Windows
Analysis Report
dZIZhRHDXv.exe
Overview
General Information
Sample name: | dZIZhRHDXv.exe (renamed because original name is a hash value) |
Original sample name: | e5a12459a39aa142a12c58d9afbe5b0d.exe |
Analysis ID: | 1543219 |
MD5: | e5a12459a39aa142a12c58d9afbe5b0d |
SHA1: | bebd558572194c56815a2fbaf016d1d4d0922ed3 |
SHA256: | a45e9fae49d4af114a252f3cd5b69f33cb5994915a75cb51983910c9f21d81e5 |
Tags: | exe user-abuse_ch |
Infos: | |
Detection
Score: | 80 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- dZIZhRHDXv.exe (PID: 7624 cmdline: "C:\Users\user\Desktop\dZIZhRHDXv.exe" MD5: E5A12459A39AA142A12C58D9AFBE5B0D)
  - dialer.exe (PID: 7684 cmdline: "C:\Windows\system32\dialer.exe" MD5: E4BD77FB64DDE78F1A95ECE09F6A9B85)
  - WerFault.exe (PID: 7756 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7624 -s 708 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  - WerFault.exe (PID: 7788 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7624 -s 704 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Rhadamanthys | According to PCrisk, Rhadamanthys is a stealer-type malware and, as its name implies, it is designed to extract data from infected machines. At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine. |
{"C2 url": "https://138.201.226.224:9292/bcacc1e7778c536b694/6wlh52ro.x0plp"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security | ||
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
AV Detection |
---|
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Code function: | 0_2_00E4CEA5 |
Networking |
---|
Source: | URLs: |
Source: | TCP traffic: |
Source: | ASN Name: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | Code function: | 1_2_057C9F64 |
Source: | String found in binary or memory: | ||
Source: | Code function: | 0_2_00E02050 |
Source: | Binary or memory string: | memstr_cd5390ae-4 |
Source: | Binary or memory string: | memstr_c3e6f367-8 |
Source: | File source: | ||
Source: | Process created: |
Source: | Binary or memory string: | ||
Source: | Static PE information: |
Source: | Classification label: |
Source: | Code function: | 0_2_00DF86E0 |
Source: | Code function: | 0_2_00DFB810 |
Source: | Code function: | 0_2_00DFD1D0 |
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | Static PE information: |
Source: | WMI Queries: | ||
Source: | Key opened: | Jump to behavior |
Source: | ReversingLabs: |
Source: | Process created: | |||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Key value queried: | Jump to behavior |
Source: | Static file information: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Static PE information: | ||
Source: | Code function: | 0_2_00E009E0 |
Source: | Static PE information: |
Source: | Code function: | 0_2_00E06140 | |
Source: | Code function: | 0_2_00DFEFB0 | |
Source: | Code function: | 0_2_00E066D0 |
Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion |
---|
Source: | API/Special instruction interceptor: | ||
Source: | Binary or memory string: | ||
Source: | API coverage: |
Source: | WMI Queries: | ||
Source: | Code function: | 0_2_00E4CEA5 |
Source: | Code function: | 0_2_00E0874A |
Source: | Binary or memory string: | ||
Source: | Process information queried: | Jump to behavior |
Source: | Process queried: | Jump to behavior | ||
Source: | Code function: | 0_3_029102CC |
Source: | Code function: | 0_2_00E503BC |
Source: | Code function: | 0_2_00E009E0 |
Source: | Code function: | 0_3_02910277 | |
Source: | Code function: | 1_3_0307027F |
Source: | Code function: | 0_2_00E0934F | |
Source: | Code function: | 0_2_00E377CE | |
Source: | Code function: | 0_2_00E09D68 |
Source: | Process created: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Code function: | 0_2_00E09B84 |
Source: | Code function: | 0_2_00E4A027 |
Source: | Code function: | 0_2_00DFE360 |
Source: | Binary or memory string: |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | Code function: | 1_2_057C9A57 |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Windows Management Instrumentation | 1 DLL Side-Loading | 12 Process Injection | 2 Virtualization/Sandbox Evasion | 21 Input Capture | 1 System Time Discovery | Remote Services | 21 Input Capture | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 12 Process Injection | LSASS Memory | 241 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 2 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 2 Clipboard Data | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | 1 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 125 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
47% | ReversingLabs | Win32.Trojan.Generic |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | unknown | |||
false | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
138.201.226.224 | unknown | Germany | 24940 | HETZNER-ASDE | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1543219 |
Start date and time: | 2024-10-27 13:33:04 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 6m 21s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 11 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | dZIZhRHDXv.exe (renamed because original name is a hash value) |
Original Sample Name: | e5a12459a39aa142a12c58d9afbe5b0d.exe |
Detection: | MAL |
Classification: | mal80.troj.evad.winEXE@5/0@0/1 |
EGA Information: | |
