Windows
Analysis Report
vekvtia.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- vekvtia.exe (PID: 7152 cmdline:
"C:\Users\ user\Deskt op\vekvtia .exe" MD5: 274D0AB4368246BE7F22990D9D5CB4CF) - cmd.exe (PID: 7120 cmdline:
"C:\Window s\System32 \cmd.exe" /C mkdir C :\Windows\ SysWOW64\x embmrjv\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7128 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 6476 cmdline:
"C:\Window s\System32 \cmd.exe" /C move /Y "C:\Users \user\AppD ata\Local\ Temp\igqrt psy.exe" C :\Windows\ SysWOW64\x embmrjv\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 5564 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - sc.exe (PID: 5040 cmdline:
"C:\Window s\System32 \sc.exe" c reate xemb mrjv binPa th= "C:\Wi ndows\SysW OW64\xembm rjv\igqrtp sy.exe /d\ "C:\Users\ user\Deskt op\vekvtia .exe\"" ty pe= own st art= auto DisplayNam e= "wifi s upport" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8) - conhost.exe (PID: 1600 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - sc.exe (PID: 7108 cmdline:
"C:\Window s\System32 \sc.exe" d escription xembmrjv "wifi inte rnet conec tion" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8) - conhost.exe (PID: 6428 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - sc.exe (PID: 320 cmdline:
"C:\Window s\System32 \sc.exe" s tart xembm rjv MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8) - conhost.exe (PID: 7112 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - netsh.exe (PID: 3692 cmdline:
"C:\Window s\System32 \netsh.exe " advfirew all firewa ll add rul e name="Ho st-process for servi ces of Win dows" dir= in action= allow prog ram="C:\Wi ndows\SysW OW64\svcho st.exe" en able=yes>n ul MD5: 4E89A1A088BE715D6C946E55AB07C7DF) - conhost.exe (PID: 1876 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- igqrtpsy.exe (PID: 5784 cmdline:
C:\Windows \SysWOW64\ xembmrjv\i gqrtpsy.ex e /d"C:\Us ers\user\D esktop\vek vtia.exe" MD5: CA75AED3D5A70F14C63D2616B573BB74) - svchost.exe (PID: 3664 cmdline:
svchost.ex e MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
- svchost.exe (PID: 2372 cmdline:
C:\Windows \System32\ svchost.ex e -k Local Service -p -s Licens eManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Tofsee | According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more.Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts), however, having Tofsee installed can also lead to many other problems. | No Attribution |
{"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security | ||
Windows_Trojan_Tofsee_26124fe4 | unknown | unknown |
| |
MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen |
| |
JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security | ||
Windows_Trojan_Smokeloader_3687686f | unknown | unknown |
| |
Click to see the 24 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
Windows_Trojan_Tofsee_26124fe4 | unknown | unknown |
| |
MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen |
| |
JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security | ||
Windows_Trojan_Tofsee_26124fe4 | unknown | unknown |
| |
MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen |
| |
Click to see the 39 entries |
System Summary |
---|
Source: | Author: David Burkett, @signalblur: |
Source: | Author: Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: frack113: |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Christian Burkard (Nextron Systems): |
Source: | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: |
Source: | Author: vburov: |
Click to jump to signature section
AV Detection |
---|
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: |
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Compliance |
---|
Source: | Unpacked PE file: | ||
Source: | Unpacked PE file: |
Source: | File opened: | Jump to behavior |
Change of critical system settings |
---|
Source: | Registry key created or modified: | Jump to behavior |
Networking |
---|
Source: | Network Connect: | Jump to behavior | ||
Source: | Network Connect: | Jump to behavior | ||
Source: | Network Connect: | Jump to behavior | ||
Source: | Network Connect: | Jump to behavior | ||
Source: | Network Connect: | Jump to behavior |
Source: | URLs: | ||
Source: | URLs: |
Source: | IP Address: | ||
Source: | IP Address: | ||
Source: | IP Address: |
Source: | ASN Name: | ||
Source: | ASN Name: | ||
Source: | ASN Name: | ||
Source: | ASN Name: |
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: |
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: |
Source: | Code function: | 0_2_00402A62 |
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Spam, unwanted Advertisements and Ransom Demands |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
System Summary |
---|
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Code function: | 0_2_00408E26 |
Source: | Code function: | 0_2_00401280 |
Source: | File created: | Jump to behavior |
Source: | Code function: | 0_2_0040C913 | |
Source: | Code function: | 12_2_0040C913 | |
Source: | Code function: | 15_2_003EC913 |
Source: | Binary or memory string: |
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Classification label: |
Source: | Code function: | 0_2_00406A60 |
Source: | Code function: | 0_2_007F9180 |
Source: | Code function: | 0_2_00409A6B |
Source: | Code function: | 0_2_00409A6B | |
Source: | Code function: | 12_2_00409A6B | |
Source: | Code function: | 15_2_003E9A6B |
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | ReversingLabs: |
Source: | File read: | Jump to behavior |
Source: | Evasive API call chain: | graph_0-14950 | ||
Source: | Evasive API call chain: | graph_12-15091 |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Static file information: |
Source: | File opened: | Jump to behavior |
Data Obfuscation |
---|
Source: | Unpacked PE file: | ||
Source: | Unpacked PE file: |
Source: | Unpacked PE file: | ||
Source: | Unpacked PE file: |
Source: | Code function: | 0_2_00406069 |
Source: | Code function: | 0_2_007FC46E | |
Source: | Code function: | 12_2_008F57C6 |
Persistence and Installation Behavior |
---|
Source: | Executable created and started: |
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file |
Source: | File created: | Jump to dropped file |
Source: | Registry key value modified: | Jump to behavior |
Source: | Code function: | 0_2_00409A6B |
Source: | Process created: |
Hooking and other Techniques for Hiding and Protection |
---|
Source: | File deleted: | Jump to behavior |
Source: | Code function: | 0_2_00401000 |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Source: | Code function: | 15_2_003E199C |
Source: | Decision node followed by non-executed suspicious API: | graph_12-16424 | ||
Source: | Decision node followed by non-executed suspicious API: | graph_15-6408 | ||
Source: | Decision node followed by non-executed suspicious API: | graph_0-15435 |
Source: | Evaded block: | graph_15-6126 |
Source: | Evasive API call chain: | graph_12-15466 | ||
Source: | Evasive API call chain: | graph_0-16143 | ||
Source: | Evasive API call chain: | graph_15-6416 |
Source: | Evasive API call chain: | graph_0-15189 | ||
Source: | Evasive API call chain: | graph_15-7416 |
Source: | Evasive API call chain: | graph_12-15107 | ||
Source: | Evasive API call chain: | graph_0-14965 |
Source: | API coverage: | ||
Source: | API coverage: |
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior |
Source: | Last function: | ||
Source: | Last function: | ||
Source: | Last function: | ||
Source: | Last function: | ||
Source: | Last function: | ||
Source: | Last function: | ||
Source: | Last function: |
Source: | Code function: | 0_2_00401D96 |
Source: | Binary or memory string: |
Source: | API call chain: | graph_0-15396 | ||
