Edit tour
Windows
Analysis Report
file.exe
Overview
General Information
| Sample name: | file.exe |
| Analysis ID: | 1545970 |
| MD5: | fd89c359ab4ac38da6cf7fe6dabdb457 |
| SHA1: | 9c2a99beb692849ba3eb11d114334636df04f5ff |
| SHA256: | a19257d178d7f240c830b29e8bb55d9b6320dc1b56795e4fa90267419ed4070c |
| Tags: | exeuser-Bitsight |
| Infos: |  |
 | |
Detection
CredGrabber, Meduza Stealer
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected CredGrabber
Yara detected Meduza Stealer
AI detected suspicious sample
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Suricata IDS alerts with low severity for network traffic
Terminates after testing mutex exists (may check infected machine status)
Uses Microsoft's Enhanced Cryptographic Provider
Yara detected Credential Stealer
Classification
- System is w10x64
file.exe (PID: 5592 cmdline: "C:\Users\ user\Deskt op\file.ex e" MD5: FD89C359AB4AC38DA6CF7FE6DABDB457)
- cleanup
{"C2 url": "109.172.94.66", "grabber_max_size": 1048576, "anti_vm": true, "anti_dbg": true, "self_destruct": false, "extensions": ".txt", "build_name": "Install", "links": "", "port": 15666}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_MeduzaStealer | Yara detected Meduza Stealer | Joe Security | ||
| JoeSecurity_MeduzaStealer | Yara detected Meduza Stealer | Joe Security | ||
| JoeSecurity_MeduzaStealer | Yara detected Meduza Stealer | Joe Security | ||
| JoeSecurity_MeduzaStealer | Yara detected Meduza Stealer | Joe Security | ||
| JoeSecurity_CredGrabber | Yara detected CredGrabber | Joe Security | ||
| Click to see the 1 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_MeduzaStealer | Yara detected Meduza Stealer | Joe Security | ||
| JoeSecurity_MeduzaStealer | Yara detected Meduza Stealer | Joe Security | ||
| JoeSecurity_MeduzaStealer | Yara detected Meduza Stealer | Joe Security | ||
| JoeSecurity_MeduzaStealer | Yara detected Meduza Stealer | Joe Security |
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-31T11:10:07.468567+0100 | 2022930 | 1 | A Network Trojan was detected | 4.245.163.56 | 443 | 192.168.2.6 | 49719 | TCP |
| 2024-10-31T11:10:45.635342+0100 | 2022930 | 1 | A Network Trojan was detected | 4.245.163.56 | 443 | 192.168.2.6 | 49724 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-31T11:09:55.586930+0100 | 2049441 | 1 | A Network Trojan was detected | 192.168.2.6 | 49717 | 109.172.94.66 | 15666 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-31T11:09:55.586930+0100 | 2050806 | 1 | A Network Trojan was detected | 192.168.2.6 | 49717 | 109.172.94.66 | 15666 | TCP |
| 2024-10-31T11:09:55.592027+0100 | 2050806 | 1 | A Network Trojan was detected | 192.168.2.6 | 49717 | 109.172.94.66 | 15666 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-31T11:09:55.586930+0100 | 2050807 | 1 | A Network Trojan was detected | 192.168.2.6 | 49717 | 109.172.94.66 | 15666 | TCP |
| 2024-10-31T11:09:55.592027+0100 | 2050807 | 1 | A Network Trojan was detected | 192.168.2.6 | 49717 | 109.172.94.66 | 15666 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Code function: | 0_2_0000012A222D3B40 | |
| Source: | Code function: | 0_2_0000012A222D3E40 | |
| Source: | Code function: | 0_2_0000012A22298060 | |
| Source: | Code function: | 0_2_0000012A22337090 | |
| Source: | Code function: | 0_2_0000012A22337098 | |
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_0000012A22297350 | |
| Source: | Code function: | 0_2_0000012A2231B6BC | |
| Source: | Code function: | 0_2_0000012A2231B76C | |
| Source: | Code function: | 0_2_0000012A22337100 | |
| Source: | Code function: | 0_2_0000012A222E2D90 | |
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | TCP traffic: | ||
| Source: | HTTP traffic detected: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | DNS query: | ||
| Source: | DNS query: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 0_2_0000012A222E0CC0 | |
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 0_2_0000012A222E1580 | |
| Source: | Code function: | 0_2_0000012A222E6060 | |
| Source: | Code function: | 0_2_0000012A223376D0 | |
| Source: | Code function: | 0_2_0000012A223376C0 | |
| Source: | Code function: | 0_2_0000012A222E5920 | |
| Source: | Code function: | 0_2_00007FF7A44DD190 | |
| Source: | Code function: | 0_2_00007FF7A44EA200 | |
| Source: | Code function: | 0_2_00007FF7A44DCE20 | |
| Source: | Code function: | 0_2_00007FF7A44DC9F0 | |
| Source: | Code function: | 0_2_0000012A222F8E40 | |
| Source: | Code function: | 0_2_0000012A222E8F60 | |
| Source: | Code function: | 0_2_0000012A222FEFBC | |
| Source: | Code function: | 0_2_0000012A222E0CC0 | |
| Source: | Code function: | 0_2_0000012A2229CDE0 | |
| Source: | Code function: | 0_2_0000012A222C3210 | |
| Source: | Code function: | 0_2_0000012A222E2240 | |
| Source: | Code function: | 0_2_0000012A223022FC | |
| Source: | Code function: | 0_2_0000012A22297350 | |
| Source: | Code function: | 0_2_0000012A2229F060 | |
| Source: | Code function: | 0_2_0000012A222E3040 | |
| Source: | Code function: | 0_2_0000012A22291130 | |
| Source: | Code function: | 0_2_0000012A2231B76C | |
| Source: | Code function: | 0_2_0000012A222A43F0 | |
| Source: | Code function: | 0_2_0000012A222E0480 | |
| Source: | Code function: | 0_2_0000012A222E8578 | |
| Source: | Code function: | 0_2_0000012A222E1580 | |
| Source: | Code function: | 0_2_0000012A222E3A60 | |
| Source: | Code function: | 0_2_0000012A222EAAE0 | |
| Source: | Code function: | 0_2_0000012A22291820 | |
| Source: | Code function: | 0_2_0000012A222DA8F0 | |
| Source: | Code function: | 0_2_0000012A2229D930 | |
| Source: | Code function: | 0_2_0000012A2229E9C0 | |
| Source: | Code function: | 0_2_0000012A22291E50 | |
| Source: | Code function: | 0_2_0000012A22299E39 | |
| Source: | Code function: | 0_2_0000012A2230AE2C | |
| Source: | Code function: | 0_2_0000012A22305EC4 | |
| Source: | Code function: | 0_2_0000012A222D1EB0 | |
| Source: | Code function: | 0_2_0000012A222ACF20 | |
| Source: | Code function: | 0_2_0000012A222CEF60 | |
| Source: | Code function: | 0_2_0000012A2231DF80 | |
| Source: | Code function: | 0_2_0000012A222CDFC0 | |
| Source: | Code function: | 0_2_0000012A222CEC30 | |
| Source: | Code function: | 0_2_0000012A222FFC34 | |
| Source: | Code function: | 0_2_0000012A222D0D50 | |
| Source: | Code function: | 0_2_0000012A222D6D60 | |
| Source: | Code function: | 0_2_0000012A222F6D5C | |
| Source: | Code function: | 0_2_0000012A222BCD2D | |
| Source: | Code function: | 0_2_0000012A222BB290 | |
| Source: | Code function: | 0_2_0000012A222922AE | |
| Source: | Code function: | 0_2_0000012A222982B0 | |
| Source: | Code function: | 0_2_0000012A222CE2C0 | |
