:20 |
Start date: | 25/07/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff620390000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 11:49:20 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd70000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 4 |
Start time: | 11:49:20 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\regsvr32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8c0000 |
File size: | 20'992 bytes |
MD5 hash: | 878E47C8656E53AE8A8A21E927C6F7E0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | high |
Has exited: | true |
Target ID: | 5 |
Start time: | 11:49:20 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x10000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | high |
Has exited: | true |
Target ID: | 6 |
Start time: | 11:49:21 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x10000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | high |
Has exited: | true |
Target ID: | 7 |
Start time: | 11:49:22 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\regsvr32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8c0000 |
File size: | 20'992 bytes |
MD5 hash: | 878E47C8656E53AE8A8A21E927C6F7E0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | high |
Has exited: | false |
Target ID: | 8 |
Start time: | 11:49:24 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x10000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 11 |
Start time: | 11:50:04 |
Start date: | 25/07/2024 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7df220000 |
File size: | 55'320 bytes |
MD5 hash: | B7F884C1B74A263F746EE12A5F7C9F6A |
Has elevated privileges: | true |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |
Execution Graph
Execution Coverage: | 4% |
Dynamic/Decrypted Code Coverage: | 32.8% |
Signature Coverage: | 22.9% |
Total number of Nodes: | 597 |
Total number of Limit Nodes: | 24 |
Graph
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
100050CF | 41.1 | | 32 | 1098 | COMMON |
6D5F9E50 | 38.9 | 19 | 3 | 385 | memory, COMMON, LIBRARYCODE |
10008844 | 9.0 | | 7 | 256 | COMMON |
10020E7A | 9.0 | | 7 | 248 | COMMON |
10018131 | 7.8 | | 6 | 273 | COMMON |
6D5F8F00 | 7.0 | 4 | | 1014 | memory, COMMON, LIBRARYCODE |
1001416E | 5.3 | | 4 | 331 | COMMON |
1000A9CF | 5.2 | | 4 | 221 | COMMON |
1001D15E | 3.9 | | 3 | 186 | COMMON |
100082D2 | 3.9 | | 3 | 184 | COMMON |
10008FE9 | 3.9 | | 3 | 130 | COMMON |
10004B40 | 2.7 | | 2 | 194 | COMMON |
1000303A | 2.5 | | 2 | 48 | COMMON |
10021E49 | 0.1 | | | 86 | COMMON |
6D61FB51 | 16.6 | 11 | | 106 | memory, COMMON, LIBRARYCODE |
6D62CED5 | 7.5 | 5 | | 44 | memory, COMMON, LIBRARYCODE |
10004A9D | 3.5 | 1 | 1 | 43 | library, COMMON |
1001A50A | 1.6 | 1 | | 70 | file, COMMON |
100102D8 | 1.6 | 1 | | 60 | COMMON |
10003506 | 1.5 | 1 | | 47 | memory, COMMON |
6D63575B | 1.5 | 1 | | 20 | memory, COMMON, LIBRARYCODE |
6D5F82A0 | 1.3 | 1 | | 10 | memory, COMMON |
6D5F82C0 | 1.3 | 1 | | 8 | COMMON |
6D5FD2D0 | 95.7 | 45 | 9 | 1160 | window, file, COMMON |
6D601060 | 54.7 | 29 | 2 | 488 | window, network, COMMON |
6D62BA72 | 35.3 | 19 | 1 | 323 | window, keyboard, COMMON |
10010503 | 30.8 | | 24 | 779 | COMMON |
6D5FF510 | 25.2 | 11 | 3 | 683 | thread, window, shutdown, COMMON |
1000ED0A | 23.3 | | 18 | 791 | COMMON |
1001BD63 | 22.0 | | 17 | 709 | COMMON |
6D613699 | 19.7 | 9 | 2 | 443 | library, loader, COMMON |
1000D4BC | 15.6 | | 12 | 647 | COMMON |
1001519C | 14.4 | | 11 | 619 | COMMON |
10009C1B | 14.1 | | 11 | 399 | COMMON |
6D61D098 | 14.1 | 7 | 1 | 106 | file, string, COMMON |
1001490E | 14.0 | | 11 | 268 | COMMON |
6D61DB05 | 13.6 | 9 | | 79 | window, COMMON |
1001D4AE | 13.0 | | 10 | 457 | COMMON |
10019A0C | 12.9 | | 10 | 416 | COMMON |
10002710 | 12.8 | | 10 | 327 | COMMON |
6D6001FE | 12.6 | 4 | 3 | 376 | window, thread, shutdown, COMMON |
6D5FFC12 | 12.5 | 6 | 1 | 246 | thread, window, COMMON |
6D5FFB8F | 12.5 | 6 | 1 | 246 | thread, window, COMMON |
1001AF0B | 11.8 | | 9 | 577 | COMMON |
10011B29 | 11.7 | | 9 | 415 | COMMON |
1000364E | 11.6 | | 9 | 371 | COMMON |
10004313 | 11.6 | | 9 | 365 | COMMON |
6D613417 | 10.7 | 7 | | 173 | com, COMMON |
1000AEBB | 10.5 | | 8 | 477 | COMMON |
100213A3 | 10.3 | | 8 | 287 | COMMON |
6D5FB800 | 9.1 | 6 | | 74 | window, COMMON |
100071E3 | 9.0 | | 7 | 261 | COMMON |
1001E168 | 9.0 | | 7 | 235 | COMMON |
1000C151 | 8.9 | | 7 | 195 | COMMON |
6D5F27F0 | 8.8 | 3 | 2 | 96 | library, loader, COMMON |
6D617787 | 8.8 | 4 | 1 | 73 | library, COMMON |
1001FECB | 7.8 | | 6 | 306 | COMMON |
10020A01 | 7.7 | | 6 | 218 | COMMON |
10003F5A | 7.7 | | 6 | 171 | COMMON |
10017098 | 6.6 | | 5 | 376 | COMMON |
1001A916 | 6.5 | | 5 | 287 | COMMON |
1001E5ED | 6.5 | | 5 | 255 | COMMON |
1000C4E5 | 6.5 | | 5 | 252 | COMMON |
10016998 | 6.4 | | 5 | 172 | COMMON |
1001EEC2 | 5.3 | | 4 | 349 | COMMON |
1000958A | 5.3 | | 4 | 262 | COMMON |
10001A5F | 5.2 | | 4 | 176 | COMMON |
10017E3D | 5.2 | | 4 | 167 | COMMON |
10013983 | 5.2 | | 4 | 153 | COMMON |
6D6078E8 | 4.5 | 3 | | 38 | COMMON |
1000E65A | 4.0 | | 3 | 259 | COMMON |
10012B1F | 4.0 | | 3 | 242 | COMMON |
1000CDE0 | 4.0 | | 3 | 229 | COMMON |