Source: | API call chain: | graph_15-6417 |
Anti Debugging |
---|
Source: | Debugger detection routine: | graph_0-16453 | ||
Source: | Debugger detection routine: | graph_15-7651 | ||
Source: | Debugger detection routine: | graph_12-16485 |
Source: | Code function: | 0_2_00406069 |
Source: | Code function: | 0_2_0078092B | |
Source: | Code function: | 0_2_00780D90 | |
Source: | Code function: | 0_2_007F8A5D | |
Source: | Code function: | 12_2_0077092B | |
Source: | Code function: | 12_2_00770D90 | |
Source: | Code function: | 12_2_008F1DB5 |
Source: | Code function: | 0_2_0040EBCC |
Source: | Code function: | 0_2_00409A6B | |
Source: | Code function: | 12_2_00409A6B | |
Source: | Code function: | 15_2_003E9A6B |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Network Connect: | Jump to behavior | ||
Source: | Network Connect: | Jump to behavior | ||
Source: | Network Connect: | Jump to behavior | ||
Source: | Network Connect: | Jump to behavior | ||
Source: | Network Connect: | Jump to behavior |
Source: | Memory allocated: | Jump to behavior |
Source: | Memory written: | Jump to behavior |
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior |
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Code function: | 0_2_00407A95 |
Source: | Code function: | 0_2_00406EDD |
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior |
Source: | Code function: | 0_2_0040405E |
Source: | Code function: | 0_2_0040EC54 |
Source: | Code function: | 0_2_00407A95 |
Source: | Code function: | 0_2_0040B211 |
Source: | Code function: | 0_2_00409326 |
Lowering of HIPS / PFW / Operating System Security Settings |
---|
Source: | Process created: |
Source: | Process created: |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Code function: | 0_2_004088B0 | |
Source: | Code function: | 12_2_004088B0 | |
Source: | Code function: | 15_2_003E88B0 |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | 1 Valid Accounts | 41 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 3 Disable or Modify Tools | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 Valid Accounts | 1 Valid Accounts | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | Data from Removable Media | 12 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | 3 Service Execution | 14 Windows Service | 1 Access Token Manipulation | 2 Obfuscated Files or Information | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 14 Windows Service | 2 Software Packing | NTDS | 15 System Information Discovery | Distributed Component Object Model | Input Capture | 112 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 412 Process Injection | 1 DLL Side-Loading | LSA Secrets | 111 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 File Deletion | Cached Domain Credentials | 11 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Masquerading | DCSync | 1 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Valid Accounts | Proc Filesystem | 1 System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 11 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | 1 System Network Configuration Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Access Token Manipulation | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 412 Process Injection | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
39% | ReversingLabs | |||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | phishing |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
mta6.am0.yahoodns.net | 67.195.204.79 | true | true | unknown | |
mxs.mail.ru | 94.100.180.31 | true | true | unknown | |
microsoft-com.mail.protection.outlook.com | 52.101.8.49 | true | true | unknown | |
vanaheim.cn | 77.232.41.29 | true | true | unknown | |
smtp.google.com | 142.251.168.26 | true | false | unknown | |
google.com | unknown | unknown | true | unknown | |
yahoo.com | unknown | unknown | true | unknown | |
mail.ru | unknown | unknown | true | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true |
| unknown | |
true |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
67.195.204.79 | mta6.am0.yahoodns.net | United States | 26101 | YAHOO-3US | true | |
52.101.8.49 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true | |
142.251.168.26 | smtp.google.com | United States | 15169 | GOOGLEUS | false | |
77.232.41.29 | vanaheim.cn | Russian Federation | 28968 | EUT-ASEUTIPNetworkRU | true | |
94.100.180.31 | mxs.mail.ru | Russian Federation | 47764 | MAILRU-ASMailRuRU | true |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1503657 |
Start date and time: | 2024-09-03 19:05:09 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 17s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 19 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | vekvtia.exe |
Detection: | MAL |
Classification: | mal100.troj.evad.winEXE@23/3@9/5 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded IPs from analysis (whitelisted): 20.236.44.162, 20.70.246.20, 20.231.239.246, 20.112.250.133, 20.76.201.171
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, microsoft.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtEnumerateKey calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: vekvtia.exe
Time | Type | Description |
---|---|---|
13:06:48 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
67.195.204.79 | Get hash | malicious | Phorpiex | Browse | ||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Phorpiex, Xmrig | Browse | |||
Get hash | malicious | Phorpiex | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
52.101.8.49 | Get hash | malicious | Tofsee | Browse | ||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Tofsee | Browse | |||
Get hash | malicious | Tofsee | Browse | |||
Get hash | malicious | Tofsee | Browse | |||
Get hash | malicious | Tofsee | Browse | |||
Get hash | malicious | Tofsee | Browse | |||
Get hash | malicious | Tofsee | Browse | |||
Get hash | malicious | Tofsee | Browse | |||
Get hash | malicious | Tofsee | Browse | |||
77.232.41.29 | Get hash | malicious | Tofsee | Browse | ||
Get hash | malicious | Tofsee | Browse | |||
Get hash | malicious | Tofsee | Browse | |||
Get hash | malicious | Tofsee | Browse | |||
94.100.180.31 | Get hash | malicious | Tofsee | Browse | ||
Get hash | malicious | Tofsee | Browse | |||
Get hash | malicious | Tofsee | Browse | |||
Get hash | malicious | Tofsee | Browse | |||
Get hash | malicious | Tofsee | Browse | |||
Get hash | malicious | Tofsee | Browse | |||
Get hash | malicious | Tofsee | Browse | |||
Get hash | malicious | Tofsee | Browse | |||
Get hash | malicious | Tofsee | Browse | |||
Get hash | malicious | Phorpiex, Xmrig | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
mxs.mail.ru | Get hash | malicious | Tofsee | Browse |
| |
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | Tofsee | Browse |
| ||
mta6.am0.yahoodns.net | Get hash | malicious | Tofsee | Browse |
| |
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | Tofsee | Browse |
| ||
microsoft-com.mail.protection.outlook.com | Get hash | malicious | Tofsee | Browse |
| |
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Tofsee | Browse |
| ||
vanaheim.cn | Get hash | malicious | Tofsee | Browse |
| |
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | Tofsee | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
YAHOO-3US | Get hash | malicious | Tofsee | Browse |
| |
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Mirai, Gafgyt, Okiru | Browse |
| ||
EUT-ASEUTIPNetworkRU | Get hash | malicious | Tofsee | Browse |
| |
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | Cryptbot | Browse |
| ||
Get hash | malicious | Cryptbot | Browse |
| ||
Get hash | malicious | Cryptbot | Browse |
| ||
Get hash | malicious | Cryptbot | Browse |
| ||
Get hash | malicious | Cryptbot | Browse |
| ||