| Source: | Code function: | 0_2_0000012A222B7300 | |
| Source: | Code function: | 0_2_0000012A2229C300 | |
| Source: | Code function: | 0_2_0000012A222D2360 | |
| Source: | Code function: | 0_2_0000012A222F6344 | |
| Source: | Code function: | 0_2_0000012A2230B398 | |
| Source: | Code function: | 0_2_0000012A22267010 | |
| Source: | Code function: | 0_2_0000012A22323010 | |
| Source: | Code function: | 0_2_0000012A222E6060 | |
| Source: | Code function: | 0_2_0000012A223000E4 | |
| Source: | Code function: | 0_2_0000012A222660C0 | |
| Source: | Code function: | 0_2_0000012A222F70EC | |
| Source: | Code function: | 0_2_0000012A222B0189 | |
| Source: | Code function: | 0_2_0000012A223011E4 | |
| Source: | Code function: | 0_2_0000012A2229B1E0 | |
| Source: | Code function: | 0_2_0000012A222ED60A | |
| Source: | Code function: | 0_2_0000012A222F75F4 | |
| Source: | Code function: | 0_2_0000012A222CE5F0 | |
| Source: | Code function: | 0_2_0000012A222CA660 | |
| Source: | Code function: | 0_2_0000012A22306634 | |
| Source: | Code function: | 0_2_0000012A222F263C | |
| Source: | Code function: | 0_2_0000012A222F6714 | |
| Source: | Code function: | 0_2_0000012A22300764 | |
| Source: | Code function: | 0_2_0000012A222AE7A9 | |
| Source: | Code function: | 0_2_0000012A223097C4 | |
| Source: | Code function: | 0_2_0000012A2231E400 | |
| Source: | Code function: | 0_2_0000012A222E6460 | |
| Source: | Code function: | 0_2_0000012A222D8490 | |
| Source: | Code function: | 0_2_0000012A22266480 | |
| Source: | Code function: | 0_2_0000012A222D4520 | |
| Source: | Code function: | 0_2_0000012A222F652C | |
| Source: | Code function: | 0_2_0000012A22302578 | |
| Source: | Code function: | 0_2_0000012A222C65D0 | |
| Source: | Code function: | 0_2_0000012A222FA5CC | |
| Source: | Code function: | 0_2_0000012A222DE9F3 | |
| Source: | Code function: | 0_2_0000012A22287A00 | |
| Source: | Code function: | 0_2_0000012A222F4A50 | |
| Source: | Code function: | 0_2_0000012A22302B00 | |
| Source: | Code function: | 0_2_0000012A22307B08 | |
| Source: | Code function: | 0_2_0000012A222F2B34 | |
| Source: | Code function: | 0_2_0000012A222D1B80 | |
| Source: | Code function: | 0_2_0000012A222D9BD0 | |
| Source: | Code function: | 0_2_0000012A222DC840 | |
| Source: | Code function: | 0_2_0000012A222AC870 | |
| Source: | Code function: | 0_2_0000012A222CE910 | |
| Source: | Code function: | 0_2_0000012A22266900 | |
| Source: | Code function: | 0_2_0000012A222DE9E3 | |
| Source: | Code function: | 0_2_0000012A222899B0 | |
| Source: | Code function: | 0_2_0000012A222869C0 | |
| Source: | Code function: | 0_2_00007FF7A44DD5E0 | |
| Source: | Code function: | 0_2_00007FF7A45216C0 | |
| Source: | Code function: | 0_2_00007FF7A44DD2E0 | |
| Source: | Code function: | 0_2_00007FF7A4522DD0 | |
| Source: | Code function: | 0_2_00007FF7A44F956C | |
| Source: | Code function: | 0_2_00007FF7A44EC558 | |
| Source: | Code function: | 0_2_00007FF7A4520540 | |
| Source: | Code function: | 0_2_00007FF7A44FD674 | |
| Source: | Code function: | 0_2_00007FF7A450E777 | |
| Source: | Code function: | 0_2_00007FF7A454678C | |
| Source: | Code function: | 0_2_00007FF7A44DC7E0 | |
| Source: | Code function: | 0_2_00007FF7A4510810 | |
| Source: | Code function: | 0_2_00007FF7A4514810 | |
| Source: | Code function: | 0_2_00007FF7A45157F0 | |
| Source: | Code function: | 0_2_00007FF7A44F279C | |
| Source: | Code function: | 0_2_00007FF7A44FF87C | |
| Source: | Code function: | 0_2_00007FF7A45028E8 | |
| Source: | Code function: | 0_2_00007FF7A44EC8E8 | |
| Source: | Code function: | 0_2_00007FF7A45048DC | |
| Source: | Code function: | 0_2_00007FF7A44F08B4 | |
| Source: | Code function: | 0_2_00007FF7A4518130 | |
| Source: | Code function: | 0_2_00007FF7A4525210 | |
| Source: | Code function: | 0_2_00007FF7A44F51A0 | |
| Source: | Code function: | 0_2_00007FF7A45292E0 | |
| Source: | Code function: | 0_2_00007FF7A452E350 | |
| Source: | Code function: | 0_2_00007FF7A452A3F0 | |
| Source: | Code function: | 0_2_00007FF7A44E2470 | |
| Source: | Code function: | 0_2_00007FF7A44DB420 | |
| Source: | Code function: | 0_2_00007FF7A44FA514 | |
| Source: | Code function: | 0_2_00007FF7A44E9500 | |
| Source: | Code function: | 0_2_00007FF7A44DC4B0 | |
| Source: | Code function: | 0_2_00007FF7A44F6D8C | |
| Source: | Code function: | 0_2_00007FF7A4539D70 | |
| Source: | Code function: | 0_2_00007FF7A4515D20 | |
| Source: | Code function: | 0_2_00007FF7A452CD30 | |
| Source: | Code function: | 0_2_00007FF7A44ECDF0 | |
| Source: | Code function: | 0_2_00007FF7A4500DAC | |
| Source: | Code function: | 0_2_00007FF7A44D4DA0 | |
| Source: | Code function: | 0_2_00007FF7A4513DB0 | |
| Source: | Code function: | 0_2_00007FF7A44F8EEC | |
| Source: | Code function: | 0_2_00007FF7A450DEC8 | |
| Source: | Code function: | 0_2_00007FF7A44EBEA0 | |
| Source: | Code function: | 0_2_00007FF7A4526FF0 | |
| Source: | Code function: | 0_2_00007FF7A4539070 | |
| Source: | Code function: | 0_2_00007FF7A4539050 | |
| Source: | Code function: | 0_2_00007FF7A4520100 | |
| Source: | Code function: | 0_2_00007FF7A451C110 | |
| Source: | Code function: | 0_2_00007FF7A44FF10C | |
| Source: | Code function: | 0_2_00007FF7A45050D4 | |
| Source: | Code function: | 0_2_00007FF7A45450B0 | |
| Source: | Code function: | 0_2_00007FF7A44DC9F0 | |
| Source: | Code function: | 0_2_00007FF7A44DB9A0 | |
| Source: | Code function: | 0_2_00007FF7A44F19D0 | |
| Source: | Code function: | 0_2_00007FF7A4522A70 | |
| Source: | Code function: | 0_2_00007FF7A44F8A3C | |
| Source: | Code function: | 0_2_00007FF7A44DAAB0 | |
| Source: | Code function: | 0_2_00007FF7A44EBAD0 | |
| Source: | Code function: | 0_2_00007FF7A44E2B80 | |
| Source: | Code function: | 0_2_00007FF7A44E5B80 | |
| Source: | Code function: | 0_2_00007FF7A4513B70 | |
| Source: | Code function: | 0_2_00007FF7A4516B36 | |
| Source: | Code function: | 0_2_00007FF7A44F4BB0 | |
| Source: | Code function: | 0_2_00007FF7A452BBB0 | |
| Source: | Code function: | 0_2_00007FF7A44F2C94 | |
| Source: | Code function: | 0_2_00007FF7A44E1C50 | |
| Source: | Code function: | 0_2_00007FF7A44EBCB8 | |
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_0000012A222E78B0 | |
| Source: | Code function: | 0_2_0000012A22337008 | |
| Source: | Code function: | 0_2_0000012A2229E9C0 | |
| Source: | Code function: | 0_2_0000012A222D0F97 | |
| Source: | Mutant created: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_0000012A2229D930 | |
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_0000012A222D8020 | |
| Source: | Code function: | 0_2_0000012A22297350 | |
| Source: | Code function: | 0_2_0000012A2231B6BC | |
