Edit tour
Windows
Analysis Report
CCuITQzvd4.exe
Overview
General Information
| Sample name: | CCuITQzvd4.exerenamed because original name is a hash value |
| Original sample name: | 06833640b01d9b8dcbc8001f0ff1cbc3aaa4ba1d45e08238c076b0d0d477c966.exe |
| Analysis ID: | 1565143 |
| MD5: | 197de30a59fc9af28d140cc2c530c8b7 |
| SHA1: | bc3be4bcbf7066ef83fc1da055dbc14429fcdeff |
| SHA256: | 06833640b01d9b8dcbc8001f0ff1cbc3aaa4ba1d45e08238c076b0d0d477c966 |
| Tags: | exevirustotal-vm-blacklistuser-JAMESWT_MHT |
| Infos: | |
 | |
Detection
| Score: | 68 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Hides threads from debuggers
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (window names)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to create an SMB header
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
CCuITQzvd4.exe (PID: 1912 cmdline: "C:\Users\ user\Deskt op\CCuITQz vd4.exe" MD5: 197DE30A59FC9AF28D140CC2C530C8B7) 
conhost.exe (PID: 2672 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 3800 cmdline:
C:\Windows \system32\ cmd.exe /c color 4 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - cmd.exe (PID: 4896 cmdline:
C:\Windows \system32\ cmd.exe /c certutil -hashfile "C:\Users\ user\Deskt op\CCuITQz vd4.exe" M D5 | find /i /v "md5 " | find / i /v "cert util" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) 
certutil.exe (PID: 3856 cmdline: certutil - hashfile " C:\Users\u ser\Deskto p\CCuITQzv d4.exe" MD 5 MD5: F17616EC0522FC5633151F7CAA278CAA) - find.exe (PID: 5936 cmdline:
find /i /v "md5" MD5: 4BF76A28D31FC73AA9FC970B22D056AF) - find.exe (PID: 1112 cmdline:
find /i /v "certutil " MD5: 4BF76A28D31FC73AA9FC970B22D056AF) - cmd.exe (PID: 4904 cmdline:
C:\Windows \system32\ cmd.exe /c start cmd /C "color b && titl e Error && echo SSL connect er ror && tim eout /t 5" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - cmd.exe (PID: 6684 cmdline:
cmd /C "co lor b && t itle Error && echo S SL connect error && timeout /t 5" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 3940 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - timeout.exe (PID: 3532 cmdline:
timeout /t 5 MD5: 100065E21CFBBDE57CBA2838921F84D6) 
WerFault.exe (PID: 3536 cmdline: C:\Windows \system32\ WerFault.e xe -u -p 1 912 -s 214 8 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-29T10:57:10.751419+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49714 | 185.199.108.133 | 443 | TCP |
| 2024-11-29T10:57:12.475813+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49716 | 185.199.108.133 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Code function: | 0_2_00007FF7C419A13D | |
| Source: | Code function: | 0_2_00007FF7C419C1F0 | |
| Source: | Code function: | 0_2_00007FF7C419C240 | |
| Source: | Code function: | 0_2_00007FF7C419C250 | |
| Source: | Code function: | 0_2_00007FF7C41B62E0 | |
| Source: | Code function: | 0_2_00007FF7C4199430 | |
| Source: | Code function: | 0_2_00007FF7C4199500 | |
| Source: | Code function: | 0_2_00007FF7C41BCD30 | |
| Source: | Code function: | 0_2_00007FF7C41BEE20 | |
| Source: | Code function: | 0_2_00007FF7C41B59C0 | |
| Source: | Code function: | 0_2_00007FF7C4180100 | |
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_00007FF7C41A8B30 | |
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | JA3 fingerprint: | ||
| Source: | JA3 fingerprint: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 0_2_00007FF7C4176DF0 | |
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 0_2_00007FF7C41BCD30 | |
| Source: | Code function: | 0_2_00007FF7C4151550 | |
| Source: | Code function: | 0_2_00007FF7C4151230 | |
| Source: | Code function: | 0_2_00007FF7C414C440 | |
| Source: | Code function: | 0_2_00007FF7C4150E40 | |
| Source: | Code function: | 0_2_00007FF7C415B7F0 | |
| Source: | Code function: | 0_2_00007FF7C41603C0 | |
| Source: | Code function: | 0_2_00007FF7C415C670 | |
| Source: | Code function: | 0_2_00007FF7C4154680 | |
| Source: | Code function: | 0_2_00007FF7C414C660 | |
| Source: | Code function: | 0_2_00007FF7C41426B0 | |
| Source: | Code function: | 0_2_00007FF7C41536E0 | |
| Source: | Code function: | 0_2_00007FF7C416B7F9 | |
| Source: | Code function: | 0_2_00007FF7C41558F0 | |
| Source: | Code function: | 0_2_00007FF7C41878F0 | |
| Source: | Code function: | 0_2_00007FF7C4150320 | |
| Source: | Code function: | 0_2_00007FF7C4145330 | |
| Source: | Code function: | 0_2_00007FF7C4156D82 | |
| Source: | Code function: | 0_2_00007FF7C416CDC0 | |
| Source: | Code function: | 0_2_00007FF7C4151DA0 | |
| Source: | Code function: | 0_2_00007FF7C4153EC0 | |
| Source: | Code function: | 0_2_00007FF7C4168EF0 | |
| Source: | Code function: | 0_2_00007FF7C4150A00 | |
| Source: | Code function: | 0_2_00007FF7C4143C10 | |
| Source: | Code function: | 0_2_00007FF7C4168C40 | |
| Source: | Code function: | 0_2_00007FF7C4188C30 | |
| Source: | Code function: | 0_2_00007FF7C41A9550 | |
| Source: | Code function: | 0_2_00007FF7C415A520 | |
| Source: | Code function: | 0_2_00007FF7C4169580 | |
| Source: | Code function: | 0_2_00007FF7C419C600 | |
| Source: | Code function: | 0_2_00007FF7C4145600 | |
| Source: | Code function: | 0_2_00007FF7C41955E0 | |
| Source: | Code function: | 0_2_00007FF7C4152620 | |
| Source: | Code function: | 0_2_00007FF7C4181620 | |
| Source: | Code function: | 0_2_00007FF7C415C670 | |
| Source: | Code function: | 0_2_00007FF7C418A6B0 | |
| Source: | Code function: | 0_2_00007FF7C418F790 | |
| Source: | Code function: | 0_2_00007FF7C415B7F0 | |
| Source: | Code function: | 0_2_00007FF7C4189850 | |
| Source: | Code function: | 0_2_00007FF7C416A890 | |
| Source: | Code function: | 0_2_00007FF7C41478A0 | |
| Source: | Code function: | 0_2_00007FF7C419A13D | |
| Source: | Code function: | 0_2_00007FF7C416E120 | |
| Source: | Code function: | 0_2_00007FF7C4147190 | |
| Source: | Code function: | 0_2_00007FF7C41641F8 | |
| Source: | Code function: | 0_2_00007FF7C419A205 | |
| Source: | Code function: | 0_2_00007FF7C419A1FC | |
| Source: | Code function: | 0_2_00007FF7C41AD250 | |
| Source: | Code function: | 0_2_00007FF7C41552CA | |
| Source: | Code function: | 0_2_00007FF7C41642F8 | |
| Source: | Code function: | 0_2_00007FF7C4184350 | |
| Source: | Code function: | 0_2_00007FF7C41603C0 | |
| Source: | Code function: | 0_2_00007FF7C41B0470 | |
| Source: | Code function: | 0_2_00007FF7C41B14A0 | |
| Source: | Code function: | 0_2_00007FF7C415B4B0 | |
| Source: | Code function: | 0_2_00007FF7C41654DE | |
| Source: | Code function: | 0_2_00007FF7C41BCD30 | |
| Source: | Code function: | 0_2_00007FF7C41BEDB0 | |
| Source: | Code function: | 0_2_00007FF7C4152E80 | |
| Source: | Code function: | 0_2_00007FF7C4197EC0 | |
| Source: | Code function: | 0_2_00007FF7C414BEA0 | |
| Source: | Code function: | 0_2_00007FF7C4148FD0 | |
| Source: | Code function: | 0_2_00007FF7C41B59C0 | |
| Source: | Code function: | 0_2_00007FF7C41799B0 | |
| Source: | Code function: | 0_2_00007FF7C415A9E0 | |
