Edit tour
Windows
Analysis Report
cW5i0RdQ4L.exe
Overview
General Information
| Sample name: | cW5i0RdQ4L.exerenamed because original name is a hash value |
| Original sample name: | c065ba22909fc8dbded4ea0eebb24ad5.exe |
| Analysis ID: | 1532361 |
| MD5: | c065ba22909fc8dbded4ea0eebb24ad5 |
| SHA1: | b3d61dd7519be3d2909be9ce2d28f65ec7f9965d |
| SHA256: | 9817f4d8bc1374f102196cfcb8a351abdc0563dea60f6084a7525e5ee5409b6d |
| Tags: | 32exetrojan |
| Infos: |  |
 | |
Detection
| Score: | 88 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
AI detected suspicious sample
Drops PE files with a suspicious file extension
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
PE / OLE file has an invalid certificate
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
cW5i0RdQ4L.exe (PID: 3752 cmdline: "C:\Users\ user\Deskt op\cW5i0Rd Q4L.exe" MD5: C065BA22909FC8DBDED4EA0EEBB24AD5) 
cmd.exe (PID: 2576 cmdline: "C:\Window s\System32 \cmd.exe" /c move Ce ntres Cent res.bat & Centres.ba t MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 3840 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
tasklist.exe (PID: 6496 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1) - findstr.exe (PID: 7096 cmdline:
findstr /I "wrsa ops svc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - tasklist.exe (PID: 6092 cmdline:
tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1) - findstr.exe (PID: 1632 cmdline:
findstr -I "avastui avgui bdse rvicehost nswscsvc s ophoshealt h" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - cmd.exe (PID: 6640 cmdline:
cmd /c md 103495 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - findstr.exe (PID: 5428 cmdline:
findstr /V "aroundac commodateg roupsevery thing" Fin e MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - cmd.exe (PID: 6524 cmdline:
cmd /c cop y /b ..\Co rrect + .. \Transpare nt + ..\Ba rbie + ..\ Gloves + . .\Latin + ..\Story + ..\Ski + ..\Apprais al n MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) 
Powder.pif (PID: 2696 cmdline: Powder.pif n MD5: 18CE19B57F43CE0A5AF149C96AECC685) - cmd.exe (PID: 2828 cmdline:
cmd /k ech o [Interne tShortcut] > "C:\Use rs\user\Ap pData\Roam ing\Micros oft\Window s\Start Me nu\Program s\Startup\ GuardianCr yptoElite. url" & ech o URL="C:\ Users\user \AppData\L ocal\Guard ianCrypto Systems In c\Guardian CryptoElit e.js" >> " C:\Users\u ser\AppDat a\Roaming\ Microsoft\ Windows\St art Menu\P rograms\St artup\Guar dianCrypto Elite.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 5688 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - choice.exe (PID: 4268 cmdline:
choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
wscript.exe (PID: 2228 cmdline: "C:\Window s\System32 \WScript.e xe" "C:\Us ers\user\A ppData\Loc al\Guardia nCrypto Sy stems Inc\ GuardianCr yptoElite. js" MD5: A47CBE969EA935BDD3AB568BB126BC80) - GuardianCryptoElite.scr (PID: 1716 cmdline:
"C:\Users\ user\AppDa ta\Local\G uardianCry pto System s Inc\Guar dianCrypto Elite.scr" "C:\Users \user\AppD ata\Local\ GuardianCr ypto Syste ms Inc\O" MD5: 18CE19B57F43CE0A5AF149C96AECC685)
- cleanup
⊘No configs have been found
⊘No yara matches
System Summary |   |
|---|
| Source: | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: | ||
| Source: | Author: Max Altgelt (Nextron Systems): | ||
| Source: | Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: | ||
| Source: | Author: frack113: | ||
| Source: | Author: Michael Haag: | ||
Data Obfuscation | |
|---|
| Source: | Author: Joe Security: | ||
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Author: Joe Security: | ||
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-13T01:58:08.149906+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49705 | 104.21.76.57 | 443 | TCP |
| 2024-10-13T01:58:26.202852+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49750 | 104.21.76.57 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_004062D5 | |
| Source: | Code function: | 0_2_00402E18 | |
| Source: | Code function: | 0_2_00406C9B | |
| Source: | Code function: | 11_2_00CE4005 | |
| Source: | Code function: | 11_2_00CE494A | |
| Source: | Code function: | 11_2_00CE3CE2 | |
| Source: | Code function: | 11_2_00CEC2FF | |
| Source: | Code function: | 11_2_00CECD9F | |
| Source: | Code function: | 11_2_00CECD14 | |
| Source: | Code function: | 11_2_00CEF5D8 | |
| Source: | Code function: | 11_2_00CEF735 | |
| Source: | Code function: | 11_2_00CEFA36 | |
| Source: | Code function: | 17_2_00354005 | |
| Source: | Code function: | 17_2_0035494A | |
| Source: | Code function: | 17_2_0035C2FF | |
| Source: | Code function: | 17_2_0035CD14 | |
| Source: | Code function: | 17_2_0035CD9F | |
| Source: | Code function: | 17_2_0035F5D8 | |
| Source: | Code function: | 17_2_0035F735 | |
| Source: | Code function: | 17_2_0035FA36 | |
| Source: | Code function: | 17_2_00353CE2 | |
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | IP Address: | ||
| Source: | JA3 fingerprint: | ||
| Source: | DNS query: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 11_2_00CF29BA | |
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 0_2_004050CD | |
| Source: | Code function: | 11_2_00CF4830 | |
| Source: | Code function: | 17_2_00364830 | |
| Source: | Code function: | 11_2_00CF4632 | |
| Source: | Code function: | 0_2_004044A5 | |
| Source: | Code function: | 11_2_00D0D164 | |
| Source: | Code function: | 17_2_0037D164 | |
System Summary | |
|---|
| Source: | COM Object queried: | Jump to behavior | ||
| Source: | Code function: | 11_2_00CE42D5 | |
| Source: | Code function: | 11_2_00CD8F2E | |
| Source: | Code function: | 0_2_00403883 | |
| Source: | Code function: | 11_2_00CE5778 | |
| Source: | Code function: | 17_2_00355778 | |
| Source: | Code function: | 0_2_0040497C | |
| Source: | Code function: | 0_2_00406ED2 | |
| Source: | Code function: | 0_2_004074BB | |
| Source: | Code function: | 11_2_00C8B020 | |
| Source: | Code function: | 11_2_00C894E0 | |
| Source: | Code function: | 11_2_00C89C80 | |
| Source: | Code function: | 11_2_00CA23F5 | |
| Source: | Code function: | 11_2_00D08400 | |
| Source: | Code function: | 11_2_00CB6502 | |
| Source: | Code function: | 11_2_00C8E6F0 | |
| Source: | Code function: | 11_2_00CB265E | |
| Source: | Code function: | 11_2_00CA282A | |
| Source: | Code function: | 11_2_00CB89BF | |
| Source: | Code function: | 11_2_00CB6A74 | |
| Source: | Code function: | 11_2_00D00A3A | |
| Source: | Code function: | 11_2_00C90BE0 | |
| Source: | Code function: | 11_2_00CDEDB2 | |
| Source: | Code function: | 11_2_00CACD51 | |
| Source: | Code function: | 11_2_00D00EB7 | |
| Source: | Code function: | 11_2_00CE8E44 | |
| Source: | Code function: | 11_2_00CB6FE6 | |
| Source: | Code function: | 11_2_00CA33B7 | |
| Source: | Code function: | 11_2_00C9D45D | |
| Source: | Code function: | 11_2_00CAF409 | |
| Source: | Code function: | 11_2_00C8F6A0 | |
| Source: | Code function: | 11_2_00CA16B4 | |
| Source: | Code function: | 11_2_00C81663 | |
| Source: | Code function: | 11_2_00C9F628 | |
| Source: | Code function: | 11_2_00CA78C3 | |
| Source: | Code function: | 11_2_00CA1BA8 | |
| Source: | Code function: | 11_2_00CADBA5 | |
| Source: | Code function: | 11_2_00CB9CE5 | |
| Source: | Code function: | 11_2_00C9DD28 | |
| Source: | Code function: | 11_2_00CA1FC0 | |
| Source: | Code function: | 11_2_00CABFD6 | |
| Source: | Code function: | 17_2_002FB020 | |
| Source: | Code function: | 17_2_002F94E0 | |
| Source: | Code function: | 17_2_002F9C80 | |
| Source: | Code function: | 17_2_003123F5 | |
| Source: | Code function: | 17_2_00378400 | |
| Source: | Code function: | 17_2_00326502 | |
| Source: | Code function: | 17_2_0032265E | |
| Source: | Code function: | 17_2_002FE6F0 | |