| Source: | Code function: | 0_2_0000012A2231B76C | |
| Source: | Code function: | 0_2_0000012A22337100 | |
| Source: | Code function: | 0_2_0000012A222E2D90 | |
| Source: | Code function: | 0_2_0000012A222F8CE0 | |
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | API call chain: | graph_0-105728 | ||
| Source: | API call chain: | graph_0-105732 | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_0000012A222E6060 | |
| Source: | Code function: | 0_2_0000012A222F1688 | |
| Source: | Code function: | 0_2_0000012A2231D6E0 | |
| Source: | Code function: | 0_2_0000012A2229D930 | |
| Source: | Code function: | 0_2_0000012A22309084 | |
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Code function: | 0_2_0000012A223372E0 | |
| Source: | Code function: | 0_2_0000012A222F1688 | |
| Source: | Code function: | 0_2_00007FF7A45075E8 | |
| Source: | Code function: | 0_2_00007FF7A4507908 | |
| Source: | Code function: | 0_2_00007FF7A44EE950 | |
| Source: | Code function: | 0_2_00007FF7A4507AEC | |
| Source: | Code function: | 0_2_0000012A222D6D60 | |
| Source: | Code function: | 0_2_00007FF7A45068D0 | |
| Source: | Code function: | 0_2_0000012A2231B330 | |
| Source: | Code function: | 0_2_0000012A223080AC | |
| Source: | Code function: | 0_2_0000012A222FD620 | |
| Source: | Code function: | 0_2_0000012A223087AC | |
| Source: | Code function: | 0_2_0000012A223083F8 | |
| Source: | Code function: | 0_2_0000012A223084C8 | |
| Source: | Code function: | 0_2_0000012A22308560 | |
| Source: | Code function: | 0_2_0000012A22308AE0 | |
| Source: | Code function: | 0_2_0000012A222FDB64 | |
| Source: | Code function: | 0_2_0000012A22308904 | |
| Source: | Code function: | 0_2_0000012A223089B4 | |
| Source: | Code function: | 0_2_00007FF7A450169C | |
| Source: | Code function: | 0_2_00007FF7A450176C | |
| Source: | Code function: | 0_2_00007FF7A4501804 | |
| Source: | Code function: | 0_2_00007FF7A4501350 | |
| Source: | Code function: | 0_2_00007FF7A44FC468 | |
| Source: | Code function: | 0_2_00007FF7A4501D84 | |
| Source: | Code function: | 0_2_00007FF7A44FC114 | |
| Source: | Code function: | 0_2_00007FF7A4501A50 | |
| Source: | Code function: | 0_2_00007FF7A4501BA8 | |
| Source: | Code function: | 0_2_00007FF7A4501C58 | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_0000012A222F83E0 | |
| Source: | Code function: | 0_2_0000012A222E1B60 | |
| Source: | Code function: | 0_2_0000012A223022FC | |
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Access Token Manipulation | 1 OS Credential Dumping | 12 System Time Discovery | Remote Services | 1 Screen Capture | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Access Token Manipulation | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 31 Security Software Discovery | Remote Desktop Protocol | 1 Email Collection | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Obfuscated Files or Information | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | 1 Archive Collected Data | 2 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 Account Discovery | Distributed Component Object Model | 2 Data from Local System | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 1 System Owner/User Discovery | SSH | Keylogging | 3 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 1 System Network Configuration Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 3 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 34 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 13% | ReversingLabs |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| api.ipify.org | 104.26.12.205 | true | false | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | unknown | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | unknown | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | unknown | |||
| false | unknown | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | unknown | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | unknown | |||
| false | unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 109.172.94.66 | unknown | Russian Federation | 41691 | SUMTEL-AS-RIPEMoscowRussiaRU | true | |
| 104.26.12.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1545970 |
| Start date and time: | 2024-10-31 11:08:37 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 5m 27s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 5 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | file.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.winEXE@1/0@1/2 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Report size exceeded maximum capacity and may have missing disassembly code.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: file.exe
⊘No simulations
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 104.26.12.205 | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Xmrig | Browse |
| ||
| Get hash | malicious | RDPWrap Tool | Browse |
| ||
| Get hash | malicious | RDPWrap Tool | Browse |
| ||
| Get hash | malicious | RDPWrap Tool | Browse |
| ||
| Get hash | malicious | RDPWrap Tool | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| api.ipify.org | Get hash | malicious | AgentTesla | Browse |
| |
| Get hash | malicious | AgentTesla, GuLoader | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | EvilProxy, HTMLPhisher | Browse |
| ||
| Get hash | malicious | Skuld Stealer | Browse |
| ||
| Get hash | malicious | AgentTesla, GuLoader | Browse |
| ||
| Get hash | malicious | AgentTesla, DBatLoader, PureLog Stealer | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| SUMTEL-AS-RIPEMoscowRussiaRU | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | GO Backdoor | Browse |
| ||
| Get hash | malicious | GO Backdoor | Browse |
| ||
| Get hash | malicious | Mirai, Moobot | Browse |
| ||
| Get hash | malicious | GO Backdoor | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | FormBook, PureLog Stealer | Browse |
| ||
| Get hash | malicious | LummaC, AsyncRAT, Go Injector, LummaC Stealer, SmokeLoader, VenomRAT | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 37f463bf4616ecd445d4a1937da06e19 | Get hash | malicious | AgentTesla, GuLoader | Browse |
| |
| Get hash | malicious | DarkCloud | Browse |
| ||
| Get hash | malicious | Remcos, GuLoader | Browse |
| ||
| Get hash | malicious | Stealc, Vidar, Xmrig | Browse |
| ||
| Get hash | malicious | Stealc, Vidar | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
| Get hash | malicious | FormBook, GuLoader | Browse |
| ||
| Get hash | malicious | FormBook, GuLoader | Browse |
| ||
| Get hash | malicious | FormBook, GuLoader | Browse |
| ||
| Get hash | malicious | FormBook, GuLoader | Browse |
|
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 6.9131202226603605 |