| Source: | Code function: | 0_2_00007FF7C41A4A20 | |
| Source: | Code function: | 0_2_00007FF7C4192A90 | |
| Source: | Code function: | 0_2_00007FF7C4146A90 | |
| Source: | Code function: | 0_2_00007FF7C4169AE0 | |
| Source: | Code function: | 0_2_00007FF7C4145BD0 | |
| Source: | Code function: | 0_2_00007FF7C4141CD0 | |
| Source: | Process created: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary string: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_00007FF7C41710A0 | |
| Source: | Code function: | 0_2_00007FF7C414C660 | |
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | String found in binary or memory: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Window detected: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00007FF7C4189530 | |
| Source: | Code function: | 0_2_00007FF7C417652E | |
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Code function: | 0_2_00007FF7C4150A00 | |
| Source: | API coverage: | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
Anti Debugging | |
|---|
| Source: | Code function: | 0_2_00007FF7C4151B30 | |
| Source: | Thread information set: | Jump to behavior | ||
| Source: | Open window title or class name: | ||
| Source: | File opened: | ||
| Source: | File opened: | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_00007FF7C41C0228 | |
| Source: | Code function: | 0_2_00007FF7C41C0228 | |
| Source: | Code function: | 0_2_00007FF7C4150A00 | |
| Source: | Code function: | 0_2_00007FF7C4189530 | |
| Source: | Code function: | 0_2_00007FF7C41BF504 | |
| Source: | Code function: | 0_2_00007FF7C41BFE08 | |
| Source: | Code function: | 0_2_00007FF7C41BFFB0 | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_00007FF7C41C0020 | |
| Source: | Code function: | 0_2_00007FF7C41558F0 | |
| Source: | Code function: | 0_2_00007FF7C4194C60 | |
| Source: | Code function: | 0_2_00007FF7C41AB554 | |
| Source: | Code function: | 0_2_00007FF7C41885A0 | |
| Source: | Code function: | 0_2_00007FF7C41AB780 | |
| Source: | Code function: | 0_2_00007FF7C41A4A20 | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 12 Process Injection | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | 1 Exploitation of Remote Services | 12 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Other Network Medium | 1 Data Encrypted for Impact |
| Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 23 Virtualization/Sandbox Evasion | LSASS Memory | 1 Query Registry | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 12 Process Injection | Security Account Manager | 351 Security Software Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 23 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 3 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 Account Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 System Owner/User Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 2 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 55% | ReversingLabs | Win64.Trojan.Generic | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| keyauth.win | 104.26.1.5 | true | false | high | |
| raw.githubusercontent.com | 185.199.108.133 | true | false | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | high | ||
| false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 104.26.1.5 | keyauth.win | United States | 13335 | CLOUDFLARENETUS | false | |
| 185.199.108.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false |
| IP |
|---|
| 127.0.0.1 |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1565143 |
| Start date and time: | 2024-11-29 10:56:12 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 5m 10s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 27 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | CCuITQzvd4.exerenamed because original name is a hash value |
| Original Sample Name: | 06833640b01d9b8dcbc8001f0ff1cbc3aaa4ba1d45e08238c076b0d0d477c966.exe |
| Detection: | MAL |
| Classification: | mal68.evad.winEXE@20/2@2/3 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, tse1.mm.bing.net, g.bing.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing disassembly code.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: CCuITQzvd4.exe
⊘No simulations
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 104.26.1.5 | Get hash | malicious | Unknown | Browse | ||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| 185.199.108.133 | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | AsyncRAT, XWorm | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| keyauth.win | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | XWorm | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| raw.githubusercontent.com | Get hash | malicious | Stealerium | Browse |
| |
| Get hash | malicious | RDPWrap Tool, Ducktail | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | DCRat, PureLog Stealer, Xmrig, zgRAT | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | GiftCardfraud | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
| Get hash | malicious | Ducktail | Browse |
| ||
| Get hash | malicious | FormBook, PureLog Stealer | Browse |
| ||
| Get hash | malicious | Ducktail | Browse |
| ||
| Get hash | malicious | Ducktail | Browse |
| ||
| FASTLYUS | Get hash | malicious | Stealerium | Browse |
| |
| Get hash | malicious | Credential Flusher | Browse |
| ||
| Get hash | malicious | Credential Flusher | Browse |
| ||
| Get hash | malicious | GiftCardfraud | Browse |
| ||
| Get hash | malicious | Credential Flusher | Browse |
| ||
| Get hash | malicious | Credential Flusher | Browse |
| ||
| Get hash | malicious | Credential Flusher | Browse |
| ||
| Get hash | malicious | Credential Flusher | Browse |
| ||
| Get hash | malicious | Credential Flusher | Browse |
| ||
| Get hash | malicious | Credential Flusher | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| ce5f3254611a8c095a3d821d44539877 | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | XWorm | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| 37f463bf4616ecd445d4a1937da06e19 | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Remcos, GuLoader | Browse |
| ||
| Get hash | malicious | Remcos, GuLoader | Browse |
| ||
| Get hash | malicious | Remcos, GuLoader | Browse |
| ||
| Get hash | malicious | Remcos, GuLoader | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
| Get hash | malicious | FormBook, GuLoader | Browse |
| ||
| Get hash | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Nymaim, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | Vidar | Browse |
| ||
| Get hash | malicious | Amadey | Browse |
|
⊘No context
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\pc_name_list[1].txt
Download File
| Process: | C:\Users\user\Desktop\CCuITQzvd4.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 3145 |
| Entropy (8bit): | 4.991276116977138 |
| Encrypted: | false |
| SSDEEP: | 96:oiDjZkeTuUruqwyZdrRnSpG5lr8druckP:oiDjZkeT7qqwyZdrRn/5lKrkP |
| MD5: | DD8E526AEA8FD5CBE26E02ABFB61104C |