Get hash | malicious | Cryptbot | Browse |
| ||
MICROSOFT-CORP-MSN-AS-BLOCKUS | Get hash | malicious | Tofsee | Browse |
| |
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
MAILRU-ASMailRuRU | Get hash | malicious | Tofsee | Browse |
| |
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | LummaC Stealer | Browse |
| ||
Get hash | malicious | LummaC Stealer | Browse |
| ||
Get hash | malicious | Tofsee | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Tofsee | Browse |
|
Process: | C:\Users\user\Desktop\vekvtia.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12936704 |
Entropy (8bit): | 4.596303678164068 |
Encrypted: | false |
SSDEEP: | 6144:4c6OZDisWsD0Td2HJxO+m8PuG1R4WnWjrsaz:41OZDisvwdaxO0PuG1R4CWs |
MD5: | CA75AED3D5A70F14C63D2616B573BB74 |
SHA1: | 4B27332D9E901CFA61A32E96E64BFF1EBCD6CE09 |
SHA-256: | 99CDFAFD7F532F87951A79A74A90B9F10DC8A5FFCB4915298D9BE610AB217EA4 |
SHA-512: | D02AD32803E325411B9A0F30DF718B9F0120669DF9AD9243F8C8095F7CBBC868EB299BE693BE709B7B66E6ED5CC3805764303A0D4607E4B14FDE3C6CC9FEA254 |
Malicious: | true |
Antivirus: |
|
Preview: |
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12936704 |
Entropy (8bit): | 4.596303678164068 |
Encrypted: | false |
SSDEEP: | 6144:4c6OZDisWsD0Td2HJxO+m8PuG1R4WnWjrsaz:41OZDisvwdaxO0PuG1R4CWs |
MD5: | CA75AED3D5A70F14C63D2616B573BB74 |
SHA1: | 4B27332D9E901CFA61A32E96E64BFF1EBCD6CE09 |
SHA-256: | 99CDFAFD7F532F87951A79A74A90B9F10DC8A5FFCB4915298D9BE610AB217EA4 |
SHA-512: | D02AD32803E325411B9A0F30DF718B9F0120669DF9AD9243F8C8095F7CBBC868EB299BE693BE709B7B66E6ED5CC3805764303A0D4607E4B14FDE3C6CC9FEA254 |
Malicious: | true |
Preview: |
Process: | C:\Windows\SysWOW64\netsh.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 3773 |
Entropy (8bit): | 4.7109073551842435 |
Encrypted: | false |
SSDEEP: | 48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w |
MD5: | DA3247A302D70819F10BCEEBAF400503 |
SHA1: | 2857AA198EE76C86FC929CC3388A56D5FD051844 |
SHA-256: | 5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8 |
SHA-512: | 48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 4.608398278849609 |
TrID: |
|
File name: | vekvtia.exe |
File size: | 10'966'528 bytes |
MD5: | 274d0ab4368246be7f22990d9d5cb4cf |
SHA1: | d34547e852863893aef034effc726bf2ee227d02 |
SHA256: | 21a5e8cf356706a639eee50ea97cecef91685eb906921245c314ac50950b9825 |
SHA512: | dab676f30f08c6719e26cc376c89803a14d89adf50c6ee31d941f724b3dae03ca1cce950a3dd7651e3ed5f40323b021c875cdd1dfbbba9952cd417d7a3f90e81 |
SSDEEP: | 6144:Sc6OZDisWsD0Td2HJxO+m8PuG1R4WnWjrsaz:S1OZDisvwdaxO0PuG1R4CWs |
TLSH: | 7EB6537392E5BD54FA627A329E2FC6FC361EF951CD08379A2118BF0F2471162D1AA311 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`P..$1v.$1v.$1v.KG..81v.KG..>1v.KG..T1v.-I..#1v.$1w..1v.KG..%1v.KG..%1v.KG..%1v.Rich$1v.........PE..L....M.e................... |
Icon Hash: | cd4d3d2e4e054d03 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 3, 2024 19:06:06.144110918 CEST | 49705 | 25 | 192.168.2.5 | 52.101.8.49 |
Sep 3, 2024 19:06:07.146706104 CEST | 49705 | 25 | 192.168.2.5 | 52.101.8.49 |
Sep 3, 2024 19:06:09.146687031 CEST | 49705 | 25 | 192.168.2.5 | 52.101.8.49 |
Sep 3, 2024 19:06:09.241677999 CEST | 49706 | 443 | 192.168.2.5 | 77.232.41.29 |
Sep 3, 2024 19:06:09.241715908 CEST | 443 | 49706 | 77.232.41.29 | 192.168.2.5 |
Sep 3, 2024 19:06:09.241792917 CEST | 49706 | 443 | 192.168.2.5 | 77.232.41.29 |
Sep 3, 2024 19:06:13.162341118 CEST | 49705 | 25 | 192.168.2.5 | 52.101.8.49 |
Sep 3, 2024 19:06:21.162314892 CEST | 49705 | 25 | 192.168.2.5 | 52.101.8.49 |
Sep 3, 2024 19:06:26.152616978 CEST | 49714 | 25 | 192.168.2.5 | 67.195.204.79 |
Sep 3, 2024 19:06:27.162405968 CEST | 49714 | 25 | 192.168.2.5 | 67.195.204.79 |
Sep 3, 2024 19:06:29.177975893 CEST | 49714 | 25 | 192.168.2.5 | 67.195.204.79 |
Sep 3, 2024 19:06:33.193589926 CEST | 49714 | 25 | 192.168.2.5 | 67.195.204.79 |
Sep 3, 2024 19:06:41.193597078 CEST | 49714 | 25 | 192.168.2.5 | 67.195.204.79 |
Sep 3, 2024 19:06:47.019665003 CEST | 49715 | 25 | 192.168.2.5 | 142.251.168.26 |
Sep 3, 2024 19:06:48.021739006 CEST | 49715 | 25 | 192.168.2.5 | 142.251.168.26 |
Sep 3, 2024 19:06:49.240818977 CEST | 49706 | 443 | 192.168.2.5 | 77.232.41.29 |
Sep 3, 2024 19:06:49.240900993 CEST | 443 | 49706 | 77.232.41.29 | 192.168.2.5 |
Sep 3, 2024 19:06:49.240968943 CEST | 49706 | 443 | 192.168.2.5 | 77.232.41.29 |
Sep 3, 2024 19:06:49.350766897 CEST | 49716 | 443 | 192.168.2.5 | 77.232.41.29 |
Sep 3, 2024 19:06:49.350811005 CEST | 443 | 49716 | 77.232.41.29 | 192.168.2.5 |
Sep 3, 2024 19:06:49.350877047 CEST | 49716 | 443 | 192.168.2.5 | 77.232.41.29 |
Sep 3, 2024 19:06:50.021733999 CEST | 49715 | 25 | 192.168.2.5 | 142.251.168.26 |
Sep 3, 2024 19:06:54.021738052 CEST | 49715 | 25 | 192.168.2.5 | 142.251.168.26 |
Sep 3, 2024 19:07:02.021806955 CEST | 49715 | 25 | 192.168.2.5 | 142.251.168.26 |
Sep 3, 2024 19:07:07.038412094 CEST | 49718 | 25 | 192.168.2.5 | 94.100.180.31 |
Sep 3, 2024 19:07:08.037384033 CEST | 49718 | 25 | 192.168.2.5 | 94.100.180.31 |
Sep 3, 2024 19:07:10.037379026 CEST | 49718 | 25 | 192.168.2.5 | 94.100.180.31 |
Sep 3, 2024 19:07:14.052983999 CEST | 49718 | 25 | 192.168.2.5 | 94.100.180.31 |
Sep 3, 2024 19:07:22.068690062 CEST | 49718 | 25 | 192.168.2.5 | 94.100.180.31 |
Sep 3, 2024 19:07:29.350158930 CEST | 49716 | 443 | 192.168.2.5 | 77.232.41.29 |
Sep 3, 2024 19:07:29.350229025 CEST | 443 | 49716 | 77.232.41.29 | 192.168.2.5 |
Sep 3, 2024 19:07:29.350325108 CEST | 49716 | 443 | 192.168.2.5 | 77.232.41.29 |
Sep 3, 2024 19:07:29.460329056 CEST | 49719 | 443 | 192.168.2.5 | 77.232.41.29 |
Sep 3, 2024 19:07:29.460369110 CEST | 443 | 49719 | 77.232.41.29 | 192.168.2.5 |
Sep 3, 2024 19:07:29.460462093 CEST | 49719 | 443 | 192.168.2.5 | 77.232.41.29 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 3, 2024 19:06:05.887734890 CEST | 55583 | 53 | 192.168.2.5 | 1.1.1.1 |
Sep 3, 2024 19:06:06.142760992 CEST | 53 | 55583 | 1.1.1.1 | 192.168.2.5 |
Sep 3, 2024 19:06:08.922777891 CEST | 53620 | 53 | 192.168.2.5 | 1.1.1.1 |
Sep 3, 2024 19:06:09.237741947 CEST | 53 | 53620 | 1.1.1.1 | 192.168.2.5 |
Sep 3, 2024 19:06:26.132100105 CEST | 55104 | 53 | 192.168.2.5 | 1.1.1.1 |
Sep 3, 2024 19:06:26.139076948 CEST | 53 | 55104 | 1.1.1.1 | 192.168.2.5 |
Sep 3, 2024 19:06:26.140149117 CEST | 49916 | 53 | 192.168.2.5 | 1.1.1.1 |
Sep 3, 2024 19:06:26.152061939 CEST | 53 | 49916 | 1.1.1.1 | 192.168.2.5 |
Sep 3, 2024 19:06:46.163031101 CEST | 62209 | 53 | 192.168.2.5 | 1.1.1.1 |
Sep 3, 2024 19:06:47.011306047 CEST | 53 | 62209 | 1.1.1.1 | 192.168.2.5 |
Sep 3, 2024 19:06:47.012104034 CEST | 61527 | 53 | 192.168.2.5 | 1.1.1.1 |
Sep 3, 2024 19:06:47.019150972 CEST | 53 | 61527 | 1.1.1.1 | 192.168.2.5 |
Sep 3, 2024 19:07:07.022238016 CEST | 64084 | 53 | 192.168.2.5 | 1.1.1.1 |
Sep 3, 2024 19:07:07.030286074 CEST | 53 | 64084 | 1.1.1.1 | 192.168.2.5 |
Sep 3, 2024 19:07:07.030951977 CEST | 49245 | 53 | 192.168.2.5 | 1.1.1.1 |
Sep 3, 2024 19:07:07.037951946 CEST | 53 | 49245 | 1.1.1.1 | 192.168.2.5 |
Sep 3, 2024 19:08:06.105032921 CEST | 63108 | 53 | 192.168.2.5 | 1.1.1.1 |
Sep 3, 2024 19:08:06.446161985 CEST | 53 | 63108 | 1.1.1.1 | 192.168.2.5 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Sep 3, 2024 19:06:05.887734890 CEST | 192.168.2.5 | 1.1.1.1 | 0x453e | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Sep 3, 2024 19:06:08.922777891 CEST | 192.168.2.5 | 1.1.1.1 | 0x9b29 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Sep 3, 2024 19:06:26.132100105 CEST | 192.168.2.5 | 1.1.1.1 | 0x193f | Standard query (0) | MX (Mail exchange) | IN (0x0001) | false | |
Sep 3, 2024 19:06:26.140149117 CEST | 192.168.2.5 | 1.1.1.1 | 0x4ac8 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Sep 3, 2024 19:06:46.163031101 CEST | 192.168.2.5 | 1.1.1.1 | 0x1fc3 | Standard query (0) | MX (Mail exchange) | IN (0x0001) | false | |