| TrID: |
|
| File name: | file.exe |
| File size: | 1'937'920 bytes |
| MD5: | fd89c359ab4ac38da6cf7fe6dabdb457 |
| SHA1: | 9c2a99beb692849ba3eb11d114334636df04f5ff |
| SHA256: | a19257d178d7f240c830b29e8bb55d9b6320dc1b56795e4fa90267419ed4070c |
| SHA512: | 27e63d09f31a33bbaeae48bb64c3802623a20352657e218b04c0378e88a1b090629c85a09cce6f56a417abb12c1dc6f5cc8b7456c9c58bf05ffd33a0e2eb5904 |
| SSDEEP: | 24576:mH7eZ9qb3yhIK20e6yaftS/h0lhSMXlEnuxl6XjxIp/jZKUSd5gnU+ZpdF:S7eZu3y+wsuxgXjCtj5Sd5Grn |
| TLSH: | AC95CF67F94434FAE83091348DA7076BA33BB441876187DB5698362A5E53BD02F3BF48 |
| File Content Preview: | MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......t...0...0...0...............<...x...........o....... .......8...............<.......'.......5...0.......$...$...$.`.1...$...1.. |
 | |
| Icon Hash: | 00928e8e8686b000 |
| Entrypoint: | 0x1400375d4 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x140000000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
| DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x671BD104 [Fri Oct 25 17:10:28 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | b747ef4e0e7f8f3178c8471e453f4b5f |
| Instruction |
|---|
| dec eax |
| sub esp, 28h |
| call 00007F0494D5AFD4h |
| dec eax |
| add esp, 28h |
| jmp 00007F0494D5A79Fh |
| int3 |
| int3 |
| inc eax |
| push ebx |
| dec eax |
| sub esp, 20h |
| dec eax |
| mov ebx, ecx |
| xor ecx, ecx |
| call dword ptr [00050AF7h] |
| dec eax |
| mov ecx, ebx |
| call dword ptr [00050AE6h] |
| call dword ptr [00050A58h] |
| dec eax |
| mov ecx, eax |
| mov edx, C0000409h |
| dec eax |
| add esp, 20h |
| pop ebx |
| dec eax |
| jmp dword ptr [00050ADCh] |
| dec eax |
| mov dword ptr [esp+08h], ecx |
| dec eax |
| sub esp, 38h |
| mov ecx, 00000017h |
| call dword ptr [00050AD0h] |
| test eax, eax |
| je 00007F0494D5A929h |
| mov ecx, 00000002h |
| int 29h |
| dec eax |
| lea ecx, dword ptr [0019C0CEh] |
| call 00007F0494D5AAEEh |
| dec eax |
| mov eax, dword ptr [esp+38h] |
| dec eax |
| mov dword ptr [0019C1B5h], eax |
| dec eax |
| lea eax, dword ptr [esp+38h] |
| dec eax |
| add eax, 08h |
| dec eax |
| mov dword ptr [0019C145h], eax |
| dec eax |
| mov eax, dword ptr [0019C19Eh] |
| dec eax |
| mov dword ptr [0019C00Fh], eax |
| dec eax |
| mov eax, dword ptr [esp+40h] |
| dec eax |
| mov dword ptr [0019C113h], eax |
| mov dword ptr [0019BFE9h], C0000409h |
| mov dword ptr [0019BFE3h], 00000001h |
| mov dword ptr [0019BFEDh], 00000001h |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1d0034 | 0x3c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1dc000 | 0x1e0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x1d5000 | 0x5964 | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1dd000 | 0x1eb4 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1c4c90 | 0x38 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x1c4d00 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1c4b50 | 0x140 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x88000 | 0x3b8 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x8629c | 0x86400 | 533170075dada125e4df006d984c4596 | False | 0.515928698207635 | data | 6.523847644421667 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x88000 | 0x148cde | 0x148e00 | 0beb3fa0e7ade7713727b8def3bb4f9e | False | 0.6084982836849107 | data | 6.832328378432915 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x1d1000 | 0x390c | 0x1e00 | 5f28058a9e2c02cd2ebfa105aba2e6b5 | False | 0.18138020833333332 | data | 3.709621146255121 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .pdata | 0x1d5000 | 0x5964 | 0x5a00 | 3597e95df5d4ec5a41fd8a11d049b4f6 | False | 0.49053819444444446 | data | 5.822333171427356 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| _RDATA | 0x1db000 | 0x15c | 0x200 | 36a456dd95baf0d7ac9f08a622399347 | False | 0.400390625 | data | 3.296204586134003 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0x1dc000 | 0x1e0 | 0x200 | 91f1bb59b414c9eaf8ca19c8e69d2965 | False | 0.533203125 | data | 4.7176788329467545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x1dd000 | 0x1eb4 | 0x2000 | 9d98248e7ab3e09e0dea40168f7cf982 | False | 0.6422119140625 | data | 6.409576570710691 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_MANIFEST | 0x1dc060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727 |
| DLL | Import |
|---|---|
| KERNEL32.dll | VirtualFree, VirtualAlloc, GetModuleHandleW, LoadLibraryA, ReadFile, WriteFile, CreateFileW, UnmapViewOfFile, CloseHandle, CreateFileMappingW, MapViewOfFile, GetProcAddress, GetCurrentProcess, VirtualQuery, RemoveVectoredExceptionHandler, MultiByteToWideChar, LoadLibraryW, AddVectoredExceptionHandler, WideCharToMultiByte, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetLastError, SetLastError, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, HeapAlloc, HeapFree, GetCurrentThreadId, GetStdHandle, GetFileType, GetStartupInfoW, RaiseException, GetFileSizeEx, SetFilePointerEx, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, InitializeCriticalSectionAndSpinCount, GetSystemTimeAsFileTime, FreeLibrary, LoadLibraryExW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, ReadConsoleW, HeapReAlloc, HeapSize, GetProcessHeap, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetStringTypeW, ExitProcess, GetModuleHandleExW, SetStdHandle, GetModuleFileNameW, WriteConsoleW, QueryPerformanceCounter, GetCurrentProcessId, InitializeSListHead, RtlUnwindEx, RtlUnwind, RtlPcToFileHeader, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, VirtualProtect, VirtualQueryEx, ReadProcessMemory, WriteProcessMemory, GetSystemInfo, InitializeCriticalSection, FindClose, FindFirstFileExW, FindNextFileW, InitializeSRWLock, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, InitializeCriticalSectionEx, DecodePointer, LCMapStringEx, CreateEventW |
| ntdll.dll | NtRaiseHardError, NtMapViewOfSection, RtlCreateUnicodeString, NtOpenSection, NtQueryObject, NtContinue, NtUnmapViewOfSection, RtlFreeHeap, NtClose, RtlAdjustPrivilege, RtlAllocateHeap, NtGetContextThread, RtlCompareUnicodeString, NtCreateSection |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-31T11:09:55.586930+0100 | 2049441 | ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt | 1 | 192.168.2.6 | 49717 | 109.172.94.66 | 15666 | TCP |
| 2024-10-31T11:09:55.586930+0100 | 2050806 | ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2 | 1 | 192.168.2.6 | 49717 | 109.172.94.66 | 15666 | TCP |
| 2024-10-31T11:09:55.586930+0100 | 2050807 | ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP) | 1 | 192.168.2.6 | 49717 | 109.172.94.66 | 15666 | TCP |