| Source: | Code function: | 17_2_0031282A | |
| Source: | Code function: | 17_2_003289BF | |
| Source: | Code function: | 17_2_00370A3A | |
| Source: | Code function: | 17_2_00326A74 | |
| Source: | Code function: | 17_2_00300BE0 | |
| Source: | Code function: | 17_2_0031CD51 | |
| Source: | Code function: | 17_2_0034EDB2 | |
| Source: | Code function: | 17_2_00358E44 | |
| Source: | Code function: | 17_2_00370EB7 | |
| Source: | Code function: | 17_2_00326FE6 | |
| Source: | Code function: | 17_2_002F32C0 | |
| Source: | Code function: | 17_2_003133B7 | |
| Source: | Code function: | 17_2_0031F409 | |
| Source: | Code function: | 17_2_0030D45D | |
| Source: | Code function: | 17_2_0030F628 | |
| Source: | Code function: | 17_2_002F1663 | |
| Source: | Code function: | 17_2_003116B4 | |
| Source: | Code function: | 17_2_002FF6A0 | |
| Source: | Code function: | 17_2_003178C3 | |
| Source: | Code function: | 17_2_0031DBA5 | |
| Source: | Code function: | 17_2_00311BA8 | |
| Source: | Code function: | 17_2_00329CE5 | |
| Source: | Code function: | 17_2_002F7CC9 | |
| Source: | Code function: | 17_2_0030DD28 | |
| Source: | Code function: | 17_2_0031BFD6 | |
| Source: | Code function: | 17_2_00311FC0 | |
| Source: | Dropped File: | ||
| Source: | Dropped File: | ||
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 11_2_00CEA6AD | |
| Source: | Code function: | 11_2_00CD8DE9 | |
| Source: | Code function: | 11_2_00CD9399 | |
| Source: | Code function: | 17_2_00348DE9 | |
| Source: | Code function: | 17_2_00349399 | |
| Source: | Code function: | 0_2_004044A5 | |
| Source: | Code function: | 11_2_00CE4148 | |
| Source: | Code function: | 0_2_004024FB | |
| Source: | Code function: | 11_2_00CE443D | |
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | Static PE information: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_004062FC | |
| Source: | Code function: | 11_2_00CA8B88 | |
| Source: | Code function: | 17_2_00318B88 | |
| Source: | Code function: | 17_2_0030CBF8 | |
| Source: | Code function: | 17_2_0030CBF8 | |
Persistence and Installation Behavior | |
|---|
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Code function: | 11_2_00D059B3 | |
| Source: | Code function: | 11_2_00C95EDA | |
| Source: | Code function: | 17_2_003759B3 | |
| Source: | Code function: | 17_2_00305EDA | |
| Source: | Code function: | 11_2_00CA33B7 | |
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Window found: | Jump to behavior | ||
| Source: | Evasive API call chain: | |||
| Source: | Evasive API call chain: | graph_11-100731 | ||
| Source: | API coverage: | ||
| Source: | API coverage: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Code function: | 0_2_004062D5 | |
| Source: | Code function: | 0_2_00402E18 | |
| Source: | Code function: | 0_2_00406C9B | |
| Source: | Code function: | 11_2_00CE4005 | |
| Source: | Code function: | 11_2_00CE494A | |
| Source: | Code function: | 11_2_00CE3CE2 | |
| Source: | Code function: | 11_2_00CEC2FF | |
| Source: | Code function: | 11_2_00CECD9F | |
| Source: | Code function: | 11_2_00CECD14 | |
| Source: | Code function: | 11_2_00CEF5D8 | |
| Source: | Code function: | 11_2_00CEF735 | |
| Source: | Code function: | 11_2_00CEFA36 | |
| Source: | Code function: | 17_2_00354005 | |
| Source: | Code function: | 17_2_0035494A | |
| Source: | Code function: | 17_2_0035C2FF | |
| Source: | Code function: | 17_2_0035CD14 | |
| Source: | Code function: | 17_2_0035CD9F | |
| Source: | Code function: | 17_2_0035F5D8 | |
| Source: | Code function: | 17_2_0035F735 | |
| Source: | Code function: | 17_2_0035FA36 | |
| Source: | Code function: | 17_2_00353CE2 | |
| Source: | Code function: | 11_2_00C95D13 | |
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 11_2_00CF45D5 | |
| Source: | Code function: | 11_2_00C95240 | |
| Source: | Code function: | 11_2_00CB5CAC | |
| Source: | Code function: | 0_2_004062FC | |
| Source: | Code function: | 11_2_00CD88CD | |
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Code function: | 11_2_00CAA385 | |
| Source: | Code function: | 11_2_00CAA354 | |
| Source: | Code function: | 17_2_0031A354 | |
| Source: | Code function: | 17_2_0031A385 | |
| Source: | Code function: | 11_2_00CD9369 | |
| Source: | Code function: | 11_2_00C95240 | |
| Source: | Code function: | 11_2_00CE1AC6 | |
| Source: | Code function: | 11_2_00CE51E2 | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 11_2_00CD88CD | |
| Source: | Code function: | 11_2_00CE4F1C | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 11_2_00CA885B | |
| Source: | Code function: | 11_2_00CC0030 | |
| Source: | Code function: | 11_2_00CC0722 | |
| Source: | Code function: | 11_2_00CB416A | |
| Source: | Code function: | 0_2_00406805 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 11_2_00CF696E | |
| Source: | Code function: | 11_2_00CF6E32 | |
| Source: | Code function: | 17_2_0036696E | |
| Source: | Code function: | 17_2_00366E32 | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | 11 Scripting | 2 Valid Accounts | 1 Windows Management Instrumentation | 11 Scripting | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 21 Input Capture | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 4 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | 2 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 21 Input Capture | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 1 Command and Scripting Interpreter | 2 Valid Accounts | 2 Valid Accounts | 2 Obfuscated Files or Information | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | 2 Registry Run Keys / Startup Folder | 21 Access Token Manipulation | 1 Software Packing | NTDS | 17 System Information Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 12 Process Injection | 1 DLL Side-Loading | LSA Secrets | 1 Query Registry | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 2 Registry Run Keys / Startup Folder | 11 Masquerading | Cached Domain Credentials | 131 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Valid Accounts | DCSync | 4 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 12 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 8% | ReversingLabs | |||
| 14% | Virustotal | Browse |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 5% | ReversingLabs | |||
| 10% | Virustotal | Browse | ||
| 5% | ReversingLabs | |||
| 10% | Virustotal | Browse |
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 1% | Virustotal | Browse |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| iplogger.com | 104.21.76.57 | true | false |
| unknown |
| SfqIcJOQLLJLIQzEeYKSUBXfTZxPy.SfqIcJOQLLJLIQzEeYKSUBXfTZxPy | unknown | unknown | false | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false | unknown | |||
| false | unknown | |||
| false |
| unknown | ||
| false | unknown | |||
| false |
| unknown | ||
| false | unknown | |||
| false | unknown | |||
| false |
| unknown | ||
| false | unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 104.21.76.57 | iplogger.com | United States | 13335 | CLOUDFLARENETUS | false |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1532361 |
| Start date and time: | 2024-10-13 01:57:07 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 8m 10s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 20 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | cW5i0RdQ4L.exerenamed because original name is a hash value |
| Original Sample Name: | c065ba22909fc8dbded4ea0eebb24ad5.exe |
| Detection: | MAL |
| Classification: | mal88.expl.evad.winEXE@28/18@3/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size exceeded maximum capacity and may have missing disassembly code.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtSetInformationFile calls found.