Sep 3, 2024 19:06:47.012104034 CEST | 192.168.2.5 | 1.1.1.1 | 0x7a84 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Sep 3, 2024 19:07:07.022238016 CEST | 192.168.2.5 | 1.1.1.1 | 0xa83e | Standard query (0) | MX (Mail exchange) | IN (0x0001) | false | |
Sep 3, 2024 19:07:07.030951977 CEST | 192.168.2.5 | 1.1.1.1 | 0x6130 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Sep 3, 2024 19:08:06.105032921 CEST | 192.168.2.5 | 1.1.1.1 | 0x67 | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Sep 3, 2024 19:06:06.142760992 CEST | 1.1.1.1 | 192.168.2.5 | 0x453e | No error (0) | 52.101.8.49 | A (IP address) | IN (0x0001) | false | ||
Sep 3, 2024 19:06:06.142760992 CEST | 1.1.1.1 | 192.168.2.5 | 0x453e | No error (0) | 52.101.11.0 | A (IP address) | IN (0x0001) | false | ||
Sep 3, 2024 19:06:06.142760992 CEST | 1.1.1.1 | 192.168.2.5 | 0x453e | No error (0) | 52.101.42.0 | A (IP address) | IN (0x0001) | false | ||
Sep 3, 2024 19:06:06.142760992 CEST | 1.1.1.1 | 192.168.2.5 | 0x453e | No error (0) | 52.101.40.26 | A (IP address) | IN (0x0001) | false | ||
Sep 3, 2024 19:06:09.237741947 CEST | 1.1.1.1 | 192.168.2.5 | 0x9b29 | No error (0) | 77.232.41.29 | A (IP address) | IN (0x0001) | false | ||
Sep 3, 2024 19:06:26.139076948 CEST | 1.1.1.1 | 192.168.2.5 | 0x193f | No error (0) | MX (Mail exchange) | IN (0x0001) | false | |||
Sep 3, 2024 19:06:26.139076948 CEST | 1.1.1.1 | 192.168.2.5 | 0x193f | No error (0) | MX (Mail exchange) | IN (0x0001) | false | |||
Sep 3, 2024 19:06:26.139076948 CEST | 1.1.1.1 | 192.168.2.5 | 0x193f | No error (0) | MX (Mail exchange) | IN (0x0001) | false | |||
Sep 3, 2024 19:06:26.152061939 CEST | 1.1.1.1 | 192.168.2.5 | 0x4ac8 | No error (0) | 67.195.204.79 | A (IP address) | IN (0x0001) | false | ||
Sep 3, 2024 19:06:26.152061939 CEST | 1.1.1.1 | 192.168.2.5 | 0x4ac8 | No error (0) | 67.195.228.106 | A (IP address) | IN (0x0001) | false | ||
Sep 3, 2024 19:06:26.152061939 CEST | 1.1.1.1 | 192.168.2.5 | 0x4ac8 | No error (0) | 67.195.204.72 | A (IP address) | IN (0x0001) | false | ||
Sep 3, 2024 19:06:26.152061939 CEST | 1.1.1.1 | 192.168.2.5 | 0x4ac8 | No error (0) | 67.195.228.111 | A (IP address) | IN (0x0001) | false | ||
Sep 3, 2024 19:06:26.152061939 CEST | 1.1.1.1 | 192.168.2.5 | 0x4ac8 | No error (0) | 67.195.228.109 | A (IP address) | IN (0x0001) | false | ||
Sep 3, 2024 19:06:26.152061939 CEST | 1.1.1.1 | 192.168.2.5 | 0x4ac8 | No error (0) | 67.195.204.77 | A (IP address) | IN (0x0001) | false | ||
Sep 3, 2024 19:06:26.152061939 CEST | 1.1.1.1 | 192.168.2.5 | 0x4ac8 | No error (0) | 67.195.228.110 | A (IP address) | IN (0x0001) | false | ||
Sep 3, 2024 19:06:26.152061939 CEST | 1.1.1.1 | 192.168.2.5 | 0x4ac8 | No error (0) | 98.136.96.76 | A (IP address) | IN (0x0001) | false | ||
Sep 3, 2024 19:06:47.011306047 CEST | 1.1.1.1 | 192.168.2.5 | 0x1fc3 | No error (0) | MX (Mail exchange) | IN (0x0001) | false | |||
Sep 3, 2024 19:06:47.019150972 CEST | 1.1.1.1 | 192.168.2.5 | 0x7a84 | No error (0) | 142.251.168.26 | A (IP address) | IN (0x0001) | false | ||
Sep 3, 2024 19:06:47.019150972 CEST | 1.1.1.1 | 192.168.2.5 | 0x7a84 | No error (0) | 64.233.184.26 | A (IP address) | IN (0x0001) | false | ||
Sep 3, 2024 19:06:47.019150972 CEST | 1.1.1.1 | 192.168.2.5 | 0x7a84 | No error (0) | 142.250.110.26 | A (IP address) | IN (0x0001) | false | ||
Sep 3, 2024 19:06:47.019150972 CEST | 1.1.1.1 | 192.168.2.5 | 0x7a84 | No error (0) | 142.250.110.27 | A (IP address) | IN (0x0001) | false | ||
Sep 3, 2024 19:06:47.019150972 CEST | 1.1.1.1 | 192.168.2.5 | 0x7a84 | No error (0) | 142.251.168.27 | A (IP address) | IN (0x0001) | false | ||
Sep 3, 2024 19:07:07.030286074 CEST | 1.1.1.1 | 192.168.2.5 | 0xa83e | No error (0) | MX (Mail exchange) | IN (0x0001) | false | |||
Sep 3, 2024 19:07:07.037951946 CEST | 1.1.1.1 | 192.168.2.5 | 0x6130 | No error (0) | 94.100.180.31 | A (IP address) | IN (0x0001) | false | ||
Sep 3, 2024 19:07:07.037951946 CEST | 1.1.1.1 | 192.168.2.5 | 0x6130 | No error (0) | 217.69.139.150 | A (IP address) | IN (0x0001) | false | ||
Sep 3, 2024 19:08:06.446161985 CEST | 1.1.1.1 | 192.168.2.5 | 0x67 | No error (0) | 52.101.40.26 | A (IP address) | IN (0x0001) | false | ||
Sep 3, 2024 19:08:06.446161985 CEST | 1.1.1.1 | 192.168.2.5 | 0x67 | No error (0) | 52.101.11.0 | A (IP address) | IN (0x0001) | false | ||
Sep 3, 2024 19:08:06.446161985 CEST | 1.1.1.1 | 192.168.2.5 | 0x67 | No error (0) | 52.101.42.0 | A (IP address) | IN (0x0001) | false | ||
Sep 3, 2024 19:08:06.446161985 CEST | 1.1.1.1 | 192.168.2.5 | 0x67 | No error (0) | 52.101.8.49 | A (IP address) | IN (0x0001) | false |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
Target ID: | 0 |
Start time: | 13:06:00 |
Start date: | 03/09/2024 |
Path: | C:\Users\user\Desktop\vekvtia.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 10'966'528 bytes |
MD5 hash: | 274D0AB4368246BE7F22990D9D5CB4CF |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | true |
Target ID: | 2 |
Start time: | 13:06:01 |
Start date: | 03/09/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x790000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 13:06:01 |
Start date: | 03/09/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6d64d0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 4 |
Start time: | 13:06:02 |
Start date: | 03/09/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x790000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 5 |
Start time: | 13:06:02 |
Start date: | 03/09/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6d64d0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 6 |
Start time: | 13:06:03 |
Start date: | 03/09/2024 |
Path: | C:\Windows\SysWOW64\sc.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x890000 |
File size: | 61'440 bytes |
MD5 hash: | D9D7684B8431A0D10D0E76FE9F5FFEC8 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 7 |
Start time: | 13:06:03 |
Start date: | 03/09/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6d64d0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 8 |
Start time: | 13:06:03 |
Start date: | 03/09/2024 |
Path: | C:\Windows\SysWOW64\sc.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x890000 |
File size: | 61'440 bytes |
MD5 hash: | D9D7684B8431A0D10D0E76FE9F5FFEC8 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 9 |
Start time: | 13:06:03 |
Start date: | 03/09/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6d64d0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 10 |
Start time: | 13:06:04 |
Start date: | 03/09/2024 |
Path: | C:\Windows\SysWOW64\sc.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x890000 |
File size: | 61'440 bytes |
MD5 hash: | D9D7684B8431A0D10D0E76FE9F5FFEC8 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 11 |
Start time: | 13:06:04 |
Start date: | 03/09/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6d64d0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 12 |
Start time: | 13:06:04 |
Start date: | 03/09/2024 |
Path: | C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 12'936'704 bytes |
MD5 hash: | CA75AED3D5A70F14C63D2616B573BB74 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Has exited: | true |
Target ID: | 13 |
Start time: | 13:06:04 |
Start date: | 03/09/2024 |
Path: | C:\Windows\SysWOW64\netsh.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1080000 |
File size: | 82'432 bytes |
MD5 hash: | 4E89A1A088BE715D6C946E55AB07C7DF |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 14 |
Start time: | 13:06:04 |
Start date: | 03/09/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6d64d0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 15 |
Start time: | 13:06:04 |
Start date: | 03/09/2024 |
Path: | C:\Windows\SysWOW64\svchost.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xbe0000 |