10012783 | 4.0 | | 3 | 201 | COMMON |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 100022F7 Relevance: 3.9, Strings: 3, Instructions: 191COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 10017730 Relevance: 3.9, Strings: 3, Instructions: 182COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 1000BB14 Relevance: 3.9, Strings: 3, Instructions: 149COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 10007761 Relevance: 3.9, Strings: 3, Instructions: 142COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 10013231 Relevance: 3.9, Strings: 3, Instructions: 125COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 1001CFA0 Relevance: 3.9, Strings: 3, Instructions: 110COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 10019285 Relevance: 2.7, Strings: 2, Instructions: 229COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 10001DCA Relevance: 2.7, Strings: 2, Instructions: 216COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 100205F6 Relevance: 2.7, Strings: 2, Instructions: 166COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 10014E54 Relevance: 2.7, Strings: 2, Instructions: 159COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 10013E89 Relevance: 2.7, Strings: 2, Instructions: 156COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 1000A4DE Relevance: 2.6, Strings: 2, Instructions: 145COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 10007013 Relevance: 2.6, Strings: 2, Instructions: 127COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 10009343 Relevance: 2.6, Strings: 2, Instructions: 117COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 10016E97 Relevance: 2.6, Strings: 2, Instructions: 111COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 1001FAD1 Relevance: 2.6, Strings: 2, Instructions: 111COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 10013094 Relevance: 2.6, Strings: 2, Instructions: 103COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 1001F7F4 Relevance: 2.6, Strings: 2, Instructions: 91COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 6D60BF21 Relevance: 2.0, APIs: 1, Instructions: 452COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D61A853 Relevance: 1.5, APIs: 1, Instructions: 13networkCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D61A53D Relevance: 1.5, APIs: 1, Instructions: 10networkCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 100135A3 Relevance: 1.5, Strings: 1, Instructions: 211COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 1001DF2B Relevance: 1.4, Strings: 1, Instructions: 127COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 10021A0A Relevance: 1.4, Strings: 1, Instructions: 124COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 1000188C Relevance: 1.4, Strings: 1, Instructions: 105COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 100223B9 Relevance: 1.4, Strings: 1, Instructions: 103COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 1001F9AF Relevance: 1.3, Strings: 1, Instructions: 77COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 1000186B Relevance: 1.3, Strings: 1, Instructions: 74COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 10002F36 Relevance: 1.3, Strings: 1, Instructions: 72COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 1000CA3C Relevance: 1.3, Strings: 1, Instructions: 49COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 6D62FE6E Relevance: .4, Instructions: 384COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D62FA4E Relevance: .4, Instructions: 378COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D62F642 Relevance: .4, Instructions: 361COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D62F26E Relevance: .4, Instructions: 351COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10018966 Relevance: .2, Instructions: 194COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 1001604B Relevance: .2, Instructions: 173COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 100186EE Relevance: .1, Instructions: 143COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 10021FC7 Relevance: .1, Instructions: 141COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 10017B9E Relevance: .1, Instructions: 136COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 1001A683 Relevance: .1, Instructions: 121COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 100166C8 Relevance: .1, Instructions: 109COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 1000E4F5 Relevance: .1, Instructions: 106COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 1001F5D9 Relevance: .1, Instructions: 105COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 10018EF8 Relevance: .1, Instructions: 104COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 10019054 Relevance: .1, Instructions: 88COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 100117D2 Relevance: .1, Instructions: 71COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 1000806B Relevance: .1, Instructions: 67COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 100032AC Relevance: .0, Instructions: 2COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 6D62B5BE Relevance: 42.0, APIs: 12, Strings: 12, Instructions: 45registryclipboardCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D6055A0 Relevance: 35.4, APIs: 19, Strings: 1, Instructions: 416fileCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D6179A3 Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 158libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D600700 Relevance: 28.5, APIs: 14, Strings: 2, Instructions: 492windowthreadCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D6077A0 Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 78libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D62A7A6 Relevance: 26.0, APIs: 17, Instructions: 453windowkeyboardCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D609A48 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 175windowCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D6280B2 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 129registryclipboardCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D63434F Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 57libraryloaderCOMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D604F40 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 184windowCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D6050C9 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 162windowsleepCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D615EDA Relevance: 21.1, APIs: 14, Instructions: 99synchronizationthreadinjectionCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D5FC7B0 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 189threadinjectionCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D605077 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 141windowsleepCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D605079 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 141windowsleepCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D61417F Relevance: 18.3, APIs: 12, Instructions: 310COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D6172DF Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 60libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D612346 Relevance: 16.6, APIs: 11, Instructions: 139COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D62B3D6 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 116librarymemoryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D628E0A Relevance: 15.1, APIs: 10, Instructions: 97COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D604B40 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 179registrywindowCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D5FBB50 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 101windowCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D5FCEF0 Relevance: 13.7, APIs: 9, Instructions: 152COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D5FAA20 Relevance: 13.6, APIs: 9, Instructions: 137COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D61A6A2 Relevance: 13.6, APIs: 9, Instructions: 120windowtimenetworkCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D61FD10 Relevance: 13.6, APIs: 9, Instructions: 96memoryCOMMONLIBRARYCODE
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D6033C0 Relevance: 13.6, APIs: 9, Instructions: 89windowCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D61D9DA Relevance: 13.6, APIs: 9, Instructions: 67windowCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D6322A7 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 71threadCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D5F5990 Relevance: 12.1, APIs: 8, Instructions: 81COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D632224 Relevance: 12.0, APIs: 8, Instructions: 42threadCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D61F826 Relevance: 12.0, APIs: 8, Instructions: 39COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D5F3DB0 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 324fileCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D5F3980 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 324fileCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D626FDC Relevance: 10.6, APIs: 7, Instructions: 128COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D627DDE Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 128stringCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D60A1B8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104windowCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D618147 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101registryCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D617FC9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 86registryCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D628407 Relevance: 10.6, APIs: 7, Instructions: 70windowCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D6282A3 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66registryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D6082C4 Relevance: 10.6, APIs: 7, Instructions: 61COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D61FDB1 Relevance: 10.6, APIs: 7, Instructions: 51memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D635FAB Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47COMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D61F7E0 Relevance: 10.5, APIs: 7, Instructions: 30COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D626A9D Relevance: 9.4, APIs: 6, Instructions: 403COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D61F26D Relevance: 9.3, APIs: 6, Instructions: 256stringCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D5FB8D0 