| Time | Type | Description |
|---|---|---|
| 01:58:09 | Autostart | |
| 19:58:07 | API Interceptor | |
| 19:58:25 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 104.21.76.57 | Get hash | malicious | LummaC | Browse | ||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | DarkTortilla, PureLog Stealer | Browse | |||
| Get hash | malicious | DarkTortilla | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | DarkTortilla, Neoreklami | Browse | |||
| Get hash | malicious | Amadey, Cryptbot, Neoreklami, PureLog Stealer, RedLine, Stealc, Vidar | Browse | |||
| Get hash | malicious | Cryptbot | Browse | |||
| Get hash | malicious | EICAR | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| iplogger.com | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | DarkTortilla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | DarkTortilla | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | DarkTortilla | Browse |
| ||
| Get hash | malicious | DarkTortilla | Browse |
| ||
| Get hash | malicious | Cryptbot, Vidar, Xmrig | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | CredGrabber, Meduza Stealer | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LegionLoader | Browse |
| ||
| Get hash | malicious | CredGrabber, Meduza Stealer | Browse |
| ||
| Get hash | malicious | Python Stealer, CStealer | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 37f463bf4616ecd445d4a1937da06e19 | Get hash | malicious | CredGrabber, Meduza Stealer | Browse |
| |
| Get hash | malicious | LegionLoader | Browse |
| ||
| Get hash | malicious | CredGrabber, Meduza Stealer | Browse |
| ||
| Get hash | malicious | CredGrabber, Meduza Stealer | Browse |
| ||
| Get hash | malicious | Remcos, GuLoader | Browse |
| ||
| Get hash | malicious | LegionLoader | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | XRed | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\103495\Powder.pif | Get hash | malicious | Unknown | Browse | ||
| Get hash | malicious | Remcos | Browse | |||
| Get hash | malicious | Stealc, Vidar | Browse | |||
| Get hash | malicious | Clipboard Hijacker, Stealc, Vidar | Browse | |||
| Get hash | malicious | Stealc | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | LummaC | Browse | |||
| Get hash | malicious | Clipboard Hijacker, Stealc, Vidar | Browse | |||
| Get hash | malicious | Stealc | Browse | |||
| Get hash | malicious | Amadey, Go Injector, LummaC Stealer, Phorpiex, PureLog Stealer, Stealc, Vidar | Browse | |||
| C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr | Get hash | malicious | Unknown | Browse | ||
| Get hash | malicious | Remcos | Browse | |||
| Get hash | malicious | Stealc, Vidar | Browse | |||
| Get hash | malicious | Clipboard Hijacker, Stealc, Vidar | Browse | |||
| Get hash | malicious | Stealc | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | LummaC | Browse | |||
| Get hash | malicious | Clipboard Hijacker, Stealc, Vidar | Browse | |||
| Get hash | malicious | Stealc | Browse | |||
| Get hash | malicious | Amadey, Go Injector, LummaC Stealer, Phorpiex, PureLog Stealer, Stealc, Vidar | Browse |
| Process: | C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 202 |
| Entropy (8bit): | 4.786819322701662 |
| Encrypted: | false |
| SSDEEP: | 6:RiJBJHonwWDaJ0/hJkDB+Mak7WkMu8HMaz7ywWDaJ0/hJkDB+Mak7WkMu05M:YJ7QjW0hCzaUW5iaKW0hCzaUW54 |
| MD5: | BFE58F1EEFA06EC93983BF94E2C8C5EC |
| SHA1: | D7955EDD640E01A3B4B24125B00C1906EE2FF8D4 |
| SHA-256: | 5A4150377F850B2886A2C7DD381CA738B9F7ABBDBFA6DD413F3C8FE15CC0145F |
| SHA-512: | 7091C41AE6C896F0BE4982CF5D107E1C306E5364199A3927648013BE287203901374C3396ADF0E4A98F2B5862591461815AC5EEC6E4E1723FD664A0655263BD5 |
| Malicious: | true |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 893608 |
| Entropy (8bit): | 6.62028134425878 |
| Encrypted: | false |
| SSDEEP: | 12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501 |
| MD5: | 18CE19B57F43CE0A5AF149C96AECC685 |
| SHA1: | 1BD5CA29FC35FC8AC346F23B155337C5B28BBC36 |
| SHA-256: | D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD |
| SHA-512: | A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558 |
| Malicious: | true |
| Antivirus: |
|
| Joe Sandbox View: |
|
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 589559 |
| Entropy (8bit): | 7.999707598770209 |
| Encrypted: | true |
| SSDEEP: | 12288:+WPM1wUWq0fYgJafcwbk88kntuz+WrR9sv9mkkNVTJMa:+WPiwfqGYgAfnU6CR9Pk+TJMa |
| MD5: | D61BFD64FBF003BA89A0038E38339DF6 |
| SHA1: | EF8F3EA9AA749EA516E2D62AE586680C4E14D4E5 |
| SHA-256: | 3133DFE772AFBE5FFD178038BEE3FF413665EC29A5565881D63BBB5370C58AF2 |
| SHA-512: | 56FBB30D2358297E662F19A6236C9E039D4EF78B97BAF34508A04C80388483B5EE17DD2CBA97A3BBBDCB4E28CE7D9322CFCAB3974718C65945265591E86BA09F |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\cmd.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 893608 |
| Entropy (8bit): | 6.62028134425878 |
| Encrypted: | false |
| SSDEEP: | 12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501 |
| MD5: | 18CE19B57F43CE0A5AF149C96AECC685 |
| SHA1: | 1BD5CA29FC35FC8AC346F23B155337C5B28BBC36 |
| SHA-256: | D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD |
| SHA-512: | A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558 |
| Malicious: | true |
| Antivirus: |
|
| Joe Sandbox View: |
|
| Preview: |
| Process: | C:\Windows\SysWOW64\cmd.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 589559 |
| Entropy (8bit): | 7.999707598770209 |
| Encrypted: | true |
| SSDEEP: | 12288:+WPM1wUWq0fYgJafcwbk88kntuz+WrR9sv9mkkNVTJMa:+WPiwfqGYgAfnU6CR9Pk+TJMa |
| MD5: | D61BFD64FBF003BA89A0038E38339DF6 |
| SHA1: | EF8F3EA9AA749EA516E2D62AE586680C4E14D4E5 |
| SHA-256: | 3133DFE772AFBE5FFD178038BEE3FF413665EC29A5565881D63BBB5370C58AF2 |
| SHA-512: | 56FBB30D2358297E662F19A6236C9E039D4EF78B97BAF34508A04C80388483B5EE17DD2CBA97A3BBBDCB4E28CE7D9322CFCAB3974718C65945265591E86BA09F |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\cW5i0RdQ4L.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 3831 |
| Entropy (8bit): | 7.946757292660395 |
| Encrypted: | false |
| SSDEEP: | 96:HtLdIQTWXW4M4hKF9wZpR7ezSKMaRTeBvOG03d2oF1U2pkmIgSl:HtBIQTb4ZpR0SKMaIBe3QoF1BNDSl |
| MD5: | 768DB4AC22081145374C24722FCC43AD |
| SHA1: | BDB3807C1202E377300C0BA5C3583A698C37ADFD |
| SHA-256: | 344B4C601FD07DF63377194621D87533A3AFA29FF6F56190C4F64B5D9FAB5B08 |
| SHA-512: | D68A1343313C8F7D6EA6320FDD421A119725B2EBF71853E1726BCDDDA7E88812C2D018914AC9FA25AD4C236536813D33FB746E1B76E9860405025F78BDC1DDBD |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\cW5i0RdQ4L.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 68608 |
| Entropy (8bit): | 7.9975055008806235 |
| Encrypted: | true |
| SSDEEP: | 1536:/BvokD+6XgWAVRX3efhLoR1Q28NgQhjbfa5ZU:/BRD+68VRX3eiB21GA |
| MD5: | 001014C69A9062B0753718619B7E71E3 |
| SHA1: | 5EE78AB9158525C3F2342707C29FBC8C50DC8426 |
| SHA-256: | 29A6F67DE3F128B72F48CD17714C88EC0EF28771A242A4C6924087807D0F1182 |
| SHA-512: | 17BF97DFD5B44D40B0D662095D62E5AF2954390DE62B9791C1B1FAEA26C87E6427AA06B27BF7E53DDECDB7860D5B2B031DA87164341FD945C320236F54FCFDEA |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\cW5i0RdQ4L.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 23862 |
| Entropy (8bit): | 5.096137660724854 |
| Encrypted: | false |
| SSDEEP: | 384:Q4VFdKAGOKr0a70GNJZdjLU7xQnrSVAMqmTLQ+dsbBBTlwKns/N7UosAy+xmlYf:PVFdjKrPYCJZVU7xQrMqcM+2Rlw3N7Uy |
| MD5: | DE5800B2AD98E412AFE2A7BC93DFA639 |
| SHA1: | E3D423C60E01C7C079261521B0939DA80A85649A |
| SHA-256: | 67D35DB2809DA95D2DC7E4CE76800103CBC042E2F02D1CC1934A6C06E5E6737C |
| SHA-512: | E935DF1E0716EA1D5E5DCDF28E1A7CCCBAB533737F10EBF9DFF9363E457512EBC9661AE615F06FF514EC03A1F3386E45BB98C996ADF5A0FD7EEDBA2EFEC74079 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\cmd.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 23862 |
| Entropy (8bit): | 5.096137660724854 |
| Encrypted: | false |
| SSDEEP: | 384:Q4VFdKAGOKr0a70GNJZdjLU7xQnrSVAMqmTLQ+dsbBBTlwKns/N7UosAy+xmlYf:PVFdjKrPYCJZVU7xQrMqcM+2Rlw3N7Uy |
| MD5: | DE5800B2AD98E412AFE2A7BC93DFA639 |
| SHA1: | E3D423C60E01C7C079261521B0939DA80A85649A |
| SHA-256: | 67D35DB2809DA95D2DC7E4CE76800103CBC042E2F02D1CC1934A6C06E5E6737C |
| SHA-512: | E935DF1E0716EA1D5E5DCDF28E1A7CCCBAB533737F10EBF9DFF9363E457512EBC9661AE615F06FF514EC03A1F3386E45BB98C996ADF5A0FD7EEDBA2EFEC74079 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\cW5i0RdQ4L.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 82944 |
| Entropy (8bit): | 7.997785532907348 |
| Encrypted: | true |
| SSDEEP: | 1536:+bNAgMpBbyaSuuG7cEFKWgtnMOCQZaT1BB+kEcr1Ue38UnKC8TsvVwFLcFlEOtMI:TBbyuIEFutntgrfgC5diAuOS8V |
| MD5: | D91B8B96745F7B7D81179268D4DA4B4D |
| SHA1: | B4AD21AFB4044B0C1461E1C5523D792110FB6130 |
| SHA-256: | 8704CB6EBE7EEF39F91CA6838C2D06EB9B21ED6E6DFDDC5F5707B8CB4A9F64F1 |