| 2024-10-31T11:09:55.592027+0100 | 2050806 | ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2 | 1 | 192.168.2.6 | 49717 | 109.172.94.66 | 15666 | TCP |
| 2024-10-31T11:09:55.592027+0100 | 2050807 | ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP) | 1 | 192.168.2.6 | 49717 | 109.172.94.66 | 15666 | TCP |
| 2024-10-31T11:10:07.468567+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.245.163.56 | 443 | 192.168.2.6 | 49719 | TCP |
| 2024-10-31T11:10:45.635342+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.245.163.56 | 443 | 192.168.2.6 | 49724 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 31, 2024 11:09:50.367592096 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:50.373773098 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:50.373888969 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:50.980947971 CET | 49718 | 443 | 192.168.2.6 | 104.26.12.205 |
| Oct 31, 2024 11:09:50.981056929 CET | 443 | 49718 | 104.26.12.205 | 192.168.2.6 |
| Oct 31, 2024 11:09:50.981221914 CET | 49718 | 443 | 192.168.2.6 | 104.26.12.205 |
| Oct 31, 2024 11:09:50.990537882 CET | 49718 | 443 | 192.168.2.6 | 104.26.12.205 |
| Oct 31, 2024 11:09:50.990566969 CET | 443 | 49718 | 104.26.12.205 | 192.168.2.6 |
| Oct 31, 2024 11:09:51.624218941 CET | 443 | 49718 | 104.26.12.205 | 192.168.2.6 |
| Oct 31, 2024 11:09:51.624298096 CET | 49718 | 443 | 192.168.2.6 | 104.26.12.205 |
| Oct 31, 2024 11:09:51.706485033 CET | 49718 | 443 | 192.168.2.6 | 104.26.12.205 |
| Oct 31, 2024 11:09:51.706509113 CET | 443 | 49718 | 104.26.12.205 | 192.168.2.6 |
| Oct 31, 2024 11:09:51.706916094 CET | 443 | 49718 | 104.26.12.205 | 192.168.2.6 |
| Oct 31, 2024 11:09:51.706965923 CET | 49718 | 443 | 192.168.2.6 | 104.26.12.205 |
| Oct 31, 2024 11:09:51.708926916 CET | 49718 | 443 | 192.168.2.6 | 104.26.12.205 |
| Oct 31, 2024 11:09:51.755321980 CET | 443 | 49718 | 104.26.12.205 | 192.168.2.6 |
| Oct 31, 2024 11:09:51.889919043 CET | 443 | 49718 | 104.26.12.205 | 192.168.2.6 |
| Oct 31, 2024 11:09:51.889978886 CET | 443 | 49718 | 104.26.12.205 | 192.168.2.6 |
| Oct 31, 2024 11:09:51.890008926 CET | 49718 | 443 | 192.168.2.6 | 104.26.12.205 |
| Oct 31, 2024 11:09:51.890055895 CET | 49718 | 443 | 192.168.2.6 | 104.26.12.205 |
| Oct 31, 2024 11:09:51.911125898 CET | 49718 | 443 | 192.168.2.6 | 104.26.12.205 |
| Oct 31, 2024 11:09:51.911145926 CET | 443 | 49718 | 104.26.12.205 | 192.168.2.6 |
| Oct 31, 2024 11:09:55.586930037 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:55.591922045 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:55.591943979 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:55.591965914 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:55.591979027 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:55.591990948 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:55.592026949 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:55.592041016 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:55.592071056 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:55.592082977 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:55.592089891 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:55.592097044 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:55.592111111 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:55.592123032 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:55.592158079 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:55.592166901 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:55.592197895 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:55.596910954 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:55.596971989 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:55.596980095 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:55.596986055 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:55.596997976 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:55.597013950 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:55.597013950 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:55.597027063 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:55.597032070 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:55.597057104 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:55.597074032 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:55.637362957 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:55.637581110 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:55.689229965 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:55.689354897 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:55.737231970 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:55.737349987 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:55.789151907 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:55.789339066 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:55.841262102 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:55.841438055 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:55.889173985 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:55.889339924 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:55.939790964 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:55.939951897 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:55.986650944 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:55.986804962 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:56.037189007 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:56.037264109 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:56.085182905 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:56.085251093 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:56.134612083 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:56.134788036 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:56.182636023 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:56.182787895 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:56.229147911 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:56.229398966 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:56.277483940 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:56.277751923 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:56.325288057 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:56.325366974 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:56.373330116 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:56.373460054 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:56.425209045 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:56.425333023 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:56.477134943 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:56.477202892 