Edit tour
Windows
Analysis Report
nsdksetup.dll
Overview
General Information
| Sample name: | nsdksetup.dll |
| Analysis ID: | 1576918 |
| MD5: | e0b7d6b9d4f1666b6ac5e52dd78a0273 |
| SHA1: | 3cdd84acf09a5905e7dd93fc1043b59bdd0231bb |
| SHA256: | 5060a37c40ba559ab4bd39f6b838dd7142d400b6d2d2876abe37019509a53d0a |
| Tags: | dlluser-smica83 |
| Infos: |  |
 | |
Detection
| Score: | 56 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
System process connects to network (likely due to code injection or exploit)
AI detected suspicious sample
Sigma detected: Windows Binaries Write Suspicious Extensions
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found decision node followed by non-executed suspicious APIs
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
loaddll32.exe (PID: 7416 cmdline: loaddll32. exe "C:\Us ers\user\D esktop\nsd ksetup.dll " MD5: 51E6071F9CBA48E79F10C84515AAE618) 
conhost.exe (PID: 7424 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 7468 cmdline:
cmd.exe /C rundll32. exe "C:\Us ers\user\D esktop\nsd ksetup.dll ",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) 
rundll32.exe (PID: 7492 cmdline: rundll32.e xe "C:\Use rs\user\De sktop\nsdk setup.dll" ,#1 MD5: 889B99C52A60DD49227C5E485A016679) - cmd.exe (PID: 8092 cmdline:
cmd.exe /B /c "C:\Us ers\user\A ppData\Loc al\Temp\\m onitor.bat " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 8132 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - tasklist.exe (PID: 1256 cmdline:
tasklist / FI "IMAGEN AME eq run dll32.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1) - findstr.exe (PID: 2288 cmdline:
findstr /I "rundll32 .exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - timeout.exe (PID: 3480 cmdline:
timeout /t 30 /nobre ak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3) - tasklist.exe (PID: 4872 cmdline:
tasklist / FI "IMAGEN AME eq run dll32.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1) - findstr.exe (PID: 5972 cmdline:
findstr /I "rundll32 .exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - rundll32.exe (PID: 7408 cmdline:
"C:\Window s\SysWOW64 \rundll32. exe" MD5: 889B99C52A60DD49227C5E485A016679) - timeout.exe (PID: 5476 cmdline:
timeout /t 30 /nobre ak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3) - tasklist.exe (PID: 3492 cmdline:
tasklist / FI "IMAGEN AME eq run dll32.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1) - findstr.exe (PID: 1820 cmdline:
findstr /I "rundll32 .exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - rundll32.exe (PID: 2192 cmdline:
"C:\Window s\SysWOW64 \rundll32. exe" MD5: 889B99C52A60DD49227C5E485A016679) - timeout.exe (PID: 1524 cmdline:
timeout /t 30 /nobre ak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3) - tasklist.exe (PID: 1404 cmdline:
tasklist / FI "IMAGEN AME eq run dll32.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1) - findstr.exe (PID: 4112 cmdline:
findstr /I "rundll32 .exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - rundll32.exe (PID: 4680 cmdline:
"C:\Window s\SysWOW64 \rundll32. exe" MD5: 889B99C52A60DD49227C5E485A016679) - timeout.exe (PID: 4944 cmdline:
timeout /t 30 /nobre ak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3) - rundll32.exe (PID: 7476 cmdline:
rundll32.e xe C:\User s\user\Des ktop\nsdks etup.dll,S teamAPI_In it MD5: 889B99C52A60DD49227C5E485A016679) - cmd.exe (PID: 8084 cmdline:
cmd.exe /B /c "C:\Us ers\user\A ppData\Loc al\Temp\\m onitor.bat " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 8104 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - tasklist.exe (PID: 3332 cmdline:
tasklist / FI "IMAGEN AME eq run dll32.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1) - findstr.exe (PID: 7212 cmdline:
findstr /I "rundll32 .exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - timeout.exe (PID: 3956 cmdline:
timeout /t 30 /nobre ak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3) - tasklist.exe (PID: 3952 cmdline:
tasklist / FI "IMAGEN AME eq run dll32.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1) - findstr.exe (PID: 7252 cmdline:
findstr /I "rundll32 .exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - rundll32.exe (PID: 6864 cmdline:
"C:\Window s\SysWOW64 \rundll32. exe" MD5: 889B99C52A60DD49227C5E485A016679) - timeout.exe (PID: 6536 cmdline:
timeout /t 30 /nobre ak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3) - tasklist.exe (PID: 2072 cmdline:
tasklist / FI "IMAGEN AME eq run dll32.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1) - findstr.exe (PID: 2016 cmdline:
findstr /I "rundll32 .exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - rundll32.exe (PID: 2292 cmdline:
"C:\Window s\SysWOW64 \rundll32. exe" MD5: 889B99C52A60DD49227C5E485A016679) - timeout.exe (PID: 3236 cmdline:
timeout /t 30 /nobre ak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3) - tasklist.exe (PID: 5700 cmdline:
tasklist / FI "IMAGEN AME eq run dll32.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1) - findstr.exe (PID: 3856 cmdline:
findstr /I "rundll32 .exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - rundll32.exe (PID: 4516 cmdline:
"C:\Window s\SysWOW64 \rundll32. exe" MD5: 889B99C52A60DD49227C5E485A016679) - timeout.exe (PID: 6896 cmdline:
timeout /t 30 /nobre ak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3) - rundll32.exe (PID: 7600 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\nsdk setup.dll" ,SteamAPI_ Init MD5: 889B99C52A60DD49227C5E485A016679)
- cleanup
⊘No configs have been found
⊘No yara matches
System Summary |   |
|---|
| Source: | Author: Nasreddine Bencherchali (Nextron Systems): | ||
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Code function: | 3_2_6D0200A0 | |
| Source: | Code function: | 3_2_6D01FDE0 | |
| Source: | Code function: | 3_2_6D021100 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 3_2_6D0882AF | |
| Source: | Code function: | 3_2_6D19F18B | |
| Source: | Code function: | 3_2_6D19F23C | |
Networking | |
|---|
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Code function: | 3_2_6D038080 | |
| Source: | Code function: | 3_2_6D0C41AD | |
| Source: | Code function: | 3_2_6D06C1C4 | |
| Source: | Code function: | 3_2_6D0644F7 | |
| Source: | Code function: | 3_2_6D04D23E | |
| Source: | Code function: | 3_2_6D021100 | |
| Source: | Code function: | 3_2_6D03ED00 | |
| Source: | Code function: | 3_2_6D034F70 | |
| Source: | Code function: | 3_2_6D1A69F2 | |
| Source: | Code function: | 3_2_6D18A804 | |
| Source: | Code function: | 3_2_6D182BE0 | |
| Source: | Code function: | 3_2_6D0345C0 | |
| Source: | Code function: | 3_2_6D04849D | |
| Source: | Code function: | 3_2_6D04476E | |
| Source: | Code function: | 3_2_6D186651 | |
| Source: | Code function: | 3_2_6D1906A6 | |
| Source: | Code function: | 3_2_6D07A181 | |
| Source: | Code function: | 3_2_6D0722EB | |
| Source: | Code function: | 3_2_6D06BDBD | |
| Source: | Code function: | 3_2_6D04DC7F | |
| Source: | Code function: | 3_2_6D189E80 | |
| Source: | Code function: | 3_2_6D011ED0 | |
| Source: | Code function: | 3_2_6D03B860 | |
| Source: | Code function: | 3_2_6D07B58F | |
| Source: | Code function: | 3_2_6D05D435 | |
| Source: | Code function: | 3_2_6D01F470 | |
| Source: | Code function: | 3_2_6D05908D | |
| Source: | Code function: | 3_2_6D03F0B0 | |
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 3_2_6D03A5E0 | |
| Source: | Code function: | 3_2_6D05AD46 | |
| Source: | Code function: | 3_2_6D04AF5B | |
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | Static PE information: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | Binary or memory string: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | Window detected: | ||
| Source: | Static PE information: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 3_2_6D03F754 | |
| Source: | Code function: | 3_2_6D04FDA5 | |
| Source: | Code function: | 3_2_6D05F740 | |
| Source: | File created: | Jump to dropped file | ||
| Source: | Code function: | 3_2_6D04E94E | |
| Source: | Code function: | 3_2_6D0787A4 | |
| Source: | Code function: | 3_2_6D06305D | |
| Source: | Code function: | 3_2_6D0472BF | |
| Source: | Code function: | 3_2_6D0532C4 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Code function: | 3_2_6D03A5E0 | |