| SHA-512: | 8A036E1C23FF3C1921F5FAAB9BC423D7AAD509E370EA1E45C31FC84E0E868E13C862CC51D14A1708B2147DA6D6447E8D7CB2179E1D5AD8F33C29CE03C59AF85F |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\cW5i0RdQ4L.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 7800 |
| Entropy (8bit): | 6.237887479843994 |
| Encrypted: | false |
| SSDEEP: | 192:fUHAeOqAFDw09CV/2nPvj6DdMP3r1HI5jMlbN+G3yM:fUHAHhww+/2nlP3r1WAL3yM |
| MD5: | 5A3868FBE5A6517157D7A0337C938E0A |
| SHA1: | 4E8E6C526393D3D679C93D2A57B0DCA2EC0427FC |
| SHA-256: | 75CB47C2BB9BEDEDD276C0008683B7E655A9E943626D2755BFA7D7E167F2B31B |
| SHA-512: | 0D1C04C9D05395EBD831CA0DC94158CA32B0B5C9C839190E00EAECD572D8AB78CDB0EC07B55AFC38B8CFF1D59759A73D0AE13EF7B14A2CD8089B11FFB7E53668 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\cW5i0RdQ4L.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 98304 |
| Entropy (8bit): | 7.998271363701794 |
| Encrypted: | true |
| SSDEEP: | 1536:LhAC8plpAB13tObsRlWOFw5a7qbRSIBDoJ0MiSJj9cwhXYxZvJk0EKSxImCGg7AK:LIpABRtmsRlWYw5a7KyJZcwRYxBJHE5m |
| MD5: | 383CECC8DE45B96CEFDF4CE6DDBAE343 |
| SHA1: | 8A12728453735E74E0D633B28BDF4556D4B0AF41 |
| SHA-256: | A47C770A23612063F299F22871E18642B3D4668FB58765CDC279C4C0C3A23321 |
| SHA-512: | 3AE0ADE7BD22E407CEA05006C12F6F2A4A94A907919F2DEE40441D019631E848E2A6C90F2CA0D16691C15A087926AAC485F57E421AF0D60FC5BBFCAC43B36412 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\cW5i0RdQ4L.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 91136 |
| Entropy (8bit): | 7.997834867280466 |
| Encrypted: | true |
| SSDEEP: | 1536:POwYt0r7QuNT7NQyPOPSpnezwcV9xE1zaFTpX3XQwM78kIxTUU8n1V4J/:iIQu5NGPYezvTxE1upX3XQwsjUYVO/ |
| MD5: | AC72A864D71E31270399396CEFA534E7 |
| SHA1: | C41004BCFB507028F7D109EA2CBAB9A8BA5F4BD9 |
| SHA-256: | F83C95DD15E4EB1B7F68946ECB8F1A689CC16CEBE02AE68EBC4E08E7AB467296 |
| SHA-512: | 7275D5A775A4FFA64AC59F0BB350582F19549A9C2FE5B0E6686D642E6BBD4B16D21E7B4358ADDEF096B539627D73CD39FE6A9D0377E817CA539C09CAFDC95180 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\cW5i0RdQ4L.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 885843 |
| Entropy (8bit): | 6.622038773759726 |
| Encrypted: | false |
| SSDEEP: | 12288:kV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:exz1JMyyzlohMf1tN70aw8501 |
| MD5: | 194A567844C46F20EABDCF8A7BF469DD |
| SHA1: | CCC915EEAEBEA7AD2C5550A3BA1C917B3708C469 |
| SHA-256: | C2E3ADF32419B4163876794FCE4ED1F2C5D631A13AAAA955F3D3E30F1EB66A13 |
| SHA-512: | BB5BE430767C176AFF3A5D3BFBE039CD67EDBA0246F3C51D302FD08D4BE19DEF43F7E6363D187AED454CD84F960DEA90746B7B6EDA525E3E4D67FA05B8BA3A00 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\cW5i0RdQ4L.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 93184 |
| Entropy (8bit): | 7.998470680086986 |
| Encrypted: | true |
| SSDEEP: | 1536:FhL2bzYtAJ28r1yhcuDzkoKPze14spu84cnY6lxlbj1mCTS4Yj2VMr:H2fYtAJ2k1yWWhUzeRNYy3bjNTS4YyGr |
| MD5: | 08342A0886A607763230CC9E7F9763E9 |
| SHA1: | EDBEA1401B8653FED918C0E6ADBAF9E6271BEC52 |
| SHA-256: | F7AD68CE94DF8B242FC3F6E9BD7814A16011214952805ED5E8E6ADEF74A27F48 |
| SHA-512: | D2E319DD4E914DFB6F4399BC8527B4D1C764A02C4D5BDC8735F6CE9A46614622568692DAB02122C47B75D8B970F0418DE17FF08A8032B8F92FCF7E67D0259341 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\cW5i0RdQ4L.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 73728 |
| Entropy (8bit): | 7.997368475932792 |
| Encrypted: | true |
| SSDEEP: | 1536:J+Q3dgxNnWvKXe/b3h7iLpHdJUzOSa6kNFZett8zMdvBG:1Wje/ZilHdJUKSa6kNLetttvBG |
| MD5: | 99E977093BC7AB3360CBC1146D0EE20C |
| SHA1: | AD950626C995AF3BBE62E9AC187FA7CABDA406AD |
| SHA-256: | C1551D0D3D6C658C1B55558C4FDB2B1BE9233715B63485997C935C434BD570E7 |
| SHA-512: | C148E1D0374611A19D6724EB7337A93899CFB4DB9D040F3541A47AC35947098860BCA1A9EC16E7B479E1AA98A258209E969459B2546700B462D18376B868B8C3 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\cW5i0RdQ4L.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 77824 |
| Entropy (8bit): | 7.997575500781217 |
| Encrypted: | true |
| SSDEEP: | 1536:AITtaftyMQXhoaS4SjfF7iLuiVjVK5xCUFQcCzo55:75aftCVS4SJ7Yuy4we5 |
| MD5: | 0B034950E941768616AF2EBA4F9D4000 |
| SHA1: | A50F20A10E8DF21A1B2C1655F9F300C31D2EBED3 |
| SHA-256: | D9AEA2AAD680EFCD111B992B6124E72F6BA2FEB178867D1C5F5167A21423BD4E |
| SHA-512: | EC0FDFE281CCBA186991DC872EEDA99EC0EFEC5C4F8B2CBFAAA7CEFC5248B08E071189934600A8EEDFCA804BCDF78F108778CE9A3B5F15C80BD80D77A1651965 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardianCryptoElite.url 
Download File
| Process: | C:\Windows\SysWOW64\cmd.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 111 |
| Entropy (8bit): | 4.884789601065906 |
| Encrypted: | false |
| SSDEEP: | 3:HRAbABGQaFyw3pYoUkh4E2J5iQztkRe7WkMuzEqtkRKfy:HRYF5yjo923iQzak7WkMuHaQfy |
| MD5: | 43A33FC9F048D678F3DA577B0151326D |
| SHA1: | 7B60D017B40EFA376E4D8949F7BB79E41BBAFFFD |
| SHA-256: | 703EA2D37382590EA2FD57DACBC8E5FF641AD670C658EAA154C4FA2C85A49777 |
| SHA-512: | 45B984F6E830792AC4CECDF80D95691F681CA7AEEFC40A012E15EB6637751804567EF266BBBCFF0BD17801B448DA525FFF9F6751A3447E2592E017D8AE92EDFE |
| Malicious: | true |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.977071843843171 |
| TrID: |
|
| File name: | cW5i0RdQ4L.exe |
| File size: | 1'086'602 bytes |
| MD5: | c065ba22909fc8dbded4ea0eebb24ad5 |
| SHA1: | b3d61dd7519be3d2909be9ce2d28f65ec7f9965d |
| SHA256: | 9817f4d8bc1374f102196cfcb8a351abdc0563dea60f6084a7525e5ee5409b6d |
| SHA512: | b8621a86897e0da506157225ef049e92e6c6bff9837e6e2a2b55328b6931e8bd484e57dba9d2fa532728a7e35a36918a1f699cc3a9af11d26ac1fbd4fce72814 |
| SSDEEP: | 24576:vqJm/Xl+FIqBwq4QlGsljfzlE6J4zYfs6nScxy63:S4l+OqyLQHugVfDnS8y63 |
| TLSH: | CF35238222E15865D8E62F352D7013626F38BC3B1CB94D6F93148E5CBED454B863B727 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n.......B...8..... |
 | |
| Icon Hash: | 6c64686470544c00 |
| Entrypoint: | 0x403883 |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x4F47E2DA [Fri Feb 24 19:19:54 2012 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 0 |
| File Version Major: | 5 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 0 |
| Import Hash: | be41bf7b8cc010b614bd36bbca606973 |
| Signature Valid: | false |
| Signature Issuer: | CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US |
| Signature Validation Error: | The digital signature of the object did not verify |
| Error Number: | -2146869232 |
| Not Before, Not After |
|
| Subject Chain |
|
| Version: | 3 |
| Thumbprint MD5: | 2876C1BECB51837D0E3DE50903D025B6 |
| Thumbprint SHA-1: | 940D69C0A34A1B4CFD8048488BA86F4CED60481A |
| Thumbprint SHA-256: | EE46613A38B4F486164BCE7FB23178667715617F511B364594311A1548B08EB1 |
| Serial: | 068BE2F53452C882F18ED41A5DD4E7A3 |
| Instruction |
|---|
| sub esp, 000002D4h |
| push ebx |
| push ebp |
| push esi |
| push edi |
| push 00000020h |
| xor ebp, ebp |
| pop esi |
| mov dword ptr [esp+18h], ebp |
| mov dword ptr [esp+10h], 00409268h |
| mov dword ptr [esp+14h], ebp |
| call dword ptr [00408030h] |
| push 00008001h |
| call dword ptr [004080B4h] |
| push ebp |
| call dword ptr [004082C0h] |
| push 00000008h |
| mov dword ptr [00472EB8h], eax |
| call 00007F6B54FF66EBh |
| push ebp |
| push 000002B4h |
| mov dword ptr [00472DD0h], eax |
| lea eax, dword ptr [esp+38h] |
| push eax |
| push ebp |
| push 00409264h |
| call dword ptr [00408184h] |
| push 0040924Ch |
| push 0046ADC0h |
| call 00007F6B54FF63CDh |
| call dword ptr [004080B0h] |
| push eax |
| mov edi, 004C30A0h |
| push edi |
| call 00007F6B54FF63BBh |
| push ebp |
| call dword ptr [00408134h] |
| cmp word ptr [004C30A0h], 0022h |
| mov dword ptr [00472DD8h], eax |
| mov eax, edi |
| jne 00007F6B54FF3CBAh |
| push 00000022h |
| pop esi |
| mov eax, 004C30A2h |
| push esi |
| push eax |
| call 00007F6B54FF6091h |
| push eax |
| call dword ptr [00408260h] |
| mov esi, eax |
| mov dword ptr [esp+1Ch], esi |
| jmp 00007F6B54FF3D43h |
| push 00000020h |
| pop ebx |
| cmp ax, bx |
| jne 00007F6B54FF3CBAh |
| add esi, 02h |
| cmp word ptr [esi], bx |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9b34 | 0xb4 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf4000 | 0x85a8 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x106bda | 0x28b0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7a000 | 0x964 | .ndata |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2d0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x6dae | 0x6e00 | 00499a6f70259150109c809d6aa0e6ed | False | 0.6611150568181818 | data | 6.508529563136936 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x8000 | 0x2a62 | 0x2c00 | 07990aaa54c3bc638bb87a87f3fb13e3 | False | 0.3526278409090909 | data | 4.390535020989255 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xb000 | 0x67ebc | 0x200 | 014871d9a00f0e0c8c2a7cd25606c453 | False | 0.203125 | data | 1.4308602597540492 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .ndata | 0x73000 | 0x81000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xf4000 | 0x85a8 | 0x8600 | 9dff8efb6cb5e3124b64b6bb0f444b58 | False | 0.8464902052238806 | data | 7.386337967469148 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xfd000 | 0xf32 | 0x1000 | d5ec3cf97c0668f4bbd50420ccf8fbc1 | False | 1.002685546875 | data | 7.948997141079556 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xf4250 | 0x442d | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9940411390591876 |