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:56.709542990 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:56.709635973 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:56.714526892 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:56.714602947 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:56.761104107 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:56.761209965 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:56.813162088 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:56.813288927 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:56.861154079 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:56.861267090 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:56.909171104 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:56.909274101 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:56.957227945 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:56.957427025 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:57.005597115 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:57.005665064 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:57.053107977 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:57.053206921 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:57.101352930 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:57.101488113 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:57.149168015 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:57.149245024 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:57.201143026 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:57.201216936 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:57.249150038 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:57.249207020 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:57.297209024 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:57.297291994 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:57.349123001 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:57.349237919 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:57.397177935 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:57.397289991 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:57.445178986 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:57.445281029 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:57.497133017 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:57.497231007 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:57.545165062 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:57.545324087 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:57.597203970 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:57.597268105 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:57.645184040 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:57.645271063 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:57.697123051 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:57.697194099 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:57.745156050 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:57.745260000 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:57.793230057 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:57.793298960 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:57.845124960 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:57.845315933 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:57.893167019 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:57.893285990 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:57.941190004 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:57.941416979 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:57.990497112 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:57.990581989 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:58.037149906 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:58.037246943 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:58.089195013 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:58.089366913 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:58.137173891 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:58.137259960 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:58.189166069 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:58.189364910 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:58.241101027 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:58.241168976 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:58.293140888 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:58.293210983 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:58.345088959 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:58.345153093 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:58.397156000 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:58.397232056 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:58.445139885 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:58.445321083 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:58.493129969 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:58.493395090 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:58.541125059 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:58.541218996 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:58.589072943 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:58.589268923 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:58.637166023 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:58.637279987 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:58.685162067 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:58.685257912 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:58.733144999 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:58.733303070 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:58.781207085 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:58.781383038 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:58.829283953 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Oct 31, 2024 11:09:58.829457045 CET | 49717 | 15666 | 192.168.2.6 | 109.172.94.66 |
| Oct 31, 2024 11:09:58.856662989 CET | 15666 | 49717 | 109.172.94.66 | 192.168.2.6 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 31, 2024 11:09:50.968107939 CET | 55004 | 53 | 192.168.2.6 | 1.1.1.1 |
| Oct 31, 2024 11:09:50.975121021 CET | 53 | 55004 | 1.1.1.1 | 192.168.2.6 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Oct 31, 2024 11:09:50.968107939 CET | 192.168.2.6 | 1.1.1.1 | 0xa346 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Oct 31, 2024 11:09:50.975121021 CET | 1.1.1.1 | 192.168.2.6 | 0xa346 | No error (0) | 104.26.12.205 | A (IP address) | IN (0x0001) | false | ||