File size: | 46'504 bytes |
MD5 hash: | 1ED18311E3DA35942DB37D15FA40CC5B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Has exited: | false |
Target ID: | 18 |
Start time: | 13:06:44 |
Start date: | 03/09/2024 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7e52b0000 |
File size: | 55'320 bytes |
MD5 hash: | B7F884C1B74A263F746EE12A5F7C9F6A |
Has elevated privileges: | true |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Has exited: | false |
Execution Graph
Execution Coverage: | 3.7% |
Dynamic/Decrypted Code Coverage: | 30.2% |
Signature Coverage: | 27.3% |
Total number of Nodes: | 1595 |
Total number of Limit Nodes: | 19 |
Graph
Function 00409A6B Relevance: 98.8, APIs: 48, Strings: 8, Instructions: 799stringsleepregistryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00407A95 Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 269registrymemoryCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00409326 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 284registryCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00406A60 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 106fileCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040EC54 Relevance: 4.5, APIs: 3, Instructions: 24timeCOMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0078092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON
Control-flow Graph
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 007F9180 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040EBCC Relevance: 3.0, APIs: 2, Instructions: 13memoryCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004073FF Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 345registryCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040704C Relevance: 23.1, APIs: 10, Strings: 3, Instructions: 332registryCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040675C Relevance: 19.7, APIs: 13, Instructions: 199fileCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0078003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515memoryCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004099D2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54stringCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00404000 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35sleepfileCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Control-flow Graph
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004091EB Relevance: 3.1, APIs: 2, Instructions: 119sleepCOMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00780E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00406DC2 Relevance: 1.5, APIs: 1, Instructions: 42COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00780920 Relevance: 1.5, APIs: 1, Instructions: 4COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 007F8E3F Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040C913 Relevance: 113.4, APIs: 45, Strings: 19, Instructions: 1397filestringprocessCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00401000 Relevance: 56.2, APIs: 16, Strings: 16, Instructions: 170libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040B211 Relevance: 47.4, APIs: 7, Strings: 20, Instructions: 131timeCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00401280 Relevance: 31.9, APIs: 9, Strings: 9, Instructions: 417stringCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00401D96 Relevance: 30.0, APIs: 6, Strings: 11, Instructions: 205libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00406EDD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52memoryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00408E26 Relevance: 4.6, APIs: 3, Instructions: 63fileCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004088B0 Relevance: .1, Instructions: 108COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 007F8A5D Relevance: .1, Instructions: 61COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00780D90 Relevance: .0, Instructions: 43COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00789EA0 Relevance: 59.9, APIs: 28, Strings: 6, Instructions: 421stringregistryfileCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00787CFC Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 269registrymemoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040A7C1 Relevance: 38.8, APIs: 8, Strings: 14, Instructions: 299networkstringCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00407809 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 226memoryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00787A70 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 226memoryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00408328 Relevance: 35.4, APIs: 18, Strings: 2, Instructions: 361registryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040199C Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 106memorylibraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0078858F Relevance: 28.4, APIs: 14, Strings: 2, Instructions: 361registryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 007814E7 Relevance: 23.2, APIs: 9, Strings: 4, Instructions: 417stringCOMMON
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00787666 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 345registryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040AD89 Relevance: 21.1, APIs: 5, Strings: 7, Instructions: 121timeCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00402DF2 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 97memorylibrarynetworkCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0078958D Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 284registryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040BE31 Relevance: 18.2, APIs: 6, Strings: 6, Instructions: 152stringCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00781FFD Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 205libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040F315 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 103networkCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040C2DC Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 182threadCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00783059 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 97memorylibrarynetworkCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00402D21 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 85memorylibrarystringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00406CC9 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 84libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040977C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 82threadinjectionprocessCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0078F57C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103networkCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00782F88 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 85memorylibrarystringCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00786F30 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 84libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00409064 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83filestringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 007892CB Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83filestringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 007899E3 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 82threadinjectionprocessCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040E3CA Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 136registryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00786CC7 Relevance: 10.6, APIs: 7, Instructions: 106fileCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0078E2FC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 92registryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0078AA28 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 247stringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040E8A1 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 172stringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0078E8BB Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 96stringCOMMON