HCA Information: | Failed |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: dZIZhRHDXv.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
HETZNER-ASDE | Get hash | malicious | Unknown | Browse |
Get hash | malicious | Mirai, Moobot | Browse |
Get hash | malicious | Captcha Phish | Browse |
File type: | |
Entropy (8bit): | 7.058694163921743 |
TrID: |
|
File name: | dZIZhRHDXv.exe |
File size: | 1'374'208 bytes |
MD5: | e5a12459a39aa142a12c58d9afbe5b0d |
SHA1: | bebd558572194c56815a2fbaf016d1d4d0922ed3 |
SHA256: | a45e9fae49d4af114a252f3cd5b69f33cb5994915a75cb51983910c9f21d81e5 |
SHA512: | 471c88d109ebabc6d288a19f604ccabdc6ad6709acabc5bee1f3885ac917870f4349a98b03ec62d89b3c40e9f8477dfc1faf735484dc750ecb6111dcbd824086 |
SSDEEP: | 24576:E/Pa9WKjYx31wk3AKLbTuruhXaJYKwcC4nS/AildFu8hod/zodlY:KQWKjc1wk3AKLbCZYKwcC4nSZFadkd |
TLSH: | 7955D041B580C032D9B66570443AEBB5497EBC708B261ACF6BC4793B6F325C19A36B1F |
File Content Preview: | MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$...................................C....$.......$.......$.......................$..........................I....$.......$........o.... |
Icon Hash: | 3fc7a3c665f3c37d |
Entrypoint: | 0x489903 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x65C782C5 [Sat Feb 10 14:05:57 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | c18bcc1175f8fcf1adc36bc1ee87c82a |
Instruction |
---|
call 00007F7BC8B5B7C3h |
jmp 00007F7BC8B5AE78h |
retn 0000h |
push ebp |
mov ebp, esp |
mov eax, dword ptr [ebp+08h] |
mov eax, dword ptr [eax] |
pop ebp |
ret |
push ebp |
mov ebp, esp |
mov eax, dword ptr [ebp+08h] |
mov eax, dword ptr [eax] |
pop ebp |
ret |
push ebp |
mov ebp, esp |
mov eax, dword ptr [ebp+0Ch] |
mov ecx, dword ptr [ebp+08h] |
xchg dword ptr [ecx], eax |
pop ebp |
ret |
push ebp |
mov ebp, esp |
mov eax, dword ptr [ebp+08h] |
mov edx, 004F5980h |
mov ecx, 004F5980h |
sub eax, edx |
sub ecx, edx |
cmp eax, ecx |
jnbe 00007F7BC8B5B053h |
int3 |
pop ebp |
ret |
push ebp |
mov ebp, esp |
mov eax, dword ptr [ebp+08h] |
mov edx, 004F5980h |
mov ecx, 004F5980h |
sub eax, edx |
sub ecx, edx |
cmp eax, ecx |
jnbe 00007F7BC8B5B057h |
push 00000041h |
pop ecx |
int 29h |
pop ebp |
ret |
retn 0000h |
push ebp |
mov ebp, esp |
mov eax, dword ptr [ebp+08h] |
mov edx, 004F5980h |
mov ecx, 004F5980h |
sub eax, edx |
sub ecx, edx |
cmp eax, ecx |
jnbe 00007F7BC8B5B05Eh |
mov eax, dword ptr [004E5644h] |
test eax, eax |
je 00007F7BC8B5B055h |
pop ebp |
jmp eax |
pop ebp |
ret |
push ebp |
mov ebp, esp |
mov eax, dword ptr [004E5644h] |
test eax, eax |
je 00007F7BC8B5B055h |
pop ebp |
jmp eax |
pop ebp |
ret |
push ebp |
mov ebp, esp |
mov eax, dword ptr [ebp+08h] |
mov edx, 004F5980h |
mov ecx, 004F5980h |
sub eax, edx |
sub ecx, edx |
cmp eax, ecx |
jnbe 00007F7BC8B5B06Ch |
push esi |
mov esi, dword ptr [004FC194h] |
test esi, esi |
je 00007F7BC8B5B060h |
push dword ptr [ebp+08h] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf8210 | 0xf0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x102000 | 0x502e8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x153000 | 0x51d8 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xf58d0 | 0x70 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0xf59c0 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xec5f8 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0xe5000 | 0x63c | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xf8000 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xe379a | 0xe3800 | b44216b9d2fe6c289604c8df6be3b335 | False | 0.6444013993818681 | data | 7.308659196103948 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0xe5000 | 0x15504 | 0x15600 | 356232fdefb6b47702c1b772e1c7f498 | False | 0.5792443347953217 | data | 6.150072189047563 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xfb000 | 0x6d10 | 0x1000 | 95cc1f43963611e0dc709b32d9d6a0e9 | False | 0.201904296875 | data | 2.8247194529459554 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x102000 | 0x502e8 | 0x50400 | 2e7224c2f3367da182f384150418a77f | False | 0.5011378017912772 | data | 5.821073929631435 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x153000 | 0x51d8 | 0x5200 | 1cd1efc4664cbefcafddbec54260c8d1 | False | 0.7885861280487805 | data | 6.787527296370238 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_CURSOR | 0x12b588 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | English | United States | 0.4935064935064935 |
RT_BITMAP | 0x12b6d8 | 0x3c28 | Device independent bitmap graphic, 240 x 16 x 32, image size 15360, resolution 3779 x 3779 px/m | English | United States | 0.3574675324675325 |
RT_BITMAP | 0x12f300 | 0x428 | Device independent bitmap graphic, 16 x 16 x 32, image size 1024, resolution 3779 x 3779 px/m | English | United States | 0.46522556390977443 |
RT_ICON | 0x102c00 | 0x1011a | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9996657449329971 |
RT_ICON | 0x112d20 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.3587927363066367 |
RT_ICON | 0x123548 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.49120217288615964 |
RT_ICON | 0x127770 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5267634854771784 |
RT_ICON | 0x129d18 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.6088180112570356 |
RT_ICON | 0x12adc0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.775709219858156 |