| SHA1: | B2EA96BB16DA297B34DF121A5A59FDB5D9905351 |
| SHA-256: | C4FACF7ECA009951F63280521105C4EFE7359CA7D8036B714B6A9597EDF7402D |
| SHA-512: | 5552BD4E05BE02E47A2B3FEFF6120BF57E598D11550FB674D4A2CBAFC7C97DB3B0D88AECA5C14FBA6889A5D5CBCB93511D86CB1592774AFAED11B01BF1E096EC |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\pc_username_list[1].txt
Download File
| Process: | C:\Users\user\Desktop\CCuITQzvd4.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1275 |
| Entropy (8bit): | 5.686349299485424 |
| Encrypted: | false |
| SSDEEP: | 24:8YGEgnRyOQWvFyIDrVgaQ9d0zdRExKU8lN9iyqrVvX9OADV10OKMIVBtK8g0n:rGEgnRyxqZG/9d0zSEJiyqrRLloztPg0 |
| MD5: | 1D67516CC29BB3DD51B882AD9E82CD2E |
| SHA1: | 267E80B9E0AA1982838238B67765BD840F7C788B |
| SHA-256: | F411221BF6E51E6DEB4E8D5CDC7E2E1BA4BBB3868DA5BB1BC0C29A3A3A02D0A7 |
| SHA-512: | 25D6D92314F59C3EDE98E7D485AEDAAC09D0B2781D6DBAEF3B9D003FAA838BE47249A14163652BD46A18DAB951DC22A1BDC463BB4973B8F66359AB4CDE4AEE35 |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.490907561003706 |
| TrID: |
|
| File name: | CCuITQzvd4.exe |
| File size: | 728'576 bytes |
| MD5: | 197de30a59fc9af28d140cc2c530c8b7 |
| SHA1: | bc3be4bcbf7066ef83fc1da055dbc14429fcdeff |
| SHA256: | 06833640b01d9b8dcbc8001f0ff1cbc3aaa4ba1d45e08238c076b0d0d477c966 |
| SHA512: | cfaec1fda5db873655edd080b03de83cfc5b03ccf53e1e7267ffc35f60fb7ce9d07559772f24bcaca593547e75ace2cdaead6e41d7d6d91e2ff409cc6ee75a08 |
| SSDEEP: | 12288:I+wgmeCSSJWIVrEvxMIgrbukxrTyMUteYksJZe9FXV:I+wrerSJXVgDgraYrThUssvuX |
| TLSH: | B9F49D5656B509E9D1ABD03DC1178603F7B2B05923209BEB13E486B92F23BE46F3E711 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........i<...o...o...o...o...o...n...o...o...o...n...o...n...o...n...oR..n...ok..n...ok..n...o...n...o...oz..o...n...o...o...o...n... |
 | |
| Icon Hash: | 00928e8e8686b000 |
| Entrypoint: | 0x14007fa00 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x140000000 |
| Subsystem: | windows cui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
| DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x663BF2AC [Wed May 8 21:46:20 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 6e395037e41e00776b67c2ad9c72c7e9 |
| Instruction |
|---|
| dec eax |
| sub esp, 28h |
| call 00007F9B80833EACh |
| dec eax |
| add esp, 28h |
| jmp 00007F9B80833707h |
| int3 |
| int3 |
| dec eax |
| sub esp, 28h |
| dec ebp |
| mov eax, dword ptr [ecx+38h] |
| dec eax |
| mov ecx, edx |
| dec ecx |
| mov edx, ecx |
| call 00007F9B808338A2h |
| mov eax, 00000001h |
| dec eax |
| add esp, 28h |
| ret |
| int3 |
| int3 |
| int3 |
| inc eax |
| push ebx |
| inc ebp |
| mov ebx, dword ptr [eax] |
| dec eax |
| mov ebx, edx |
| inc ecx |
| and ebx, FFFFFFF8h |
| dec esp |
| mov ecx, ecx |
| inc ecx |
| test byte ptr [eax], 00000004h |
| dec esp |
| mov edx, ecx |
| je 00007F9B808338A5h |
| inc ecx |
| mov eax, dword ptr [eax+08h] |
| dec ebp |
| arpl word ptr [eax+04h], dx |
| neg eax |
| dec esp |
| add edx, ecx |
| dec eax |
| arpl ax, cx |
| dec esp |
| and edx, ecx |
| dec ecx |
| arpl bx, ax |
| dec edx |
| mov edx, dword ptr [eax+edx] |
| dec eax |
| mov eax, dword ptr [ebx+10h] |
| mov ecx, dword ptr [eax+08h] |
| dec eax |
| mov eax, dword ptr [ebx+08h] |
| test byte ptr [ecx+eax+03h], 0000000Fh |
| je 00007F9B8083389Dh |
| movzx eax, byte ptr [ecx+eax+03h] |
| and eax, FFFFFFF0h |
| dec esp |
| add ecx, eax |
| dec esp |
| xor ecx, edx |
| dec ecx |
| mov ecx, ecx |
| pop ebx |
| jmp 00007F9B80832EF6h |
| int3 |
| dec eax |
| mov eax, esp |
| dec eax |
| mov dword ptr [eax+08h], ebx |
| dec eax |
| mov dword ptr [eax+10h], ebp |
| dec eax |
| mov dword ptr [eax+18h], esi |
| dec eax |
| mov dword ptr [eax+20h], edi |
| inc ecx |
| push esi |
| dec eax |
| sub esp, 20h |
| dec ecx |
| mov ebx, dword ptr [ecx+38h] |
| dec eax |
| mov esi, edx |
| dec ebp |
| mov esi, eax |
| dec eax |
| mov ebp, ecx |
| dec ecx |
| mov edx, ecx |
| dec eax |
| mov ecx, esi |
| dec ecx |
| mov edi, ecx |
| dec esp |
| lea eax, dword ptr [ebx+04h] |
| call 00007F9B80833801h |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa4760 | 0x208 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xea000 | 0x1e8 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xe5000 | 0x4fb0 | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xeb000 | 0x57c | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x9bfa0 | 0x70 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x9c080 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x9be60 | 0x140 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x82000 | 0xc18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x8093c | 0x80a00 | 866f65bbe02578c94f101d8a9227b4db | False | 0.4993261813654033 | data | 6.441053204093362 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x82000 | 0x25770 | 0x25800 | f102cf3c1dea4af9c6e6f87553bba060 | False | 0.42796875 | data | 6.003501322593407 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xa8000 | 0x3c5c0 | 0x6000 | 3a8dd05ccdb8e48c1a3f7590b06acb5c | False | 0.3218994140625 | data | 5.0332079448205285 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .pdata | 0xe5000 | 0x4fb0 | 0x5000 | 0716f0fcab7da248b0ecd502129c2101 | False | 0.487451171875 | data | 5.963051317619714 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0xea000 | 0x1e8 | 0x200 | e9f115b7a129575544ad9e589233eba2 | False | 0.54296875 | data | 4.772037401703051 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xeb000 | 0x57c | 0x600 | c304b933a197955c131827a83c81c161 | False | 0.5520833333333334 | data | 5.091835132103112 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_MANIFEST | 0xea060 | 0x188 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5892857142857143 |
| DLL | Import |
|---|---|
| KERNEL32.dll | OpenProcess, CreateToolhelp32Snapshot, Process32NextW, MapViewOfFile, UnmapViewOfFile, GetModuleFileNameA, GetModuleHandleW, QueryFullProcessImageNameW, SetLastError, CreateFileA, LoadLibraryA, LeaveCriticalSection, SleepEx, QueryPerformanceFrequency, GetSystemDirectoryA, FreeLibrary, VerifyVersionInfoA, QueryPerformanceCounter, GetTickCount, MoveFileExA, WaitForSingleObjectEx, GetEnvironmentVariableA, GetFileType, WaitForMultipleObjects, GetFileSizeEx, WideCharToMultiByte, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, UnhandledExceptionFilter, Process32FirstW, EnterCriticalSection, CreateFileMappingW, CreateThread, GetTempPathW, VirtualAlloc, DeviceIoControl, VirtualFree, OpenThread, ReadProcessMemory, DeleteCriticalSection, GetProcAddress, GetModuleHandleA, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetSystemTimeAsFileTime, InitializeSListHead, OutputDebugStringW, OpenFileMappingW, GetCurrentThreadId, InitializeCriticalSectionEx, GetStdHandle, GetCurrentProcess, VirtualProtect, MultiByteToWideChar, GetModuleFileNameW, lstrlenW, WaitNamedPipeW, GetCurrentProcessId, CloseHandle, GetLastError, CreateFileW, PeekNamedPipe, WriteFile, FormatMessageA, ReadFile, Sleep |