| RT_ICON | 0xf8680 | 0x182e | PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced | English | United States | 1.0012924071082392 |
| RT_ICON | 0xf9eb0 | 0x1128 | Device independent bitmap graphic, 32 x 64 x 32, image size 4352 | English | United States | 0.22814207650273224 |
| RT_ICON | 0xfafd8 | 0xbb9 | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0036654448517162 |
| RT_ICON | 0xfbb98 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.24822695035460993 |
| RT_DIALOG | 0xfc000 | 0x100 | data | English | United States | 0.5234375 |
| RT_DIALOG | 0xfc100 | 0x11c | data | English | United States | 0.6056338028169014 |
| RT_DIALOG | 0xfc220 | 0x60 | data | English | United States | 0.7291666666666666 |
| RT_GROUP_ICON | 0xfc280 | 0x4c | data | English | United States | 0.8026315789473685 |
| RT_MANIFEST | 0xfc2d0 | 0x2d6 | XML 1.0 document, ASCII text, with very long lines (726), with no line terminators | English | United States | 0.5647382920110193 |
| DLL | Import |
|---|---|
| KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW |
| USER32.dll | GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW |
| GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject |
| SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation |
| ADVAPI32.dll | RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW |
| COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create |
| ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance |
| VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-13T01:58:08.149906+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49705 | 104.21.76.57 | 443 | TCP |
| 2024-10-13T01:58:26.202852+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49750 | 104.21.76.57 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 13, 2024 01:58:07.493583918 CEST | 49705 | 443 | 192.168.2.5 | 104.21.76.57 |
| Oct 13, 2024 01:58:07.493701935 CEST | 443 | 49705 | 104.21.76.57 | 192.168.2.5 |
| Oct 13, 2024 01:58:07.493789911 CEST | 49705 | 443 | 192.168.2.5 | 104.21.76.57 |
| Oct 13, 2024 01:58:07.502959013 CEST | 49705 | 443 | 192.168.2.5 | 104.21.76.57 |
| Oct 13, 2024 01:58:07.503000975 CEST | 443 | 49705 | 104.21.76.57 | 192.168.2.5 |
| Oct 13, 2024 01:58:07.996864080 CEST | 443 | 49705 | 104.21.76.57 | 192.168.2.5 |
| Oct 13, 2024 01:58:07.996937037 CEST | 49705 | 443 | 192.168.2.5 | 104.21.76.57 |
| Oct 13, 2024 01:58:08.043570995 CEST | 49705 | 443 | 192.168.2.5 | 104.21.76.57 |
| Oct 13, 2024 01:58:08.043606997 CEST | 443 | 49705 | 104.21.76.57 | 192.168.2.5 |
| Oct 13, 2024 01:58:08.044647932 CEST | 443 | 49705 | 104.21.76.57 | 192.168.2.5 |
| Oct 13, 2024 01:58:08.044724941 CEST | 49705 | 443 | 192.168.2.5 | 104.21.76.57 |
| Oct 13, 2024 01:58:08.047029018 CEST | 49705 | 443 | 192.168.2.5 | 104.21.76.57 |
| Oct 13, 2024 01:58:08.087414980 CEST | 443 | 49705 | 104.21.76.57 | 192.168.2.5 |
| Oct 13, 2024 01:58:08.149981022 CEST | 443 | 49705 | 104.21.76.57 | 192.168.2.5 |
| Oct 13, 2024 01:58:08.150052071 CEST | 49705 | 443 | 192.168.2.5 | 104.21.76.57 |
| Oct 13, 2024 01:58:08.150099993 CEST | 443 | 49705 | 104.21.76.57 | 192.168.2.5 |
| Oct 13, 2024 01:58:08.150146961 CEST | 49705 | 443 | 192.168.2.5 | 104.21.76.57 |
| Oct 13, 2024 01:58:08.150161982 CEST | 443 | 49705 | 104.21.76.57 | 192.168.2.5 |
| Oct 13, 2024 01:58:08.150243044 CEST | 49705 | 443 | 192.168.2.5 | 104.21.76.57 |
| Oct 13, 2024 01:58:08.150249004 CEST | 443 | 49705 | 104.21.76.57 | 192.168.2.5 |
| Oct 13, 2024 01:58:08.150263071 CEST | 49705 | 443 | 192.168.2.5 | 104.21.76.57 |
| Oct 13, 2024 01:58:08.150285959 CEST | 443 | 49705 | 104.21.76.57 | 192.168.2.5 |
| Oct 13, 2024 01:58:08.150294065 CEST | 49705 | 443 | 192.168.2.5 | 104.21.76.57 |
| Oct 13, 2024 01:58:08.150312901 CEST | 49705 | 443 | 192.168.2.5 | 104.21.76.57 |
| Oct 13, 2024 01:58:08.150348902 CEST | 49705 | 443 | 192.168.2.5 | 104.21.76.57 |
| Oct 13, 2024 01:58:25.573832035 CEST | 49750 | 443 | 192.168.2.5 | 104.21.76.57 |
| Oct 13, 2024 01:58:25.573860884 CEST | 443 | 49750 | 104.21.76.57 | 192.168.2.5 |
| Oct 13, 2024 01:58:25.573920965 CEST | 49750 | 443 | 192.168.2.5 | 104.21.76.57 |
| Oct 13, 2024 01:58:25.587884903 CEST | 49750 | 443 | 192.168.2.5 | 104.21.76.57 |
| Oct 13, 2024 01:58:25.587897062 CEST | 443 | 49750 | 104.21.76.57 | 192.168.2.5 |
| Oct 13, 2024 01:58:26.073281050 CEST | 443 | 49750 | 104.21.76.57 | 192.168.2.5 |
| Oct 13, 2024 01:58:26.073338985 CEST | 49750 | 443 | 192.168.2.5 | 104.21.76.57 |
| Oct 13, 2024 01:58:26.076822996 CEST | 49750 | 443 | 192.168.2.5 | 104.21.76.57 |
| Oct 13, 2024 01:58:26.076828957 CEST | 443 | 49750 | 104.21.76.57 | 192.168.2.5 |
| Oct 13, 2024 01:58:26.077173948 CEST | 443 | 49750 | 104.21.76.57 | 192.168.2.5 |
| Oct 13, 2024 01:58:26.077219963 CEST | 49750 | 443 | 192.168.2.5 | 104.21.76.57 |
| Oct 13, 2024 01:58:26.079257965 CEST | 49750 | 443 | 192.168.2.5 | 104.21.76.57 |
| Oct 13, 2024 01:58:26.119401932 CEST | 443 | 49750 | 104.21.76.57 | 192.168.2.5 |
| Oct 13, 2024 01:58:26.202858925 CEST | 443 | 49750 | 104.21.76.57 | 192.168.2.5 |
| Oct 13, 2024 01:58:26.202903986 CEST | 49750 | 443 | 192.168.2.5 | 104.21.76.57 |
| Oct 13, 2024 01:58:26.202913046 CEST | 443 | 49750 | 104.21.76.57 | 192.168.2.5 |
| Oct 13, 2024 01:58:26.202948093 CEST | 443 | 49750 | 104.21.76.57 | 192.168.2.5 |
| Oct 13, 2024 01:58:26.202950001 CEST | 49750 | 443 | 192.168.2.5 | 104.21.76.57 |
| Oct 13, 2024 01:58:26.202960968 CEST | 443 | 49750 | 104.21.76.57 | 192.168.2.5 |
| Oct 13, 2024 01:58:26.202981949 CEST | 49750 | 443 | 192.168.2.5 | 104.21.76.57 |
| Oct 13, 2024 01:58:26.203020096 CEST | 49750 | 443 | 192.168.2.5 | 104.21.76.57 |
| Oct 13, 2024 01:58:26.203023911 CEST | 443 | 49750 | 104.21.76.57 | 192.168.2.5 |
| Oct 13, 2024 01:58:26.203063965 CEST | 49750 | 443 | 192.168.2.5 | 104.21.76.57 |
| Oct 13, 2024 01:58:26.203077078 CEST | 443 | 49750 | 104.21.76.57 | 192.168.2.5 |
| Oct 13, 2024 01:58:26.203078985 CEST | 49750 | 443 | 192.168.2.5 | 104.21.76.57 |
| Oct 13, 2024 01:58:26.203102112 CEST | 49750 | 443 | 192.168.2.5 | 104.21.76.57 |
| Oct 13, 2024 01:58:26.203119040 CEST | 49750 | 443 | 192.168.2.5 | 104.21.76.57 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 13, 2024 01:58:07.480621099 CEST | 60388 | 53 | 192.168.2.5 | 1.1.1.1 |
| Oct 13, 2024 01:58:07.488492012 CEST | 53 | 60388 | 1.1.1.1 | 192.168.2.5 |
| Oct 13, 2024 01:58:08.154128075 CEST | 61192 | 53 | 192.168.2.5 | 1.1.1.1 |
| Oct 13, 2024 01:58:08.163526058 CEST | 53 | 61192 | 1.1.1.1 | 192.168.2.5 |
| Oct 13, 2024 01:58:26.210021973 CEST | 64734 | 53 | 192.168.2.5 | 1.1.1.1 |
| Oct 13, 2024 01:58:26.218853951 CEST | 53 | 64734 | 1.1.1.1 | 192.168.2.5 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Oct 13, 2024 01:58:07.480621099 CEST | 192.168.2.5 | 1.1.1.1 | 0x4589 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 13, 2024 01:58:08.154128075 CEST | 192.168.2.5 | 1.1.1.1 | 0xd6b3 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 13, 2024 01:58:26.210021973 CEST | 192.168.2.5 | 1.1.1.1 | 0xc880 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Oct 13, 2024 01:58:07.488492012 CEST | 1.1.1.1 | 192.168.2.5 | 0x4589 | No error (0) | 104.21.76.57 | A (IP address) | IN (0x0001) | false | ||
| Oct 13, 2024 01:58:07.488492012 CEST | 1.1.1.1 | 192.168.2.5 | 0x4589 | No error (0) | 172.67.188.178 | A (IP address) | IN (0x0001) | false | ||
| Oct 13, 2024 01:58:08.163526058 CEST | 1.1.1.1 | 192.168.2.5 | 0xd6b3 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Oct 13, 2024 01:58:26.218853951 CEST | 1.1.1.1 | 192.168.2.5 | 0xc880 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.5 | 49705 | 104.21.76.57 | 443 | 2696 | C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-10-12 23:58:08 UTC | 65 | OUT | |
| 2024-10-12 23:58:08 UTC | 688 | IN | |
| 2024-10-12 23:58:08 UTC | 681 | IN | |
| 2024-10-12 23:58:08 UTC | 1369 | IN | |
| 2024-10-12 23:58:08 UTC | 1369 | IN | |
| 2024-10-12 23:58:08 UTC | 1102 | IN | |
| 2024-10-12 23:58:08 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.5 | 49750 | 104.21.76.57 | 443 | 1716 | C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-10-12 23:58:26 UTC | 65 | OUT | |