RT_ICON | 0x12b288 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512, 16 important colors | English | United States | 0.1303763440860215 |
RT_ICON | 0x12faf8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | English | United States | 0.35873358570921565 |
RT_ICON | 0x140320 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 0 | English | United States | 0.4910840812470477 |
RT_ICON | 0x144548 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.5263485477178423 |
RT_ICON | 0x146af0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.6074108818011257 |
RT_ICON | 0x147b98 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.7695035460992907 |
RT_ICON | 0x148050 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.31636960600375236 |
RT_ICON | 0x149110 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.17659474671669795 |
RT_ICON | 0x14a1d0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.2598499061913696 |
RT_ICON | 0x14b290 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.2298311444652908 |
RT_ICON | 0x14c350 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512, 16 important colors | English | United States | 0.34139784946236557 |
RT_ICON | 0x14c650 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.3334896810506567 |
RT_ICON | 0x14d710 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512, 16 important colors | English | United States | 0.21370967741935484 |
RT_MENU | 0x14da10 | 0x53e | data | English | United States | 0.39046199701937406 |
RT_DIALOG | 0x14df50 | 0x1a8 | data | English | United States | 0.46226415094339623 |
RT_DIALOG | 0x14e0f8 | 0x1b0 | data | English | United States | 0.5393518518518519 |
RT_DIALOG | 0x14e480 | 0x1dc | data | English | United States | 0.5315126050420168 |
RT_DIALOG | 0x14e660 | 0x1dc | data | English | United States | 0.5294117647058824 |
RT_DIALOG | 0x14e840 | 0x130 | data | English | United States | 0.569078947368421 |
RT_DIALOG | 0x14eaa0 | 0x210 | data | English | United States | 0.48295454545454547 |
RT_DIALOG | 0x14e2a8 | 0x1d4 | data | English | United States | 0.5512820512820513 |
RT_DIALOG | 0x14e970 | 0x130 | data | English | United States | 0.5756578947368421 |
RT_DIALOG | 0x14fbe0 | 0x560 | data | English | United States | 0.375 |
RT_DIALOG | 0x150140 | 0x244 | data | English | United States | 0.5017241379310344 |
RT_DIALOG | 0x14ecb0 | 0x4a2 | data | English | United States | 0.3979763912310287 |
RT_DIALOG | 0x14f158 | 0x4ae | data | English | United States | 0.43906510851419034 |
RT_DIALOG | 0x14f608 | 0x3ba | data | English | United States | 0.40146750524109015 |
RT_DIALOG | 0x14f9c8 | 0x218 | data | English | United States | 0.5093283582089553 |
RT_STRING | 0x150928 | 0xa6 | data | English | United States | 0.6204819277108434 |
RT_STRING | 0x151510 | 0x1e0 | Matlab v4 mat-file (little endian) i, numeric, rows 0, columns 0 | English | United States | 0.40625 |
RT_STRING | 0x151738 | 0x1b0 | data | English | United States | 0.41203703703703703 |
RT_STRING | 0x150800 | 0x124 | data | English | United States | 0.6027397260273972 |
RT_STRING | 0x1509d0 | 0xb3e | data | English | United States | 0.24009728978457262 |
RT_STRING | 0x150388 | 0x478 | data | English | United States | 0.388986013986014 |
RT_STRING | 0x1516f0 | 0x48 | data | English | United States | 0.6111111111111112 |
RT_ACCELERATOR | 0x12f728 | 0x1a0 | data | English | United States | 0.5913461538461539 |
RT_GROUP_CURSOR | 0x12b6c0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_ICON | 0x12b228 | 0x5a | Targa image data - Map 32 x 282 x 1 +1 | English | United States | 0.7777777777777778 |
RT_GROUP_ICON | 0x1490f8 | 0x14 | data | English | United States | 1.2 |
RT_GROUP_ICON | 0x14c638 | 0x14 | data | English | United States | 1.25 |
RT_GROUP_ICON | 0x14b278 | 0x14 | data | English | United States | 1.2 |
RT_GROUP_ICON | 0x14c338 | 0x14 | data | English | United States | 1.2 |
RT_GROUP_ICON | 0x14d6f8 | 0x14 | data | English | United States | 1.2 |
RT_GROUP_ICON | 0x14a1b8 | 0x14 | data | English | United States | 1.2 |
RT_GROUP_ICON | 0x14d9f8 | 0x14 | data | English | United States | 1.25 |
RT_GROUP_ICON | 0x12b570 | 0x14 | data | English | United States | 1.25 |
RT_GROUP_ICON | 0x148000 | 0x4c | data | English | United States | 0.8157894736842105 |
RT_VERSION | 0x12f8c8 | 0x22c | data | English | United States | 0.5269784172661871 |
RT_MANIFEST | 0x1518e8 | 0x9fb | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (2495), with CRLF line terminators | English | United States | 0.30176125244618396 |
DLL | Import |
---|---|
SHLWAPI.dll | PathGetDriveNumberW, StrCmpNIW, StrDupW, StrChrA, PathRelativePathToW, PathIsPrefixW, PathUnExpandEnvStringsW, PathIsRootW, PathCanonicalizeW, PathFindExtensionW, PathFindFileNameW, PathCommonPrefixW, PathCompactPathExW, PathRemoveExtensionW, StrStrIW, StrFormatByteSizeW, PathStripPathW, PathRemoveBackslashW, StrRetToBufW, PathMatchSpecW, StrCatBuffW, PathUnquoteSpacesW, StrChrW, StrTrimW, SHAutoComplete, StrCpyNW, PathQuoteSpacesW, PathRenameExtensionW, PathIsDirectoryW, StrRChrW, PathAppendW, PathIsRelativeW, PathFileExistsW, PathAddBackslashW, PathRemoveFileSpecW, PathIsSameRootW |
PSAPI.DLL | EnumProcessModules, GetModuleFileNameExW |