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00786E0E Relevance: 9.1, APIs: 6, Instructions: 84COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0078C543 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 182threadCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004080C9 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 146registryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040E095 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92registryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040AD08 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55stringnetworkCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0078B478 Relevance: 7.6, APIs: 5, Instructions: 131timeCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00402923 Relevance: 7.6, APIs: 5, Instructions: 107COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040E654 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 96stringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004026FF Relevance: 7.6, APIs: 5, Instructions: 96networkCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040F26D Relevance: 7.6, APIs: 5, Instructions: 63COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00402419 Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 45stringCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0078E3DE Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148fileCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040E52E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 111fileCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0078E795 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 111fileCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00401AC3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 74libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00787665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68registryCOMMON
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004096FF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48registryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00789966 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48registryCOMMON
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 007828EB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20networkCOMMON
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 007869C3 Relevance: 6.2, APIs: 4, Instructions: 199COMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00403F18 Relevance: 6.0, APIs: 4, Instructions: 46filesynchronizationCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00403F8C Relevance: 6.0, APIs: 4, Instructions: 46filesynchronizationCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0078417F Relevance: 6.0, APIs: 4, Instructions: 46filesynchronizationCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 007841F3 Relevance: 6.0, APIs: 4, Instructions: 46filesynchronizationCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0078E036 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 35stringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040A4C7 Relevance: 6.0, APIs: 4, Instructions: 27sleepCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00404E92 Relevance: 6.0, APIs: 4, Instructions: 27sleepCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00404BD1 Relevance: 6.0, APIs: 4, Instructions: 27sleepCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004030FA Relevance: 6.0, APIs: 4, Instructions: 23sleepCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040E177 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148fileCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00788330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 146registryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0078E631 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 136registryCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0078AFF0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121timeCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00789452 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 119sleepCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004038F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55threadCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040AB81 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44stringCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004026B2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37networkCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00402684 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20networkCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040EAE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13libraryloaderCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00402F22 Relevance: 5.2, APIs: 4, Instructions: 157memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00783189 Relevance: 5.2, APIs: 4, Instructions: 157memoryCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Execution Graph
Execution Coverage: | 3% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 0% |
Total number of Nodes: | 1606 |
Total number of Limit Nodes: | 14 |
Graph
Function 00409A6B Relevance: 102.3, APIs: 48, Strings: 10, Instructions: 799stringsleepregistryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00407A95 Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 269registrymemoryCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004073FF Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 345registryCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0077003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515memoryCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040977C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 82threadprocessinjectionCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040EC54 Relevance: 4.5, APIs: 3, Instructions: 24timeCOMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00406E36 Relevance: 3.1, APIs: 2, Instructions: 51COMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 008F24D8 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00770E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00406DC2 Relevance: 1.5, APIs: 1, Instructions: 42COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00409892 Relevance: 1.5, APIs: 1, Instructions: 23COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00770920 Relevance: 1.5, APIs: 1, Instructions: 4COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 008F2197 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004098F2 Relevance: 1.3, APIs: 1, Instructions: 37sleepCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00779EA0 Relevance: 59.9, APIs: 28, Strings: 6, Instructions: 421stringregistryfileCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00401000 Relevance: 56.2, APIs: 16, Strings: 16, Instructions: 170libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040B211 Relevance: 47.4, APIs: 7, Strings: 20, Instructions: 131timeCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00777CFC Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 269registrymemoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040A7C1 Relevance: 38.8, APIs: 8, Strings: 14, Instructions: 299networkstringCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00407809 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 226memoryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00777A70 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 226memoryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00408328 Relevance: 35.4, APIs: 18, Strings: 2, Instructions: 361registryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00401280 Relevance: 31.9, APIs: 9, Strings: 9, Instructions: 417stringCOMMON