| Oct 31, 2024 11:09:50.975121021 CET | 1.1.1.1 | 192.168.2.6 | 0xa346 | No error (0) | 104.26.13.205 | A (IP address) | IN (0x0001) | false | ||
| Oct 31, 2024 11:09:50.975121021 CET | 1.1.1.1 | 192.168.2.6 | 0xa346 | No error (0) | 172.67.74.152 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.6 | 49718 | 104.26.12.205 | 443 | 5592 | C:\Users\user\Desktop\file.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-10-31 10:09:51 UTC | 100 | OUT | |
| 2024-10-31 10:09:51 UTC | 211 | IN | |
| 2024-10-31 10:09:51 UTC | 14 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
| Target ID: | 0 |
| Start time: | 06:09:48 |
| Start date: | 31/10/2024 |
| Path: | C:\Users\user\Desktop\file.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7a44d0000 |
| File size: | 1'937'920 bytes |
| MD5 hash: | FD89C359AB4AC38DA6CF7FE6DABDB457 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 6% |
| Dynamic/Decrypted Code Coverage: | 0.1% |
| Signature Coverage: | 21.5% |
| Total number of Nodes: | 2000 |
| Total number of Limit Nodes: | 99 |
Graph
Function 0000012A222E1580 Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 225windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00007FF7A45216C0 Relevance: 43.1, APIs: 9, Strings: 15, Instructions: 1071COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7A4522A70 Relevance: 36.3, APIs: 12, Strings: 8, Instructions: 1303COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7A4522DD0 Relevance: 28.9, APIs: 9, Strings: 7, Instructions: 929COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00007FF7A44DD190 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 76memorynativelibraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000012A222E3A60 Relevance: 22.6, APIs: 3, Strings: 9, Instructions: 1618COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A2229D930 Relevance: 20.1, APIs: 8, Strings: 3, Instructions: 864libraryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00007FF7A44DD5E0 Relevance: 19.6, APIs: 7, Strings: 4, Instructions: 316COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000012A222D8020 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 256synchronizationCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A223022FC Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 335timeCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222E0CC0 Relevance: 13.9, APIs: 9, Instructions: 377networkfileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222DA8F0 Relevance: 12.7, APIs: 3, Strings: 4, Instructions: 452fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222FEFBC Relevance: 10.8, APIs: 7, Instructions: 286COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A22302578 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143timeCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A22297350 Relevance: 9.5, APIs: 2, Strings: 3, Instructions: 716fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222EAAE0 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 408COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A2229E9C0 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 324processCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00007FF7A44DCE20 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 140nativeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A2229CDE0 Relevance: 5.9, APIs: 2, Strings: 1, Instructions: 668COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00007FF7A44DD2E0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 208COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000012A222E3040 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 171timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000012A222D3B40 Relevance: 3.1, APIs: 2, Instructions: 86encryptionCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A2229F060 Relevance: .7, Instructions: 716COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A22291130 Relevance: .3, Instructions: 336COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A22291820 Relevance: .3, Instructions: 328COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222DA4D0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 192windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222DB650 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 286networkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00007FF7A45269E0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 53librarymemoryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7A44EA9A0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 87libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7A451F8C0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 59COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7A451ED00 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 199COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7A44DD070 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 78COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7A451F9F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7A4527DE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7A44FC6BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000012A222E1E80 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222E2AF1 Relevance: 4.7, APIs: 3, Instructions: 163registryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00007FF7A44FE6A8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 128COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000012A222A7940 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 111COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222E2610 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000012A222D8216 Relevance: 3.1, APIs: 2, Instructions: 132synchronizationCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222D824A Relevance: 3.1, APIs: 2, Instructions: 121synchronizationCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000012A222FF530 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00007FF7A4507184 Relevance: 3.0, APIs: 2, Instructions: 22COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000012A2230E200 Relevance: 3.0, APIs: 2, Instructions: 21COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00007FF7A44F5D5C Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000012A222FCF0C Relevance: 2.5, APIs: 2, Instructions: 18memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222FD408 Relevance: 1.6, APIs: 1, Instructions: 105COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222FEEA0 Relevance: 1.6, APIs: 1, Instructions: 74COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A2231CFA0 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00007FF7A4526FA0 