USER32.dll | LoadAcceleratorsW, DeleteMenu, ShowOwnedPopups, CopyImage, MessageBoxW, EqualRect, IsWindowVisible, ShowWindowAsync, GetMessagePos, LoadMenuW, CharUpperW, GetKeyState, DefWindowProcW, GetMenuItemInfoW, DeferWindowPos, GetMessageW, GetSubMenu, BeginDeferWindowPos, OpenClipboard, OffsetRect, SetTimer, CloseClipboard, SetMenuItemInfoW, EmptyClipboard, RegisterClassW, SetWindowPlacement, FrameRect, SetMenuDefaultItem, EnumWindows, GetMessageTime, CreateWindowExA, IntersectRect, SetFocus, BringWindowToTop, TranslateAcceleratorW, GetWindowDC, EndDeferWindowPos, SetClipboardData, CheckMenuItem, IsZoomed, KillTimer, PostQuitMessage, GetSysColorBrush, EnableMenuItem, RegisterWindowMessageW, UpdateWindow, IsIconic, GetWindowThreadProcessId, DrawAnimatedRects, FindWindowExW, GetDC, MonitorFromRect, SetActiveWindow, LoadStringA, TrackPopupMenu, SetWindowCompositionAttribute, SystemParametersInfoW, SetPropW, RedrawWindow, SendMessageW, wsprintfW, GetSysColor, CharPrevW, GetWindowPlacement, GetSystemMetrics, SetWindowTextW, LoadStringW, DdeCreateStringHandleW, DdeConnect, GetMonitorInfoW, DdeInitializeW, DdeUninitialize, DialogBoxIndirectParamW, DdeClientTransaction, SetLayeredWindowAttributes, CharUpperBuffW, DdeDisconnect, DdeFreeStringHandle, SetForegroundWindow, LoadImageW, ReleaseDC, GetPropW, RemovePropW, DispatchMessageW, PeekMessageW, TranslateMessage, GetWindowLongW, GetWindowTextLengthW, GetSystemMenu, AdjustWindowRectEx, PostMessageW, CheckMenuRadioItem, GetWindowRect, GetFocus, DestroyWindow, SetWindowPos, CheckRadioButton, MessageBoxExW, CreateWindowExW, EndDialog, MessageBeep, CreatePopupMenu, WindowFromPoint, DestroyCursor, ShowWindow, DestroyIcon, GetDlgCtrlID, SetDlgItemTextW, MapWindowPoints, GetDlgItemTextW, SendDlgItemMessageW, IsWindowEnabled, IsDlgButtonChecked, DestroyMenu, GetMenuStringW, CharNextW, LoadIconW, LoadCursorW, GetClassNameW, SetCapture, InsertMenuW, SetCursor, SetWindowLongW, TrackPopupMenuEx, GetComboBoxInfo, GetClientRect, GetDlgItem, AppendMenuW, CheckDlgButton, GetParent, ReleaseCapture, InvalidateRect, ChildWindowFromPoint, GetCursorPos, EnableWindow, GetWindowTextW, SetRect |
KERNEL32.dll | RaiseException, GetSystemInfo, VirtualQuery, GetModuleHandleW, LoadLibraryExA, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, DecodePointer, WakeAllConditionVariable, SleepConditionVariableSRW, UnhandledExceptionFilter, ReadConsoleW, GetConsoleMode, VirtualProtect, CompareStringOrdinal, FreeLibrary, LoadLibraryExW, ReadFile, lstrlenW, WriteFile, lstrcpynW, ExpandEnvironmentStringsW, GetModuleFileNameW, SetFilePointer, SetEndOfFile, UnlockFileEx, CreateFileW, GetSystemDirectoryW, MultiByteToWideChar, lstrcatW, CloseHandle, LockFileEx, GetFileSize, WideCharToMultiByte, lstrcpyW, lstrcmpiW, lstrcmpW, FlushFileBuffers, GetShortPathNameW, LocalAlloc, GetFileAttributesW, SetFileAttributesW, FormatMessageW, GetLastError, GetCurrentDirectoryW, LocalFree, WaitForSingleObject, CreateEventW, SetEvent, GlobalAlloc, GlobalFree, ResetEvent, SizeofResource, SearchPathW, GetLocaleInfoEx, FreeResource, OpenProcess, LockResource, LoadLibraryW, LoadResource, FindResourceW, GetWindowsDirectoryW, GetProcAddress, GlobalLock, GlobalUnlock, MulDiv, CreateDirectoryW, FindFirstFileW, GetCommandLineW, SetThreadUILanguage, SetErrorMode, FindClose, GetUserPreferredUILanguages, FindFirstChangeNotificationW, GetVersion, ResolveLocaleName, GlobalSize, FileTimeToSystemTime, FindCloseChangeNotification, FileTimeToLocalFileTime, FindNextChangeNotification, SetCurrentDirectoryW, GetTimeFormatW, VerSetConditionMask, CopyFileW, VerifyVersionInfoW, SetThreadPreferredUILanguages, IsValidLocaleName, GetDateFormatW, MapViewOfFile, CreateFileMappingW, LocaleNameToLCID, FindResourceExW, LCIDToLocaleName, UnmapViewOfFile, GetVersionExW, GetLocaleInfoW, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, SetLastError, SetUnhandledExceptionFilter, GetConsoleOutputCP, HeapReAlloc, HeapSize, SetFilePointerEx, GetFileSizeEx, GetStringTypeW, SetStdHandle, OutputDebugStringW, SetConsoleCtrlHandler, GetProcessHeap, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, LCMapStringW, CompareStringW, GetTempPathW, GetFileType, HeapAlloc, HeapFree, GetCurrentThread, GetStdHandle, ExitProcess, GetModuleHandleExW, FreeLibraryAndExitThread, ResumeThread, ExitThread, CreateThread, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, EncodePointer, InterlockedFlushSList, InterlockedPushEntrySList, RtlUnwind, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, GetStartupInfoW, IsDebuggerPresent, IsProcessorFeaturePresent, TerminateProcess, GetCurrentProcess, WriteConsoleW |
GDI32.dll | GetStockObject, SetBkColor, ExtTextOutW, EnumFontsW, GetDeviceCaps, SetTextColor, GetObjectW, DeleteObject, CreateSolidBrush, CreateFontIndirectW |
COMDLG32.dll | GetOpenFileNameW, ChooseColorW, GetSaveFileNameW |
ADVAPI32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey |
SHELL32.dll | SHGetFolderPathW, SHGetSpecialFolderPathW, ShellExecuteW, SHCreateDirectoryExW, SHFileOperationW, SHBrowseForFolderW, SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHGetFileInfoW, SHGetDesktopFolder, SHAppBarMessage, DragQueryFileW, Shell_NotifyIconW, DragAcceptFiles, DragFinish, SHGetDataFromIDListW |
ole32.dll | OleUninitialize, CoCreateInstance, OleInitialize, CoUninitialize, CoTaskMemAlloc, CoTaskMemFree, CoInitialize, DoDragDrop |
ntdll.dll | RtlGetNtVersionNumbers |