| USER32.dll | FindWindowW, MessageBoxA, FindWindowA |
| ADVAPI32.dll | CryptEncrypt, CryptDestroyKey, CryptDestroyHash, CryptHashData, CryptCreateHash, CryptGenRandom, CryptGetHashParam, CryptReleaseContext, CryptAcquireContextA, SetSecurityInfo, IsValidSid, InitializeAcl, GetTokenInformation, GetLengthSid, AddAccessAllowedAce, OpenProcessToken, CryptImportKey, RegSetKeyValueW, RegDeleteKeyW, RegCreateKeyW, RegOpenKeyW, GetUserNameA, RegCloseKey, RegCreateKeyExW, RegSetValueExW |
| MSVCP140.dll | ?good@ios_base@std@@QEBA_NXZ, ?always_noconv@codecvt_base@std@@QEBA_NXZ, ??Bid@locale@std@@QEAA_KXZ, ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z, ??7ios_base@std@@QEBA_NXZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z, ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z, ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?_Xbad_function_call@std@@YAXXZ, ?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z, ?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z, ?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z, ?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, _Mtx_current_owns, ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z, ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ, _Cnd_init_in_situ, ?_Throw_Cpp_error@std@@YAXH@Z, ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ, _Cnd_timedwait, ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ, ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, _Thrd_detach, ?_Xlength_error@std@@YAXPEBD@Z, ?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z, ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A, ?_Xout_of_range@std@@YAXPEBD@Z, ?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A, ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?uncaught_exceptions@std@@YAHXZ, ??0_Lockit@std@@QEAA@H@Z, ??1_Lockit@std@@QEAA@XZ, _Mtx_destroy_in_situ, _Cnd_broadcast, _Mtx_unlock, _Xtime_get_ticks, _Cnd_do_broadcast_at_thread_exit, _Mtx_init_in_situ, _Mtx_lock |
| ntdll.dll | RtlLookupFunctionEntry, RtlCaptureContext, VerSetConditionMask, RtlInitUnicodeString, NtQuerySystemInformation, RtlVirtualUnwind |
| WININET.dll | InternetOpenA, InternetOpenUrlA, InternetReadFile, InternetCloseHandle |
| Normaliz.dll | IdnToAscii |
| WLDAP32.dll | |
| CRYPT32.dll | CertEnumCertificatesInStore, CertFindCertificateInStore, CertFreeCertificateContext, CryptStringToBinaryA, PFXImportCertStore, CryptDecodeObjectEx, CertAddCertificateContextToStore, CertFindExtension, CertGetNameStringA, CryptQueryObject, CertCreateCertificateChainEngine, CertFreeCertificateChainEngine, CertGetCertificateChain, CertFreeCertificateChain, CertCloseStore, CertOpenStore |
| WS2_32.dll | select, getaddrinfo, ioctlsocket, freeaddrinfo, listen, htonl, accept, WSAStartup, WSAIoctl, WSASetLastError, socket, recvfrom, sendto, gethostname, ntohl, setsockopt, ntohs, htons, getsockopt, __WSAFDIsSet, getsockname, getpeername, connect, bind, WSAGetLastError, closesocket, recv, send, WSACleanup |
| RPCRT4.dll | UuidCreate, RpcStringFreeA, UuidToStringA |
| PSAPI.DLL | GetModuleInformation |
| VCRUNTIME140_1.dll | __CxxFrameHandler4 |
| VCRUNTIME140.dll | __C_specific_handler, __std_exception_destroy, __std_exception_copy, _CxxThrowException, memchr, memcmp, __std_terminate, memmove, memset, strchr, strrchr, strstr, __current_exception, __current_exception_context, memcpy, _local_unwind |
| api-ms-win-crt-stdio-l1-1-0.dll | __stdio_common_vswprintf, __stdio_common_vfprintf, __stdio_common_vsprintf, fputc, _open, _close, _write, _read, fflush, __p__commode, _set_fmode, fclose, fgetc, fwrite, _lseeki64, fgetpos, setvbuf, ungetc, fsetpos, ftell, fseek, feof, fread, __stdio_common_vsscanf, fputs, fopen, _fseeki64, _get_stream_buffer_pointers, fgets, __acrt_iob_func, _popen, _pclose |
| api-ms-win-crt-heap-l1-1-0.dll | _callnewh, realloc, free, malloc, _set_new_mode, calloc |
| api-ms-win-crt-runtime-l1-1-0.dll | _initterm, _initterm_e, _exit, exit, __p___argc, __p___argv, _c_exit, _register_thread_local_exe_atexit_callback, _register_onexit_function, _set_app_type, _initialize_onexit_table, _invalid_parameter_noinfo_noreturn, _initialize_narrow_environment, _configure_narrow_argv, _getpid, system, abort, _seh_filter_exe, _cexit, terminate, strerror, __sys_nerr, _errno, _crt_atexit, _beginthreadex, _get_initial_narrow_environment |
| api-ms-win-crt-time-l1-1-0.dll | _time64, _gmtime64 |
| api-ms-win-crt-string-l1-1-0.dll | _stricmp, strncpy, _wcsicmp, strncmp, _strdup, tolower, strpbrk, isupper, strcmp, strcspn, strspn |
| api-ms-win-crt-filesystem-l1-1-0.dll | _unlink, _stat64, _lock_file, _fstat64, _unlock_file, _access, _wremove |
| api-ms-win-crt-utility-l1-1-0.dll | srand, qsort, rand |
| api-ms-win-crt-convert-l1-1-0.dll | strtod, strtol, strtoull, atoi, strtoul, strtoll |
| api-ms-win-crt-locale-l1-1-0.dll | localeconv, _configthreadlocale |
| api-ms-win-crt-math-l1-1-0.dll | __setusermatherr, _dclass |
| SHELL32.dll | ShellExecuteA |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-29T10:57:10.751419+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49714 | 185.199.108.133 | 443 | TCP |
| 2024-11-29T10:57:12.475813+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49716 | 185.199.108.133 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Nov 29, 2024 10:57:08.837232113 CET | 49714 | 443 | 192.168.2.6 | 185.199.108.133 |
| Nov 29, 2024 10:57:08.837281942 CET | 443 | 49714 | 185.199.108.133 | 192.168.2.6 |
| Nov 29, 2024 10:57:08.837471962 CET | 49714 | 443 | 192.168.2.6 | 185.199.108.133 |
| Nov 29, 2024 10:57:08.848164082 CET | 49714 | 443 | 192.168.2.6 | 185.199.108.133 |
| Nov 29, 2024 10:57:08.848181009 CET | 443 | 49714 | 185.199.108.133 | 192.168.2.6 |
| Nov 29, 2024 10:57:10.069813013 CET | 443 | 49714 | 185.199.108.133 | 192.168.2.6 |
| Nov 29, 2024 10:57:10.069896936 CET | 49714 | 443 | 192.168.2.6 | 185.199.108.133 |
| Nov 29, 2024 10:57:10.418203115 CET | 49714 | 443 | 192.168.2.6 | 185.199.108.133 |
| Nov 29, 2024 10:57:10.418231964 CET | 443 | 49714 | 185.199.108.133 | 192.168.2.6 |
| Nov 29, 2024 10:57:10.418597937 CET | 443 | 49714 | 185.199.108.133 | 192.168.2.6 |
| Nov 29, 2024 10:57:10.418709993 CET | 49714 | 443 | 192.168.2.6 | 185.199.108.133 |
| Nov 29, 2024 10:57:10.421008110 CET | 49714 | 443 | 192.168.2.6 | 185.199.108.133 |
| Nov 29, 2024 10:57:10.463334084 CET | 443 | 49714 | 185.199.108.133 | 192.168.2.6 |
| Nov 29, 2024 10:57:10.751436949 CET | 443 | 49714 | 185.199.108.133 | 192.168.2.6 |
| Nov 29, 2024 10:57:10.751626968 CET | 49714 | 443 | 192.168.2.6 | 185.199.108.133 |
| Nov 29, 2024 10:57:10.752474070 CET | 443 | 49714 | 185.199.108.133 | 192.168.2.6 |
| Nov 29, 2024 10:57:10.752532005 CET | 49714 | 443 | 192.168.2.6 | 185.199.108.133 |
| Nov 29, 2024 10:57:10.757165909 CET | 443 | 49714 | 185.199.108.133 | 192.168.2.6 |
| Nov 29, 2024 10:57:10.757240057 CET | 443 | 49714 | 185.199.108.133 | 192.168.2.6 |