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7A44F5CE4 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000012A222FF8AC Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00007FF7A44F86B4 Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000012A222E6060 Relevance: 37.8, APIs: 18, Strings: 3, Instructions: 1064stringmemorynativeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222B0189 Relevance: 33.0, APIs: 3, Strings: 15, Instructions: 1494COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222AE7A9 Relevance: 33.0, APIs: 3, Strings: 15, Instructions: 1482COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222D0D50 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 279COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A223097C4 Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1203COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222D6D60 Relevance: 18.0, APIs: 1, Strings: 9, Instructions: 472COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222922AE Relevance: 11.3, APIs: 1, Strings: 5, Instructions: 804COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A223080AC Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 222COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A22308AE0 Relevance: 10.7, APIs: 7, Instructions: 171COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222C65D0 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 408COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222F1688 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222F4A50 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 329COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A2231D6E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222CA660 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 366COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A22302B00 Relevance: 5.5, APIs: 3, Instructions: 1005COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A2231B330 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A223011E4 Relevance: 3.2, APIs: 2, Instructions: 232COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A22298060 Relevance: 3.1, APIs: 2, Instructions: 145encryptionCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222D3E40 Relevance: 3.1, APIs: 2, Instructions: 86encryptionCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A223083F8 Relevance: 1.6, APIs: 1, Instructions: 61COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A223084C8 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222FD620 Relevance: 1.5, APIs: 1, Instructions: 32COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222DE9F3 Relevance: .7, Instructions: 696COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222F75F4 Relevance: .3, Instructions: 317COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A22287A00 Relevance: .3, Instructions: 309COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222F263C Relevance: .3, Instructions: 283COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222F70EC Relevance: .2, Instructions: 244COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A22267010 Relevance: .2, Instructions: 198COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A22300764 Relevance: .2, Instructions: 198COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222ACF20 Relevance: .2, Instructions: 190COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222D1EB0 Relevance: .2, Instructions: 174COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A22337008 Relevance: .1, Instructions: 141COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222F6344 Relevance: .1, Instructions: 137COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222F6714 Relevance: .1, Instructions: 137COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222F652C Relevance: .1, Instructions: 137COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A2230AE2C Relevance: .1, Instructions: 126COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A22337090 Relevance: .1, Instructions: 80COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A22337098 Relevance: .1, Instructions: 77COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A223376D0 Relevance: .0, Instructions: 44COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A22337100 Relevance: .0, Instructions: 38COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A223376C0 Relevance: .0, Instructions: 9COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222D0A40 Relevance: 28.7, APIs: 19, Instructions: 177processCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222B00A0 Relevance: 17.7, APIs: 2, Strings: 8, Instructions: 213COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222D67D0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 173COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222F5014 Relevance: 12.7, APIs: 3, Strings: 4, Instructions: 489COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222FD69C Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222D6C10 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 81networkfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A2230BB28 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A2231D314 Relevance: 9.2, APIs: 6, Instructions: 240COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222D1290 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 471COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A2231CFB8 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222F9D0C Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A22304410 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A2230CED0 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222F9DD4 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A22321D64 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222A8470 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 172COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222BB690 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 140COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A2228EA30 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 127COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222FC220 Relevance: 6.3, APIs: 4, Instructions: 305fileCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222FCBFC Relevance: 6.2, APIs: 4, Instructions: 218COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222D6A40 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A222B6720 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A22302218 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A22301550 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000012A22311108 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|