COMCTL32.dll | ImageList_Create, PropertySheetW, ImageList_Destroy, InitCommonControlsEx, InitMUILanguage, ImageList_AddMasked |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 27, 2024 13:34:11.783355951 CET | 49730 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:34:11.789092064 CET | 9292 | 49730 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:34:11.789196014 CET | 49730 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:34:11.789288044 CET | 49730 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:34:11.794573069 CET | 9292 | 49730 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:34:16.787244081 CET | 49730 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:34:16.833224058 CET | 9292 | 49730 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:34:20.280524969 CET | 9292 | 49730 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:34:20.280611992 CET | 49730 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:34:21.799123049 CET | 49732 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:34:21.805236101 CET | 9292 | 49732 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:34:21.805329084 CET | 49732 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:34:21.805419922 CET | 49732 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:34:21.810806036 CET | 9292 | 49732 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:34:26.819540024 CET | 49732 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:34:26.869214058 CET | 9292 | 49732 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:34:30.277496099 CET | 9292 | 49732 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:34:30.277601004 CET | 49732 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:34:31.814790964 CET | 57285 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:34:31.820261955 CET | 9292 | 57285 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:34:31.820384979 CET | 57285 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:34:31.826812983 CET | 57285 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:34:31.832305908 CET | 9292 | 57285 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:34:36.817424059 CET | 57285 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:34:36.864985943 CET | 9292 | 57285 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:34:40.304459095 CET | 9292 | 57285 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:34:40.304517984 CET | 57285 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:34:41.830601931 CET | 61613 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:34:41.836396933 CET | 9292 | 61613 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:34:41.836488008 CET | 61613 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:34:41.836597919 CET | 61613 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:34:41.841995001 CET | 9292 | 61613 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:34:46.835638046 CET | 61613 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:34:46.885063887 CET | 9292 | 61613 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:34:50.330899954 CET | 9292 | 61613 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:34:50.330985069 CET | 61613 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:34:51.846118927 CET | 61614 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:34:51.851573944 CET | 9292 | 61614 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:34:51.851684093 CET | 61614 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:34:51.851799965 CET | 61614 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:34:51.857112885 CET | 9292 | 61614 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:34:56.864299059 CET | 61614 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:34:56.916925907 CET | 9292 | 61614 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:35:00.346184015 CET | 9292 | 61614 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:35:00.346270084 CET | 61614 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:35:01.861726999 CET | 61656 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:35:01.867188931 CET | 9292 | 61656 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:35:01.867331028 CET | 61656 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:35:01.869628906 CET | 61656 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:35:01.875085115 CET | 9292 | 61656 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:35:06.864937067 CET | 61656 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:35:06.912849903 CET | 9292 | 61656 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:35:10.350969076 CET | 9292 | 61656 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:35:10.351082087 CET | 61656 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:35:11.861601114 CET | 61703 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:35:11.868324995 CET | 9292 | 61703 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:35:11.868417978 CET | 61703 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:35:11.868556023 CET | 61703 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:35:11.874031067 CET | 9292 | 61703 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:35:16.880661011 CET | 61703 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:35:16.932826042 CET | 9292 | 61703 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:35:20.352214098 