| Nov 29, 2024 10:57:10.757241011 CET | 49714 | 443 | 192.168.2.6 | 185.199.108.133 |
| Nov 29, 2024 10:57:10.757281065 CET | 49714 | 443 | 192.168.2.6 | 185.199.108.133 |
| Nov 29, 2024 10:57:10.757560968 CET | 49714 | 443 | 192.168.2.6 | 185.199.108.133 |
| Nov 29, 2024 10:57:10.757576942 CET | 443 | 49714 | 185.199.108.133 | 192.168.2.6 |
| Nov 29, 2024 10:57:10.782363892 CET | 49716 | 443 | 192.168.2.6 | 185.199.108.133 |
| Nov 29, 2024 10:57:10.782393932 CET | 443 | 49716 | 185.199.108.133 | 192.168.2.6 |
| Nov 29, 2024 10:57:10.782562017 CET | 49716 | 443 | 192.168.2.6 | 185.199.108.133 |
| Nov 29, 2024 10:57:10.782761097 CET | 49716 | 443 | 192.168.2.6 | 185.199.108.133 |
| Nov 29, 2024 10:57:10.782776117 CET | 443 | 49716 | 185.199.108.133 | 192.168.2.6 |
| Nov 29, 2024 10:57:11.993194103 CET | 443 | 49716 | 185.199.108.133 | 192.168.2.6 |
| Nov 29, 2024 10:57:11.993362904 CET | 49716 | 443 | 192.168.2.6 | 185.199.108.133 |
| Nov 29, 2024 10:57:11.994026899 CET | 49716 | 443 | 192.168.2.6 | 185.199.108.133 |
| Nov 29, 2024 10:57:11.994033098 CET | 443 | 49716 | 185.199.108.133 | 192.168.2.6 |
| Nov 29, 2024 10:57:11.994235992 CET | 49716 | 443 | 192.168.2.6 | 185.199.108.133 |
| Nov 29, 2024 10:57:11.994240046 CET | 443 | 49716 | 185.199.108.133 | 192.168.2.6 |
| Nov 29, 2024 10:57:12.475860119 CET | 443 | 49716 | 185.199.108.133 | 192.168.2.6 |
| Nov 29, 2024 10:57:12.475938082 CET | 49716 | 443 | 192.168.2.6 | 185.199.108.133 |
| Nov 29, 2024 10:57:12.476982117 CET | 443 | 49716 | 185.199.108.133 | 192.168.2.6 |
| Nov 29, 2024 10:57:12.477041960 CET | 443 | 49716 | 185.199.108.133 | 192.168.2.6 |
| Nov 29, 2024 10:57:12.477055073 CET | 49716 | 443 | 192.168.2.6 | 185.199.108.133 |
| Nov 29, 2024 10:57:12.477080107 CET | 49716 | 443 | 192.168.2.6 | 185.199.108.133 |
| Nov 29, 2024 10:57:12.479682922 CET | 49716 | 443 | 192.168.2.6 | 185.199.108.133 |
| Nov 29, 2024 10:57:12.479701996 CET | 443 | 49716 | 185.199.108.133 | 192.168.2.6 |
| Nov 29, 2024 10:57:13.631671906 CET | 49722 | 443 | 192.168.2.6 | 104.26.1.5 |
| Nov 29, 2024 10:57:13.631690979 CET | 443 | 49722 | 104.26.1.5 | 192.168.2.6 |
| Nov 29, 2024 10:57:13.631767988 CET | 49722 | 443 | 192.168.2.6 | 104.26.1.5 |
| Nov 29, 2024 10:57:13.632236958 CET | 49722 | 443 | 192.168.2.6 | 104.26.1.5 |
| Nov 29, 2024 10:57:13.632250071 CET | 443 | 49722 | 104.26.1.5 | 192.168.2.6 |
| Nov 29, 2024 10:57:14.896155119 CET | 443 | 49722 | 104.26.1.5 | 192.168.2.6 |
| Nov 29, 2024 10:57:14.896267891 CET | 49722 | 443 | 192.168.2.6 | 104.26.1.5 |
| Nov 29, 2024 10:57:14.906691074 CET | 49722 | 443 | 192.168.2.6 | 104.26.1.5 |
| Nov 29, 2024 10:57:14.906712055 CET | 443 | 49722 | 104.26.1.5 | 192.168.2.6 |
| Nov 29, 2024 10:57:14.906862020 CET | 443 | 49722 | 104.26.1.5 | 192.168.2.6 |
| Nov 29, 2024 10:57:14.906991005 CET | 49722 | 443 | 192.168.2.6 | 104.26.1.5 |
| Nov 29, 2024 10:57:14.907103062 CET | 49722 | 443 | 192.168.2.6 | 104.26.1.5 |
| Nov 29, 2024 10:57:14.907115936 CET | 443 | 49722 | 104.26.1.5 | 192.168.2.6 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Nov 29, 2024 10:57:08.690001965 CET | 51062 | 53 | 192.168.2.6 | 1.1.1.1 |
| Nov 29, 2024 10:57:08.829447031 CET | 53 | 51062 | 1.1.1.1 | 192.168.2.6 |
| Nov 29, 2024 10:57:13.486445904 CET | 59206 | 53 | 192.168.2.6 | 1.1.1.1 |
| Nov 29, 2024 10:57:13.629631996 CET | 53 | 59206 | 1.1.1.1 | 192.168.2.6 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Nov 29, 2024 10:57:08.690001965 CET | 192.168.2.6 | 1.1.1.1 | 0x318e | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Nov 29, 2024 10:57:13.486445904 CET | 192.168.2.6 | 1.1.1.1 | 0x958c | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Nov 29, 2024 10:57:08.829447031 CET | 1.1.1.1 | 192.168.2.6 | 0x318e | No error (0) | 185.199.108.133 | A (IP address) | IN (0x0001) | false | ||
| Nov 29, 2024 10:57:08.829447031 CET | 1.1.1.1 | 192.168.2.6 | 0x318e | No error (0) | 185.199.111.133 | A (IP address) | IN (0x0001) | false | ||
| Nov 29, 2024 10:57:08.829447031 CET | 1.1.1.1 | 192.168.2.6 | 0x318e | No error (0) | 185.199.110.133 | A (IP address) | IN (0x0001) | false | ||
| Nov 29, 2024 10:57:08.829447031 CET | 1.1.1.1 | 192.168.2.6 | 0x318e | No error (0) | 185.199.109.133 | A (IP address) | IN (0x0001) | false | ||
| Nov 29, 2024 10:57:13.629631996 CET | 1.1.1.1 | 192.168.2.6 | 0x958c | No error (0) | 104.26.1.5 | A (IP address) | IN (0x0001) | false | ||
| Nov 29, 2024 10:57:13.629631996 CET | 1.1.1.1 | 192.168.2.6 | 0x958c | No error (0) | 104.26.0.5 | A (IP address) | IN (0x0001) | false | ||
| Nov 29, 2024 10:57:13.629631996 CET | 1.1.1.1 | 192.168.2.6 | 0x958c | No error (0) | 172.67.72.57 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.6 | 49714 | 185.199.108.133 | 443 | 1912 | C:\Users\user\Desktop\CCuITQzvd4.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-29 09:57:10 UTC | 125 | OUT | |
| 2024-11-29 09:57:10 UTC | 898 | IN | |
| 2024-11-29 09:57:10 UTC | 1378 | IN | |
| 2024-11-29 09:57:10 UTC | 1378 | IN | |
| 2024-11-29 09:57:10 UTC | 389 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.6 | 49716 | 185.199.108.133 | 443 | 1912 | C:\Users\user\Desktop\CCuITQzvd4.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-29 09:57:11 UTC | 129 | OUT | |
| 2024-11-29 09:57:12 UTC | 897 | IN | |
| 2024-11-29 09:57:12 UTC | 1275 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 04:57:07 |
| Start date: | 29/11/2024 |
| Path: | C:\Users\user\Desktop\CCuITQzvd4.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7c4140000 |
| File size: | 728'576 bytes |
| MD5 hash: | 197DE30A59FC9AF28D140CC2C530C8B7 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 04:57:07 |
| Start date: | 29/11/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff66e660000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 04:57:11 |
| Start date: | 29/11/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7c4cf0000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 04:57:12 |
| Start date: | 29/11/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7c4cf0000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 5 |
| Start time: | 04:57:12 |
| Start date: | 29/11/2024 |
| Path: | C:\Windows\System32\certutil.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff65a7f0000 |
| File size: | 1'651'712 bytes |
| MD5 hash: | F17616EC0522FC5633151F7CAA278CAA |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 6 |
| Start time: | 04:57:12 |
| Start date: | 29/11/2024 |
| Path: | C:\Windows\System32\find.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff67f0d0000 |
| File size: | 17'920 bytes |
| MD5 hash: | 4BF76A28D31FC73AA9FC970B22D056AF |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 7 |
| Start time: | 04:57:12 |
| Start date: | 29/11/2024 |
| Path: | C:\Windows\System32\find.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff67f0d0000 |
| File size: | 17'920 bytes |
| MD5 hash: | 4BF76A28D31FC73AA9FC970B22D056AF |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 8 |