| 2024-10-12 23:58:26 UTC | 692 | IN | |
| 2024-10-12 23:58:26 UTC | 677 | IN | |
| 2024-10-12 23:58:26 UTC | 1369 | IN | |
| 2024-10-12 23:58:26 UTC | 1369 | IN | |
| 2024-10-12 23:58:26 UTC | 1106 | IN | |
| 2024-10-12 23:58:26 UTC | 5 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 19:58:00 |
| Start date: | 12/10/2024 |
| Path: | C:\Users\user\Desktop\cW5i0RdQ4L.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 1'086'602 bytes |
| MD5 hash: | C065BA22909FC8DBDED4EA0EEBB24AD5 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 19:58:01 |
| Start date: | 12/10/2024 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x790000 |
| File size: | 236'544 bytes |
| MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 19:58:01 |
| Start date: | 12/10/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6d64d0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 19:58:03 |
| Start date: | 12/10/2024 |
| Path: | C:\Windows\SysWOW64\tasklist.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xd70000 |
| File size: | 79'360 bytes |
| MD5 hash: | 0A4448B31CE7F83CB7691A2657F330F1 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 5 |
| Start time: | 19:58:03 |
| Start date: | 12/10/2024 |
| Path: | C:\Windows\SysWOW64\findstr.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x770000 |
| File size: | 29'696 bytes |
| MD5 hash: | F1D4BE0E99EC734376FDE474A8D4EA3E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 6 |
| Start time: | 19:58:04 |
| Start date: | 12/10/2024 |
| Path: | C:\Windows\SysWOW64\tasklist.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xd70000 |
| File size: | 79'360 bytes |
| MD5 hash: | 0A4448B31CE7F83CB7691A2657F330F1 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 7 |
| Start time: | 19:58:04 |
| Start date: | 12/10/2024 |
| Path: | C:\Windows\SysWOW64\findstr.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x770000 |
| File size: | 29'696 bytes |
| MD5 hash: | F1D4BE0E99EC734376FDE474A8D4EA3E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 8 |
| Start time: | 19:58:04 |
| Start date: | 12/10/2024 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x790000 |
| File size: | 236'544 bytes |
| MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 9 |
| Start time: | 19:58:04 |
| Start date: | 12/10/2024 |
| Path: | C:\Windows\SysWOW64\findstr.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x770000 |
| File size: | 29'696 bytes |
| MD5 hash: | F1D4BE0E99EC734376FDE474A8D4EA3E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 10 |
| Start time: | 19:58:04 |
| Start date: | 12/10/2024 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x790000 |
| File size: | 236'544 bytes |
| MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 11 |
| Start time: | 19:58:05 |
| Start date: | 12/10/2024 |
| Path: | C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xc80000 |
| File size: | 893'608 bytes |
| MD5 hash: | 18CE19B57F43CE0A5AF149C96AECC685 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Antivirus matches: |
|
| Reputation: | moderate |
| Has exited: | false |
| Target ID: | 12 |
| Start time: | 19:58:05 |
| Start date: | 12/10/2024 |
| Path: | C:\Windows\SysWOW64\choice.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x370000 |
| File size: | 28'160 bytes |
| MD5 hash: | FCE0E41C87DC4ABBE976998AD26C27E4 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 13 |
| Start time: | 19:58:06 |
| Start date: | 12/10/2024 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x790000 |
| File size: | 236'544 bytes |
| MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 14 |
| Start time: | 19:58:06 |
| Start date: | 12/10/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6d64d0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 16 |
| Start time: | 19:58:18 |
| Start date: | 12/10/2024 |
| Path: | C:\Windows\System32\wscript.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff702770000 |
| File size: | 170'496 bytes |
| MD5 hash: | A47CBE969EA935BDD3AB568BB126BC80 |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 17 |
| Start time: | 19:58:18 |
| Start date: | 12/10/2024 |
| Path: | C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x2f0000 |
| File size: | 893'608 bytes |
| MD5 hash: | 18CE19B57F43CE0A5AF149C96AECC685 |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Antivirus matches: |
|
| Has exited: | false |
Execution Graph
| Execution Coverage: | 17.7% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 20.7% |
| Total number of Nodes: | 1528 |
| Total number of Limit Nodes: | 34 |
Graph
Function 004050CD Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 295windowclipboardmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403883 Relevance: 54.6, APIs: 22, Strings: 9, Instructions: 304filestringcomCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004074BB Relevance: 5.4, APIs: 4, Instructions: 382COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004062D5 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405479 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345windowstringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351sleepfilewindowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040592C Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233stringregistrylibraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185stringtimeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040337F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 166fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004078C5 Relevance: 5.2, APIs: 4, Instructions: 238COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00407AC3 Relevance: 5.2, APIs: 4, Instructions: 211COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00407312 Relevance: 5.2, APIs: 4, Instructions: 201COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00407752 Relevance: 5.2, APIs: 4, Instructions: 179COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00407854 Relevance: 5.2, APIs: 4, Instructions: 169COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004077B2 Relevance: 5.2, APIs: 4, Instructions: 166COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00407C5F Relevance: 5.2, APIs: 4, Instructions: 156memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405E50 Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405E30 Relevance: 3.0, APIs: 2, Instructions: 9COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004037CC Relevance: 1.5, APIs: 1, Instructions: 20COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403DAF Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403D98 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403D85 Relevance: 1.5, APIs: 1, Instructions: 4COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040497C Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004044A5 Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 300stringkeyboardCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406ED2 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406C9B Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 190filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406805 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402E18 Relevance: 1.5, APIs: 1, Instructions: 27fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004063AC Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004040B8 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406A99 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 163filestringmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004060E7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403DCA Relevance: 12.1, APIs: 8, Instructions: 60COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004023F0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 83libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040484E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004043AD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 73stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004048CC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406224 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004071F8 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406365 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405C3F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004062A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405DB6 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 4.2% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 2.2% |
| Total number of Nodes: | 2000 |
| Total number of Limit Nodes: | 97 |
Graph