CET | 9292 | 61703 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:35:20.352279902 CET | 61703 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:35:21.877628088 CET | 61763 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:35:21.883035898 CET | 9292 | 61763 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:35:21.883117914 CET | 61763 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:35:21.885938883 CET | 61763 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:35:21.891283989 CET | 9292 | 61763 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:35:26.879899025 CET | 61763 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:35:26.928884983 CET | 9292 | 61763 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:35:30.373018026 CET | 9292 | 61763 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:35:30.373071909 CET | 61763 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:35:31.877552986 CET | 61815 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:35:31.883064032 CET | 9292 | 61815 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:35:31.883183002 CET | 61815 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:35:31.883372068 CET | 61815 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:35:31.888717890 CET | 9292 | 61815 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:35:36.895448923 CET | 61815 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:35:36.944798946 CET | 9292 | 61815 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:35:40.615582943 CET | 9292 | 61815 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:35:40.615657091 CET | 61815 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:35:40.615808964 CET | 9292 | 61815 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:35:40.615875006 CET | 61815 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:35:40.621521950 CET | 9292 | 61815 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:35:41.908468962 CET | 61870 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:35:41.913906097 CET | 9292 | 61870 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:35:41.914000988 CET | 61870 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:35:41.914097071 CET | 61870 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:35:41.919430017 CET | 9292 | 61870 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:35:46.926808119 CET | 61870 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:35:46.972876072 CET | 9292 | 61870 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:35:50.421715021 CET | 9292 | 61870 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:35:50.421792984 CET | 61870 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:35:51.924335957 CET | 61886 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:35:52.008287907 CET | 9292 | 61886 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:35:52.008548021 CET | 61886 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:35:52.008642912 CET | 61886 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:35:52.014027119 CET | 9292 | 61886 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:35:56.943942070 CET | 61886 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:35:56.992861032 CET | 9292 | 61886 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:36:00.754256010 CET | 9292 | 61886 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:36:00.754374027 CET | 61886 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:36:00.754688978 CET | 9292 | 61886 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:36:00.754750013 CET | 61886 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:36:00.760144949 CET | 9292 | 61886 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:36:01.956406116 CET | 61887 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:36:01.961944103 CET | 9292 | 61887 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:36:01.962044954 CET | 61887 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:36:01.962173939 CET | 61887 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:36:01.967758894 CET | 9292 | 61887 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:36:06.959000111 CET | 61887 | 9292 | 192.168.2.4 | 138.201.226.224 |
Oct 27, 2024 13:36:07.005232096 CET | 9292 | 61887 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:36:10.440973043 CET | 9292 | 61887 | 138.201.226.224 | 192.168.2.4 |
Oct 27, 2024 13:36:10.441144943 CET | 61887 | 9292 | 192.168.2.4 | 138.201.226.224 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 27, 2024 13:34:25.540486097 CET | 53 | 51059 | 1.1.1.1 | 192.168.2.4 |
Oct 27, 2024 13:34:39.244575977 CET | 53 | 54382 | 1.1.1.1 | 192.168.2.4 |
Target ID: | 0 |
Start time: | 08:34:03 |
Start date: | 27/10/2024 |
Path: | C:\Users\user\Desktop\dZIZhRHDXv.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd80000 |
File size: | 1'374'208 bytes |
MD5 hash: | E5A12459A39AA142A12C58D9AFBE5B0D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 08:34:07 |
Start date: | 27/10/2024 |
Path: | C:\Windows\SysWOW64\dialer.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x340000 |
File size: | 32'256 bytes |
MD5 hash: | E4BD77FB64DDE78F1A95ECE09F6A9B85 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | moderate |
Has exited: | false |
Target ID: | 4 |
Start time: | 08:34:07 |