| Start time: | 04:57:13 |
| Start date: | 29/11/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7c4cf0000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 9 |
| Start time: | 04:57:13 |
| Start date: | 29/11/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7c4cf0000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 10 |
| Start time: | 04:57:13 |
| Start date: | 29/11/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff66e660000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 13 |
| Start time: | 04:57:14 |
| Start date: | 29/11/2024 |
| Path: | C:\Windows\System32\timeout.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7e1670000 |
| File size: | 32'768 bytes |
| MD5 hash: | 100065E21CFBBDE57CBA2838921F84D6 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 14 |
| Start time: | 04:57:14 |
| Start date: | 29/11/2024 |
| Path: | C:\Windows\System32\WerFault.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7e3a50000 |
| File size: | 570'736 bytes |
| MD5 hash: | FD27D9F6D02763BDE32511B5DF7FF7A0 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 6.5% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 23.3% |
| Total number of Nodes: | 1847 |
| Total number of Limit Nodes: | 98 |
Graph
Function 00007FF7C4143C10 Relevance: 137.8, APIs: 15, Strings: 63, Instructions: 1331COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C416B7F9 Relevance: 90.2, APIs: 22, Strings: 29, Instructions: 981windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41426B0 Relevance: 67.6, APIs: 24, Strings: 14, Instructions: 1077registrystringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C416CDC0 Relevance: 42.2, APIs: 19, Strings: 5, Instructions: 217COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41558F0 Relevance: 41.5, APIs: 18, Strings: 5, Instructions: 1256COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4188C30 Relevance: 38.9, APIs: 15, Strings: 7, Instructions: 357networkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4168EF0 Relevance: 30.0, APIs: 12, Strings: 5, Instructions: 280COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41710A0 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 134COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C414C660 Relevance: 26.0, APIs: 7, Strings: 6, Instructions: 3293processCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4150A00 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 237processlibraryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4189530 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 128librarystringloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4194C60 Relevance: 24.1, APIs: 16, Instructions: 127networkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4168C40 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 172filememoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4145330 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 156COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4156D82 Relevance: 22.0, APIs: 5, Strings: 7, Instructions: 1037COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41552CA Relevance: 21.7, APIs: 9, Strings: 3, Instructions: 714COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41878F0 Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 337COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41536E0 Relevance: 16.3, APIs: 7, Strings: 2, Instructions: 506COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4151550 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 183librarynativeloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C414C440 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 123threadlibrarynativeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4154680 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 414COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4151230 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 181librarynativeloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4150E40 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 179librarynativeloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4153EC0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 159COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4150320 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 408fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C419AC50 Relevance: 31.9, APIs: 9, Strings: 9, Instructions: 415encryptionCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4199E70 Relevance: 30.1, APIs: 4, Strings: 13, Instructions: 348libraryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4183940 Relevance: 28.6, APIs: 6, Strings: 10, Instructions: 557COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4146C60 Relevance: 23.0, APIs: 9, Strings: 4, Instructions: 252filestringpipeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C416E7FE Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 177COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4188270 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 161networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41988D0 Relevance: 19.6, APIs: 13, Instructions: 128networkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41961E0 Relevance: 16.7, APIs: 11, Instructions: 241sleepnetworkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41711D2 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4171202 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C417120E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41711DE Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41711EA Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41711F6 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C417121A Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C417111E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 69stringwindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4185F10 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 153COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C416A680 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 135processCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4195E40 Relevance: 10.7, APIs: 7, Instructions: 242sleepnetworkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41990B0 Relevance: 10.7, APIs: 4, Strings: 3, Instructions: 184COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4177D30 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 193COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41821B0 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 147COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4151870 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4186E40 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 113networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C414C240 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109librarymemoryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4176BF0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 95COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41B2370 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41914D0 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 97COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4199C80 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 129COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4150150 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4182EB0 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 106COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4141100 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 7COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C418F790 Relevance: 178.5, APIs: 31, Strings: 70, Instructions: 1702stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C419A13D Relevance: 116.1, APIs: 43, Strings: 23, Instructions: 552stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41AD250 Relevance: 102.1, APIs: 45, Strings: 13, Instructions: 581COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41A9550 Relevance: 77.4, APIs: 26, Strings: 18, Instructions: 435networkfilepipeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41641F8 Relevance: 62.1, APIs: 30, Strings: 5, Instructions: 823COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41B62E0 Relevance: 52.8, APIs: 17, Strings: 13, Instructions: 253fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4189850 Relevance: 43.9, APIs: 20, Strings: 5, Instructions: 191libraryloadernetworkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41885A0 Relevance: 38.8, APIs: 14, Strings: 8, Instructions: 317stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4145600 Relevance: 38.8, APIs: 1, Strings: 21, Instructions: 303COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C419A1FC Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 203stringfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C419A205 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202stringfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C416A890 Relevance: 30.2, APIs: 12, Strings: 5, Instructions: 486COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C415A520 Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 362COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41642F8 Relevance: 24.8, APIs: 12, Strings: 2, Instructions: 347COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4147190 Relevance: 24.8, APIs: 9, Strings: 5, Instructions: 316filepipeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C416E120 Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 309COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C415C670 Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 410COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4169580 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 288COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C415B7F0 Relevance: 13.7, APIs: 9, Instructions: 191nativememoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C419C600 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 223COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41AB780 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 127networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41AB554 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 110networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41C0228 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C419C250 Relevance: 6.0, APIs: 4, Instructions: 33encryptionCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C419C1F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20encryptionCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C418A6B0 Relevance: .5, Instructions: 460COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C419C240 Relevance: .0, Instructions: 3COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4199630 Relevance: 145.9, APIs: 50, Strings: 47, Instructions: 399stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C419B7C0 Relevance: 38.9, APIs: 6, Strings: 16, Instructions: 385COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C415F6B0 Relevance: 38.7, APIs: 13, Strings: 9, Instructions: 230registrylibraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4194680 Relevance: 33.2, APIs: 6, Strings: 16, Instructions: 206COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41AE270 Relevance: 31.7, APIs: 13, Strings: 5, Instructions: 214stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41A9170 Relevance: 31.7, APIs: 9, Strings: 12, Instructions: 208stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C418E7D0 Relevance: 30.1, APIs: 7, Strings: 10, Instructions: 312stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4185260 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 219COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4196640 Relevance: 27.3, APIs: 1, Strings: 17, Instructions: 341COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41B88B0 Relevance: 24.2, APIs: 1, Strings: 15, Instructions: 179COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C416628D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 217COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4171890 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 88stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41B4820 Relevance: 19.8, APIs: 8, Strings: 5, Instructions: 266COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41B6700 Relevance: 19.7, APIs: 5, Strings: 8, Instructions: 165COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41AC5D3 Relevance: 19.5, APIs: 4, Strings: 7, Instructions: 292COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41AA880 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 180networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41AC230 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 179COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41855B0 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 280stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41BB570 Relevance: 16.8, APIs: 2, Strings: 9, Instructions: 279COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C419D6E0 Relevance: 16.7, APIs: 5, Strings: 6, Instructions: 223COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41AF221 Relevance: 16.6, APIs: 9, Strings: 2, Instructions: 140COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41C1630 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 177COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41A45C0 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 117COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41A77E0 Relevance: 15.2, APIs: 7, Strings: 3, Instructions: 168COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41BE130 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 230COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C417A1D5 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 206COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41926B0 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 181COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C417A2E3 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 169COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41A06D0 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 135stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4173637 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 109COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41AE910 Relevance: 13.7, APIs: 3, Strings: 6, Instructions: 223COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41B783C Relevance: 13.7, APIs: 5, Strings: 4, Instructions: 174COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C416D130 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 268COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41A65BF Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 258COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C418D570 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 227networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4164170 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 156COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41B96A5 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 155COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41AA6D0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 113networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41B75AE Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41B76AD Relevance: 12.2, APIs: 2, Strings: 6, Instructions: 173COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41B75E4 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 130COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41B7844 Relevance: 12.1, APIs: 4, Strings: 4, Instructions: 110COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41A57E6 Relevance: 12.1, APIs: 5, Strings: 3, Instructions: 104COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41B3590 Relevance: 10.9, APIs: 5, Strings: 2, Instructions: 424stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41868E0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 165fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41B951A Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 154COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C417A19C Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 154COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41A02F0 Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 146COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41A3200 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 145networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C415D150 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 120libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4194190 Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 109stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C418C560 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 106COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41B96AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 92COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4186660 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4191910 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 138COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41B72CC Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 126COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41B77FF Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 98COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41BD740 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 91COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41B7575 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 88COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41B75C6 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 84COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41B7593 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 83COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C417A2C8 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 155COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C417A1BD Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 153COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41625F0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 124COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C415D550 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 122libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41601C0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 122libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41AF5B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 116stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C418F150 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41B4220 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 146COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C418B8D0 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 127COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41B7143 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 125COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41B72D4 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 62COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4160720 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C415F530 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 144COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41A27E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 120networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41B98E5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 113COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41B965F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41A25C0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 73networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41738E3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C414B120 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 190COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41BA720 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 105COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41A61FD Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 84COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C4181260 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 70COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41756BD Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 55stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41755AA Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 24stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41755B2 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 24stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7C41AE78F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|