Function 00C95240 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 147windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE3CE2 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C95D13 Relevance: 10.7, APIs: 7, Instructions: 223COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE4005 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE4148 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C8B020 Relevance: 5.6, APIs: 3, Instructions: 1146COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE494A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C894E0 Relevance: 3.5, APIs: 2, Instructions: 539COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C8BC70 Relevance: 50.4, APIs: 22, Strings: 6, Instructions: 1379sleeptimeCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C92FC5 Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 201registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C833E6 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 72windowregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C83411 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54windowregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C9514C Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71windowregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CF5E1D Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C94D83 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151windowtimeregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CF20E1 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C956F8 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 117windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C852B0 Relevance: 7.6, APIs: 5, Instructions: 99windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C81284 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE3F1D Relevance: 6.1, APIs: 4, Instructions: 78COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CF2C5A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CF28A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CFD1C6 Relevance: 4.9, APIs: 3, Instructions: 392COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C959D3 Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CA593C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CF2953 Relevance: 4.5, APIs: 3, Instructions: 46networkCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CFE139 Relevance: 3.2, APIs: 2, Instructions: 227COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CA0E38 Relevance: 3.1, APIs: 2, Instructions: 94COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C95F8B Relevance: 3.1, APIs: 2, Instructions: 59COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C942F9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CA5E80 Relevance: 3.0, APIs: 2, Instructions: 29COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C95AC3 Relevance: 3.0, APIs: 2, Instructions: 25windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CFC355 Relevance: 1.8, APIs: 1, Instructions: 288COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C8A820 Relevance: 1.7, APIs: 1, Instructions: 193COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C8D679 Relevance: 1.7, APIs: 1, Instructions: 171COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C9343F Relevance: 1.6, APIs: 1, Instructions: 103COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C9410A Relevance: 1.6, APIs: 1, Instructions: 97COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CBE2DF Relevance: 1.6, APIs: 1, Instructions: 88COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C949C2 Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CBE3C2 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C94220 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C91A36 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CDFEF8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CF495B Relevance: 1.5, APIs: 1, Instructions: 44COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE7C7F Relevance: 1.5, APIs: 1, Instructions: 39COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C94A8C Relevance: 1.5, APIs: 1, Instructions: 31COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C94A2F Relevance: 1.5, APIs: 1, Instructions: 28COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C94AB2 Relevance: 1.5, APIs: 1, Instructions: 27COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CF2D68 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CA09C5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE4D18 Relevance: 1.5, APIs: 1, Instructions: 21COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE394D Relevance: 1.5, APIs: 1, Instructions: 20fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE3EF7 Relevance: 1.5, APIs: 1, Instructions: 19COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C942AE Relevance: 1.5, APIs: 1, Instructions: 16COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE4FEC Relevance: 1.5, APIs: 1, Instructions: 10COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CA547B Relevance: 1.5, APIs: 1, Instructions: 9COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CED6BE Relevance: 1.4, APIs: 1, Instructions: 198COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CEC270 Relevance: 1.3, APIs: 1, Instructions: 31COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C942CF Relevance: 1.3, APIs: 1, Instructions: 19COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D0D164 Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CECD9F Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CEF5D8 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D00EB7 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CEF735 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CF4830 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CEFA36 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE5778 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CF696E Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C81663 Relevance: 7.9, APIs: 5, Instructions: 379COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CEC2FF Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D059B3 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CD9399 Relevance: 4.6, APIs: 3, Instructions: 67COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE42D5 Relevance: 4.6, APIs: 3, Instructions: 61fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE4F1C Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CEA6AD Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CD8DE9 Relevance: 3.0, APIs: 2, Instructions: 22COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE51E2 Relevance: 1.5, APIs: 1, Instructions: 24COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CD9369 Relevance: 1.5, APIs: 1, Instructions: 19COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CC0722 Relevance: 1.5, APIs: 1, Instructions: 7COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CAA354 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D03BA9 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D0ABFF Relevance: 49.8, APIs: 33, Instructions: 274COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C82FE8 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CF7B95 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D0A041 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D08FFA Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D04ECC Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C82BA9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D0441F Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CF56C8 Relevance: 27.1, APIs: 18, Instructions: 124COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CDB13A Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D0A7DE Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D0CCA6 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE82D5 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 378timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D049CF Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CEE25D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE0065 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CEA832 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D0C854 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CF7A04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE9710 Relevance: 19.8, APIs: 13, Instructions: 322fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CD83FA Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE4C0C Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE5530 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CEDBD0 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CDCE00 Relevance: 18.2, APIs: 12, Instructions: 174COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C823F7 Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C82581 