Start date: | 27/10/2024 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x570000 |
File size: | 483'680 bytes |
MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 6 |
Start time: | 08:34:07 |
Start date: | 27/10/2024 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x570000 |
File size: | 483'680 bytes |
MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Execution Graph
Execution Coverage: | 1.2% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 42.3% |
Total number of Nodes: | 787 |
Total number of Limit Nodes: | 17 |
Graph
Function 00DEA0B0 Relevance: 130.0, APIs: 18, Strings: 56, Instructions: 534stringCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00DFE360 Relevance: 93.1, APIs: 43, Strings: 10, Instructions: 336windowcomregistryCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02902F40 Relevance: 9.4, APIs: 4, Strings: 1, Instructions: 614memoryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 029102CC Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128memoryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00DE9C80 Relevance: 91.2, APIs: 47, Strings: 5, Instructions: 199stringCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00DFE910 Relevance: 49.3, APIs: 22, Strings: 6, Instructions: 303windowstringCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00DE96A0 Relevance: 42.1, APIs: 23, Strings: 1, Instructions: 145stringCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00E077E6 Relevance: 28.5, APIs: 12, Strings: 4, Instructions: 501libraryCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00DE7440 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 115memorylibraryCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 029010D0 Relevance: 3.1, APIs: 2, Instructions: 85memoryCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02910098 Relevance: 2.7, APIs: 2, Instructions: 163memoryCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00E009E0 Relevance: 158.5, APIs: 77, Strings: 13, Instructions: 1034windowlibrarystringCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00E02050 Relevance: 114.6, APIs: 60, Strings: 5, Instructions: 892windowCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00E066D0 Relevance: 73.9, APIs: 40, Strings: 2, Instructions: 409stringwindowmemoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00E0DFC9 Relevance: 46.7, APIs: 25, Strings: 1, Instructions: 1201COMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00DF86E0 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 70windowstringmemoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00E1A080 Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 455COMMONLIBRARYCODE
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00E5690C Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1473COMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00DFBE60 Relevance: 9.1, APIs: 6, Instructions: 75stringCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00E53459 Relevance: 7.7, APIs: 5, Instructions: 182COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00DFE070 Relevance: 7.6, APIs: 5, Instructions: 109memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00E4CEA5 Relevance: 6.1, APIs: 4, Instructions: 129fileCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00E09D68 Relevance: 6.1, APIs: 4, Instructions: 70COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00E0874A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00E52F01 Relevance: 4.7, APIs: 3, Instructions: 205COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00E503BC Relevance: 3.0, APIs: 2, Instructions: 50COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00E07391 Relevance: 3.0, APIs: 2, Instructions: 38COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00E30E3D Relevance: 2.9, Strings: 2, Instructions: 389COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00E31240 Relevance: 2.9, Strings: 2, Instructions: 385COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00E554EF Relevance: 2.8, APIs: 1, Instructions: 1290COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00E09B84 Relevance: 1.6, APIs: 1, Instructions: 147COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00E30A49 Relevance: 1.6, Strings: 1, Instructions: 385COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00E2F953 Relevance: 1.6, Strings: 1, Instructions: 337COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00E53154 Relevance: 1.6, APIs: 1, Instructions: 83COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00E3037E Relevance: 1.6, Strings: 1, Instructions: 332COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00E30020 Relevance: 1.6, Strings: 1, Instructions: 328COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00E306EB Relevance: 1.6, Strings: 1, Instructions: 328COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00E2EF61 Relevance: 1.6, Strings: 1, Instructions: 322COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00E2EC1F Relevance: 1.6, Strings: 1, Instructions: 318COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
00E2F2B2 | 1.6 | | 1 | 318 | COMMON |
00E52DDB | 1.6 | 1 | | 63 | COMMON |
00E53383 | 1.5 | 1 | | 48 | COMMON |
00E52E76 | 1.5 | 1 | | 41 | COMMON |
00E0710F | 1.5 | 1 | | 34 | COMMON |
00E49502 | 1.5 | 1 | | 33 | COMMON |
00E52D72 | 1.5 | 1 | | 31 | COMMON |