Relevance: 9.2, APIs: 6, Instructions: 166COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D613D2B Relevance: 9.1, APIs: 6, Instructions: 140windowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D612190 Relevance: 9.1, APIs: 6, Instructions: 136COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D623C52 Relevance: 9.1, APIs: 6, Instructions: 126COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D61F659 Relevance: 9.1, APIs: 6, Instructions: 116memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D5FC190 Relevance: 9.1, APIs: 6, Instructions: 79threadCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D61914F Relevance: 9.1, APIs: 6, Instructions: 72windowCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D612637 Relevance: 9.1, APIs: 6, Instructions: 69COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D6201FE Relevance: 9.0, APIs: 6, Instructions: 46COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D6256F1 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 293memoryCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D603920 Relevance: 9.0, APIs: 6, Instructions: 41COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D601D50 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 162windowCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D60D6ED Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94windowCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D5F4890 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 87windowCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D5FBD10 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76sleepCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D5FB350 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40processsynchronizationCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D5F4F00 Relevance: 7.6, APIs: 5, Instructions: 125windowCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D61E3A1 Relevance: 7.6, APIs: 5, Instructions: 88memoryCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D6051D0 Relevance: 7.6, APIs: 5, Instructions: 85threadCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D60ABC0 Relevance: 7.6, APIs: 5, Instructions: 80windowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D6310D8 Relevance: 7.6, APIs: 5, Instructions: 71COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D612928 Relevance: 7.6, APIs: 5, Instructions: 68windowCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D6194B6 Relevance: 7.6, APIs: 5, Instructions: 60windowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D616F19 Relevance: 7.6, APIs: 5, Instructions: 59COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D616E89 Relevance: 7.6, APIs: 5, Instructions: 59COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D6018F0 Relevance: 7.6, APIs: 5, Instructions: 58windowCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D61A8A5 Relevance: 7.6, APIs: 5, Instructions: 55networkCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D62000E Relevance: 7.6, APIs: 5, Instructions: 54stringCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D6031B0 Relevance: 7.5, APIs: 5, Instructions: 38COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D632218 Relevance: 7.5, APIs: 5, Instructions: 24threadCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D6048B0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 154windowCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D60CB7F Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 95COMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D627D7C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43memoryCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D60B3BB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D633BFF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D61EB40 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D639248 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D5FBFF0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29libraryloaderCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D626193 Relevance: 6.2, APIs: 4, Instructions: 174windowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D5F89A0 Relevance: 6.2, APIs: 4, Instructions: 172memoryCOMMONLIBRARYCODE
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D60F1DF Relevance: 6.1, APIs: 4, Instructions: 136COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D5F50A0 Relevance: 6.1, APIs: 4, Instructions: 132windowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D627918 Relevance: 6.1, APIs: 4, Instructions: 131timeCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D613FDB Relevance: 6.1, APIs: 4, Instructions: 107windowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D60DEF3 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D620870 Relevance: 6.1, APIs: 4, Instructions: 89COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D61B15C Relevance: 6.1, APIs: 4, Instructions: 89networkCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D62A224 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D613EE8 Relevance: 6.1, APIs: 4, Instructions: 75windowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D60E546 Relevance: 6.1, APIs: 4, Instructions: 74COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D61E644 Relevance: 6.1, APIs: 4, Instructions: 62COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D6120AA Relevance: 6.1, APIs: 4, Instructions: 59COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D607195 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMONLIBRARYCODE
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D617C86 Relevance: 6.1, APIs: 4, Instructions: 57threadCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D60BEA3 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D61B95E Relevance: 6.1, APIs: 4, Instructions: 56COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D6114E9 Relevance: 6.1, APIs: 4, Instructions: 52COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D62B97D Relevance: 6.1, APIs: 4, Instructions: 51COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D60AA45 Relevance: 6.0, APIs: 4, Instructions: 50COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D61ED99 Relevance: 6.0, APIs: 4, Instructions: 49memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D61484B Relevance: 6.0, APIs: 4, Instructions: 49COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D60A3C1 Relevance: 6.0, APIs: 4, Instructions: 49COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D6042B0 Relevance: 6.0, APIs: 4, Instructions: 49windowCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D60D10A Relevance: 6.0, APIs: 4, Instructions: 45COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D6086EA Relevance: 6.0, APIs: 4, Instructions: 44COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D6040D0 Relevance: 6.0, APIs: 4, Instructions: 35COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D5FA8B0 Relevance: 6.0, APIs: 4, Instructions: 34COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D6124AE Relevance: 6.0, APIs: 4, Instructions: 32COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D62B6A2 Relevance: 6.0, APIs: 4, Instructions: 25COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D6321A6 Relevance: 6.0, APIs: 4, Instructions: 19threadCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D62BEA7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56windowCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D619F34 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D614C8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39windowCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6D633978 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37, Tags: COMMON, LIBRARYCODE
Function 6D62BF5C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24, Tags: library, loader, COMMON
Function 6D61FE60 Relevance: 5.1, APIs: 4, Instructions: 61, Tags: COMMON
Execution Graph
Execution Coverage: | 4.8% |
Dynamic/Decrypted Code Coverage: | 37.7% |
Signature Coverage: | 0% |
Total number of Nodes: | 644 |
Total number of Limit Nodes: | 24 |
Graph
Function 6D5F9E50 Relevance: 38.9, APIs: 19, Strings: 3, Instructions: 385, Tags: memory, COMMON, LIBRARYCODE
Control-flow Graph
Function 6D61FB51 Relevance: 16.6, APIs: 11, Instructions: 106, Tags: memory, COMMON, LIBRARYCODE
Control-flow Graph
Function 6D62CED5 Relevance: 7.5, APIs: 5, Instructions: 44, Tags: memory, COMMON, LIBRARYCODE
Control-flow Graph
Function 6D5F8F00 Relevance: 7.0, APIs: 4, Instructions: 1014, Tags: memory, COMMON, LIBRARYCODE
Control-flow Graph
Function 10004A9D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 43, Tags: library, COMMON
Yara matches
Function 1001A50A Relevance: 1.6, APIs: 1, Instructions: 70, Tags: file, COMMON
Yara matches
Function 1000816B Relevance: 1.6, APIs: 1, Instructions: 68, Tags: process, COMMON
Yara matches
Function 100102D8 Relevance: 1.6, APIs: 1, Instructions: 60, Tags: COMMON
Yara matches
Function 1001EAB3 Relevance: 1.5, APIs: 1, Instructions: 49, Tags: COMMON
Yara matches
Function 10006F64 Relevance: 1.5, APIs: 1, Instructions: 49, Tags: memory, COMMON
Yara matches
Function 10003506 Relevance: 1.5, APIs: 1, Instructions: 47, Tags: memory, COMMON
Yara matches
Function 6D63575B Relevance: 1.5, APIs: 1, Instructions: 20, Tags: memory, COMMON, LIBRARYCODE
Function 6D5F82A0 Relevance: 1.3, APIs: 1, Instructions: 10, Tags: memory, COMMON
Function 6D5F82C0 Relevance: 1.3, APIs: 1, Instructions: 8, Tags: COMMON
Function 6D604F40 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 184, Tags: window, COMMON
Function 6D628E0A Relevance: 15.1, APIs: 10, Instructions: 97, Tags: COMMON
Function 6D5FCEF0 Relevance: 13.7, APIs: 9, Instructions: 152, Tags: COMMON
Function 6D626FDC Relevance: 10.6, APIs: 7, Instructions: 128, Tags: COMMON
Function 6D5F4F00 Relevance: 7.6, APIs: 5, Instructions: 125, Tags: window, COMMON
Function 6D612928 Relevance: 7.6, APIs: 5, Instructions: 68, Tags: window, COMMON
Function 6D616F19 Relevance: 7.6, APIs: 5, Instructions: 59, Tags: COMMON
Function 6D616E89 Relevance: 7.6, APIs: 5, Instructions: 59, Tags: COMMON
Function 6D5F89A0 Relevance: 6.2, APIs: 4, Instructions: 172, Tags: memory, COMMON, LIBRARYCODE
Function 6D620870 Relevance: 6.1, APIs: 4, Instructions: 89, Tags: COMMON
Function 6D61ED99 Relevance: 6.0, APIs: 4, Instructions: 49, Tags: memory, COMMON
Function 6D61484B Relevance: 6.0, APIs: 4, Instructions: 49, Tags: COMMON
Function 6D614C8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39, Tags: window, COMMON