Relevance: 18.1, APIs: 12, Instructions: 132COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D07777 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D07AE0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CA7030 Relevance: 16.8, APIs: 11, Instructions: 258COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CF8AA5 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CD9B47 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CD9C32 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CF8F95 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C8AD98 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C831F6 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D0C634 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CF9330 Relevance: 13.9, APIs: 9, Instructions: 438COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D08C6A Relevance: 13.7, APIs: 9, Instructions: 168COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CDA226 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D073A5 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE34DD Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE47E8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C82E2B Relevance: 12.1, APIs: 8, Instructions: 129COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE7681 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D067F8 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CDC748 Relevance: 12.1, APIs: 8, Instructions: 92COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C81800 Relevance: 10.7, APIs: 7, Instructions: 219COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE5BB8 Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE3B64 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D078B6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D068F2 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CDE287 Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CDE360 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D07BF2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CA41B9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CA428E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C8218F Relevance: 9.3, APIs: 6, Instructions: 254COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE6A73 Relevance: 9.2, APIs: 6, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D05DD6 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CDF688 Relevance: 9.2, APIs: 6, Instructions: 159COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE29B1 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C81B41 Relevance: 9.1, APIs: 6, Instructions: 113COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CF7788 Relevance: 9.1, APIs: 6, Instructions: 97COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CD9431 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CD91CF Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CDC329 Relevance: 9.0, APIs: 6, Instructions: 49COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D0C552 Relevance: 9.0, APIs: 6, Instructions: 49COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE77EB Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CD954A Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE323D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE2EFA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CD9A48 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D06A0C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE7357 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE7425 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CDAC05 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CFF23E Relevance: 7.7, APIs: 5, Instructions: 247COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CEEBB4 Relevance: 7.6, APIs: 5, Instructions: 135COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D0A67B Relevance: 7.6, APIs: 5, Instructions: 130COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CDBD85 Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D0B7BD Relevance: 7.6, APIs: 5, Instructions: 85COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CF6138 Relevance: 7.6, APIs: 5, Instructions: 70COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C816CF Relevance: 7.6, APIs: 5, Instructions: 67COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CDC837 Relevance: 7.6, APIs: 5, Instructions: 61COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE504E Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CD8E20 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE57FF Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CD8CC7 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CD8D28 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C8178C Relevance: 7.5, APIs: 5, Instructions: 29COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CDA3AD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D079FE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D081B8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D072D5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CFC6D9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C94BAA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C94B77 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D01447 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C955F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CF97CA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CD7D9B Relevance: 6.3, APIs: 4, Instructions: 333COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CFE713 Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CF877D Relevance: 6.3, APIs: 4, Instructions: 267COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CD814E Relevance: 6.2, APIs: 4, Instructions: 231COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CD749B Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CA492A Relevance: 6.1, APIs: 4, Instructions: 136COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CDA638 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CF6B05 Relevance: 6.1, APIs: 4, Instructions: 116COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D08E76 Relevance: 6.1, APIs: 4, Instructions: 109COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D0B1A9 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D0552B Relevance: 6.1, APIs: 4, Instructions: 95COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D0CB40 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CA0BC0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CD9274 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D0634E Relevance: 6.1, APIs: 4, Instructions: 69COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CDE45A Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE4365 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CF6A54 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CD96F9 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C8166C Relevance: 6.1, APIs: 4, Instructions: 59COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C82111 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE1941 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D0B937 Relevance: 6.0, APIs: 4, Instructions: 47COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D0BCA7 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE7195 Relevance: 6.0, APIs: 4, Instructions: 33COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D0C3C4 Relevance: 6.0, APIs: 4, Instructions: 31COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C825F4 Relevance: 6.0, APIs: 4, Instructions: 23COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CD9330 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CC0679 Relevance: 6.0, APIs: 4, Instructions: 20COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CC068D Relevance: 6.0, APIs: 4, Instructions: 19COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CEB5EF Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C8E00D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D08096 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE3049 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D06CF9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D06F45 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE3156 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CF8475 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CD99BD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CD98B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CA9632 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CD993A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CD8892 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00C94D8C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 11windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|