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00401D96 Relevance: 30.0, APIs: 6, Strings: 11, Instructions: 205libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040199C Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 106memorylibraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0077858F Relevance: 28.4, APIs: 14, Strings: 2, Instructions: 361registryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 007714E7 Relevance: 23.2, APIs: 9, Strings: 4, Instructions: 417stringCOMMON
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00777666 Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 345registryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040704C Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 332registryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040AD89 Relevance: 21.1, APIs: 5, Strings: 7, Instructions: 121timeCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00402DF2 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 97memorylibrarynetworkCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040675C Relevance: 19.7, APIs: 13, Instructions: 199fileCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00409326 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 284registryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00771FFD Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 205libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040F315 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 103networkCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040405E Relevance: 16.7, APIs: 11, Instructions: 203COMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040C2DC Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 182threadCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00773059 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 97memorylibrarynetworkCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00402D21 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 85memorylibrarystringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040BE31 Relevance: 13.7, APIs: 6, Strings: 3, Instructions: 152stringCOMMON
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00406A60 Relevance: 13.6, APIs: 9, Instructions: 106fileCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0077F57C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103networkCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00772F88 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 85memorylibrarystringCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00406CC9 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 84libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 007799E3 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 82threadinjectionprocessCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00776CC7 Relevance: 10.6, APIs: 7, Instructions: 106fileCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00776F30 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 84libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0077AA28 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 247stringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040E8A1 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 172stringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0077E8BB Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 96stringCOMMON
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00406BA7 Relevance: 9.1, APIs: 6, Instructions: 84COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00776E0E Relevance: 9.1, APIs: 6, Instructions: 84COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0077C543 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 182threadCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004080C9 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 146registryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0077E2FC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92registryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040AD08 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55stringnetworkCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0077B478 Relevance: 7.6, APIs: 5, Instructions: 131timeCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00404280 Relevance: 7.6, APIs: 5, Instructions: 124COMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00402923 Relevance: 7.6, APIs: 5, Instructions: 107COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040E654 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 96stringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004026FF Relevance: 7.6, APIs: 5, Instructions: 96networkCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040F26D Relevance: 7.6, APIs: 5, Instructions: 63COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00409145 Relevance: 7.6, APIs: 5, Instructions: 56COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 007793AC Relevance: 7.6, APIs: 5, Instructions: 56COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00402419 Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 45stringCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00401AC3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 74libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00406EDD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52memoryCOMMON
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 007728EB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20networkCOMMON
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 007769C3 Relevance: 6.2, APIs: 4, Instructions: 199COMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00403F18 Relevance: 6.0, APIs: 4, Instructions: 46filesynchronizationCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00403F8C Relevance: 6.0, APIs: 4, Instructions: 46filesynchronizationCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0077417F Relevance: 6.0, APIs: 4, Instructions: 46filesynchronizationCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 007741F3 Relevance: 6.0, APIs: 4, Instructions: 46filesynchronizationCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0077E036 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 35stringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040A4C7 Relevance: 6.0, APIs: 4, Instructions: 27sleepCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00404E92 Relevance: 6.0, APIs: 4, Instructions: 27sleepCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00404BD1 Relevance: 6.0, APIs: 4, Instructions: 27sleepCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004030FA Relevance: 6.0, APIs: 4, Instructions: 23sleepCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0077E3DE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148fileCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00778330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 146registryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0077AFF0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121timeCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00779452 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 119sleepCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004038F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55threadCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040AB81 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44stringCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004026B2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37networkCOMMON