00E49FE8 | 1.5 | 1 | | 24 | COMMON |
00E496A1 | 1.5 | 1 | | 14 | COMMON |
00D83987 | 1.5 | | 1 | 234 | COMMON |
00E4A027 | 1.3 | | 1 | 23 | COMMON |
02902640 | 0.6 | | | 629 | COMMON |
02901FA0 | 0.6 | | | 616 | COMMON |
00E173E0 | 0.5 | | | 525 | COMMON |
02901A40 | 0.5 | | | 503 | COMMON |
00E1AA70 | 0.4 | | | 402 | COMMON |
00E2FCC1 | 0.3 | | | 333 | COMMON, LIBRARYCODE |
00E1A620 | 0.3 | | | 262 | COMMON |
00E17F77 | 0.2 | | | 156 | COMMON |
02901710 | 0.1 | | | 52 | COMMON |
02910277 | 0.0 | | | 35 | COMMON |
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
00E04FE0 | 105.4 | 53 | 7 | 387 | string, window, COMMON |
00DF4C70 | 103.7 | 54 | 5 | 415 | string, window, COMMON |
00E055E0 | 70.4 | 39 | 1 | 368 | string, memory, COMMON |
00DF5610 | 54.5 | 28 | 3 | 249 | window, string, COMMON |
00DE9990 | 54.5 | 25 | 6 | 207 | string, COMMON |
00E01DD0 | 47.5 | 25 | 2 | 208 | window, string, COMMON |
00DF7B90 | 44.0 | 23 | 2 | 253 | window, COMMON |
00DF8AD0 | 42.4 | 20 | 4 | 380 | window, string, memory, COMMON |
00DFB430 | 35.1 | 18 | 2 | 148 | string, COMMON |
00DFB620 | 31.6 | 16 | 2 | 114 | string, COMMON |
00E064A0 | 25.6 | 6 | 11 | 123 | string, COMMON |
00DF9CB0 | 24.7 | 12 | 2 | 201 | window, memory, COMMON |
00DFB090 | 22.9 | 12 | 1 | 120 | string, window, COMMON |
00E13C69 | 19.4 | 6 | 5 | 185 | COMMON, LIBRARYCODE |
00DF8830 | 19.3 | 9 | 2 | 88 | window, memory, string, COMMON |
00DF8A30 | 19.3 | 9 | 2 | 50 | window, synchronization, COMMON |
00DF9000 | 18.2 | 12 | | 231 | window, memory, synchronization, COMMON |
00DFB200 | 17.7 | 8 | 2 | 155 | window, string, COMMON |
00DFD430 | 17.6 | 7 | 3 | 124 | window, COMMON |
00DE95B0 | 17.6 | 9 | 1 | 80 | file, COMMON |
00DF8540 | 15.9 | 8 | 1 | 122 | string, window, COMMON |
00DF3180 | 15.8 | 8 | 1 | 93 | string, COMMON |
00DFBDC0 | 15.8 | 7 | 2 | 59 | string, COMMON |
00E47897 | 14.3 | 7 | 1 | 329 | COMMON, LIBRARYCODE |
00E0C4E2 | 14.3 | 5 | 3 | 303 | COMMON, LIBRARYCODE |
00E103E6 | 14.2 | 4 | 4 | 192 | COMMON, LIBRARYCODE |
00DE8AE0 | 14.1 | 5 | 3 | 118 | file, COMMON |
00DE8FE0 | 14.1 | 5 | 3 | 106 | file, COMMON |
00DE9860 | 14.1 | 7 | 1 | 85 | string, COMMON |
00DE7F10 | 14.1 | 5 | 3 | 80 | file, COMMON |
00DFC7A0 | 12.4 | 3 | 4 | 187 | string, COMMON |
00DF9FB0 | 12.3 | 6 | 1 | 83 | window, COMMON |
00DFAF00 | 12.1 | 8 | | 65 | window, COMMON |
00E11D79 | 10.7 | 5 | 1 | 178 | COMMON, LIBRARYCODE |
00DE9280 | 10.7 | 3 | 3 | 174 | file, COMMON |
00DE89E0 | 10.6 | 5 | 1 | 83 | string, file, COMMON |
00E49A61 | 10.6 | 4 | 2 | 74 | COMMON, LIBRARYCODE |
00E0716C | 10.6 | 3 | 3 | 59 | registry, COMMON |
00E00930 | 10.6 | 7 | | 51 | COMMON |
00E08695 | 10.5 | 3 | 3 | 45 | library, loader, COMMON, LIBRARYCODE |
00E5CADA | 9.3 | 6 | | 292 | COMMON |
00E5D002 | 9.2 | 6 | | 248 | COMMON |
00DF9480 | 9.1 | 6 | | 119 | window, COMMON |
00DFD650 | 9.0 | 6 | | 41 | COMMON |
00DFB010 | 9.0 | 6 | | 35 | COMMON |
00DFB930 | 8.8 | 4 | 1 | 59 | string, COMMON |
00E41B40 | 8.8 | 3 | 2 | 42 | library, loader, COMMON, LIBRARYCODE |
00E49C27 | 8.8 | 3 | 2 | 35 | library, COMMON |
00DFE010 | 8.8 | 2 | 3 | 30 | thread, COMMON |
00DFBB00 | 7.6 | 5 | | 53 | string, COMMON |
00E0C887 | 7.1 | 2 | 2 | 112 | COMMON, LIBRARYCODE |
00E1063A | 7.1 | 3 | 1 | 102 | COMMON, LIBRARYCODE |
00E13278 | 7.1 | 3 | 1 | 96 | COMMON, LIBRARYCODE |
00E06360 | 7.1 | 3 | 1 | 53 | string, window, COMMON |
00E14776 | 7.0 | 3 | 1 | 27 | library, COMMON, LIBRARYCODE |
00E4C686 | 6.1 | 4 | | 82 | COMMON |
00E4D6CB | 6.1 | 4 | | 79 | COMMON |
00E4E947 | 6.1 | 4 | | 74 | COMMON |
00E37D5D | 6.1 | 4 | | 55 | thread, COMMON |
00E5C279 | 6.1 | 4 | | 54 | COMMON |
00E5E971 | 6.0 | 4 | | 32 | COMMON |
00E4F761 | 5.6 | 2 | 1 | 311 | COMMON, LIBRARYCODE |
00E12B85 | 5.4 | 2 | 1 | 144 | COMMON, LIBRARYCODE |
00E10CEE | 5.3 | 2 | 1 | 71 | COMMON, LIBRARYCODE |
00E0D6AD | 5.3 | 2 | 1 | 43 | COMMON, LIBRARYCODE |
00E0D70D | 5.3 | 2 | 1 | 41 | COMMON, LIBRARYCODE |
00DFB790 | 5.3 | 2 | 1 | 35 | string, COMMON |

Execution Graph
Execution Coverage: | 2.4% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 1.5% |
Total number of Nodes: | 1579 |
Total number of Limit Nodes: | 17 |
Graph
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
057C9F64 | 12.1 | 8 | | 122 | network, registry, COMMON |
030702D4 | 14.2 | 7 | 1 | 167 | memory, file, COMMON |
057CA387 | 10.7 | 7 | | 157 | network, registry, COMMON |
057C9B02 | 7.6 | 5 | | 94 | network, COMMON |
057CA0C0 | 4.6 | 3 | | 136 | COMMON |
057CAA5B | 4.6 | 3 | | 119 | COMMON |
057CA983 | 3.1 | 2 | | 86 | network, COMMON |
030700A0 | 2.7 | 2 | | 163 | memory, COMMON |
057CF03C | 2.6 | 2 | | 82 | string, COMMON |
057C46ED | 2.5 | 2 | | 38 | COMMON |
057C9EF3 | 1.5 | 1 | | 46 | COMMON |
057CE7AC | 1.3 | 1 | | 66 | COMMON |
057C1BD9 | 1.3 | 1 | | 28 | COMMON |
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
057C4AB5 | 31.6 | 25 | | 300 | COMMON |
057C9CA2 | 16.7 | 11 | | 168 | network, registry, COMMON |
057C2E70 | 12.5 | 6 | 1 | 263 | string, COMMON |
057CB2A0 | 10.6 | 7 | | 83 | network, synchronization, COMMON |
057C4F5A | 8.8 | 7 | | 82 | COMMON |
057D51E4 | 7.8 | 6 | | 347 | COMMON |
057CC5F6 | 7.7 | 3 | 2 | 158 | string, COMMON |
057C50CC | 6.3 | 5 | | 62 | COMMON |
057C5199 | 6.3 | 5 | | 58 | COMMON |
057C39C1 | 6.1 | 4 | | 89 | network, COMMON |
057CA53B | 5.5 | 2 | 1 | 248 | network, COMMON |