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00402684 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20networkCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040EAE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13libraryloaderCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00402F22 Relevance: 5.2, APIs: 4, Instructions: 157memoryCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00773189 Relevance: 5.2, APIs: 4, Instructions: 157memoryCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Execution Graph
Execution Coverage: | 14.7% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 0.7% |
Total number of Nodes: | 1807 |
Total number of Limit Nodes: | 18 |
Graph
Function 003EC913 Relevance: 115.1, APIs: 45, Strings: 20, Instructions: 1397filestringprocessCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003E9A6B Relevance: 100.5, APIs: 48, Strings: 9, Instructions: 799stringsleepregistryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003E199C Relevance: 35.1, APIs: 14, Strings: 6, Instructions: 106memorylibraryloaderCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003E7A95 Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 269registrymemoryCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003E7809 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 226memoryCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003E8328 Relevance: 35.4, APIs: 18, Strings: 2, Instructions: 361registryCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003E1D96 Relevance: 30.0, APIs: 6, Strings: 11, Instructions: 205libraryloaderCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003E73FF Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 345registryCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003E675C Relevance: 19.7, APIs: 13, Instructions: 199fileCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003EF315 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 103networkCOMMON
Control-flow Graph
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003E405E Relevance: 16.7, APIs: 11, Instructions: 203COMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003E2D21 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 85memorylibrarystringCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003E80C9 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 146registryCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003E1AC3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 74libraryloaderCOMMON
Control-flow Graph
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003EF26D Relevance: 7.6, APIs: 5, Instructions: 63COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003E2684 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20networkCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003EEC2E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14memoryCOMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003EE52E Relevance: 4.6, APIs: 3, Instructions: 111fileCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003E877E Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 100sleepCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003EEC54 Relevance: 4.5, APIs: 3, Instructions: 24timeCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003E30B5 Relevance: 3.0, APIs: 2, Instructions: 29networkCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003EEBCC Relevance: 3.0, APIs: 2, Instructions: 13memoryCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003EF43E Relevance: 1.5, APIs: 1, Instructions: 33networkCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003E1978 Relevance: 1.5, APIs: 1, Instructions: 16COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003EDD84 Relevance: 1.3, APIs: 1, Instructions: 31stringCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003E1000 Relevance: 56.2, APIs: 16, Strings: 16, Instructions: 170libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003EB211 Relevance: 47.4, APIs: 7, Strings: 20, Instructions: 131timeCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003EA7C1 Relevance: 40.5, APIs: 8, Strings: 15, Instructions: 299networkstringCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003E1280 Relevance: 31.9, APIs: 9, Strings: 9, Instructions: 417stringCOMMON
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003E704C Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 332registryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003EAD89 Relevance: 21.1, APIs: 5, Strings: 7, Instructions: 121timeCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003E2DF2 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 97memorylibrarynetworkCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003E9326 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 284registryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003EC2DC Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 182threadCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003EBE31 Relevance: 13.7, APIs: 6, Strings: 3, Instructions: 152stringCOMMON
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003E6A60 Relevance: 13.6, APIs: 9, Instructions: 106fileCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003E6CC9 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 84libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003E977C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 82threadinjectionprocessCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003EE8A1 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 172stringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003E6BA7 Relevance: 9.1, APIs: 6, Instructions: 84COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003EAD08 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55stringnetworkCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003E4280 Relevance: 7.6, APIs: 5, Instructions: 124COMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003E2923 Relevance: 7.6, APIs: 5, Instructions: 107COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003E26FF Relevance: 7.6, APIs: 5, Instructions: 96networkCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003E9145 Relevance: 7.6, APIs: 5, Instructions: 56COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003E2419 Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 45stringCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003E6EDD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52memoryCOMMON
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003EE654 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96stringCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003E3F18 Relevance: 6.0, APIs: 4, Instructions: 46filesynchronizationCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003E3F8C Relevance: 6.0, APIs: 4, Instructions: 46filesynchronizationCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003E4E92 Relevance: 6.0, APIs: 4, Instructions: 27sleepCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003EA4C7 Relevance: 6.0, APIs: 4, Instructions: 27sleepCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003E4BD1 Relevance: 6.0, APIs: 4, Instructions: 27sleepCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003E30FA Relevance: 6.0, APIs: 4, Instructions: 23sleepCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003E26B2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37networkCOMMON
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003EEAE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13libraryloaderCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 003E2F22 Relevance: 5.2, APIs: 4, Instructions: 157memoryCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|