| Source: | Decision node followed by non-executed suspicious API: | graph_3-63201 | ||
| Source: | API coverage: | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | |||
| Source: | Thread sleep count: | |||
| Source: | Thread sleep count: | |||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Code function: | 3_2_6D0882AF | |
| Source: | Code function: | 3_2_6D19F18B | |
| Source: | Code function: | 3_2_6D19F23C | |
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 3_2_6D05C225 | |
| Source: | Code function: | 3_2_6D041008 | |
| Source: | Code function: | 3_2_6D03A5E0 | |
| Source: | Code function: | 3_2_6D0126C0 | |
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process token adjusted: | |||
| Source: | Process token adjusted: | |||
| Source: | Code function: | 3_2_6D0B8786 | |
| Source: | Code function: | 3_2_6D191F18 | |
| Source: | Code function: | 3_2_6D05D776 | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Code function: | 3_2_6D1A6143 | |
| Source: | Code function: | 3_2_6D1A61EA | |
| Source: | Code function: | 3_2_6D1A6023 | |
| Source: | Code function: | 3_2_6D0660D1 | |
| Source: | Code function: | 3_2_6D1A60F8 | |
| Source: | Code function: | 3_2_6D1A62F0 | |
| Source: | Code function: | 3_2_6D1A5D71 | |
| Source: | Code function: | 3_2_6D19BC5B | |
| Source: | Code function: | 3_2_6D1A5CD6 | |
| Source: | Code function: | 3_2_6D1A5FC4 | |
| Source: | Code function: | 3_2_6D1A5A85 | |
| Source: | Code function: | 3_2_6D19B63C | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | |||
| Source: | Code function: | 3_2_6D192EE2 | |
| Source: | Code function: | 3_2_6D0495C5 | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | 1 Scripting | Valid Accounts | 1 Windows Management Instrumentation | 1 Scripting | 111 Process Injection | 1 Masquerading | 21 Input Capture | 1 System Time Discovery | Remote Services | 21 Input Capture | 2 Encrypted Channel | Exfiltration Over Other Network Medium | 1 Data Encrypted for Impact |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Virtualization/Sandbox Evasion | LSASS Memory | 41 Security Software Discovery | Remote Desktop Protocol | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 111 Process Injection | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Clipboard Data | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Rundll32 | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Timestomp | DCSync | 24 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 5% | ReversingLabs |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | ReversingLabs |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | high |
⊘No contacted IP infos
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1576918 |
| Start date and time: | 2024-12-17 18:13:10 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 7m 40s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Run name: | Run with higher sleep bypass |
| Number of analysed new started processes analysed: | 45 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | nsdksetup.dll |
| Detection: | MAL |
| Classification: | mal56.evad.winDLL@76/14@0/0 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.109.210.53, 20.12.23.50
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size exceeded maximum capacity and may have missing disassembly code.
- VT rate limit hit for: nsdksetup.dll
⊘No simulations
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| s-part-0035.t-0009.t-msedge.net | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | CobaltStrike | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | RHADAMANTHYS | Browse |
| ||
| Get hash | malicious | RHADAMANTHYS | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
⊘No context
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\backup.exe | Get hash | malicious | Gh0stCringe, Neshta, RunningRAT | Browse | ||
| Get hash | malicious | Gh0stCringe, Neshta, RunningRAT | Browse | |||
| Get hash | malicious | Gh0stCringe, Neshta, RunningRAT | Browse | |||
| Get hash | malicious | GhostRat, Mimikatz, Nitol | Browse | |||
| Get hash | malicious | GhostRat, Mimikatz, Nitol | Browse | |||
| Get hash | malicious | GhostRat, Mimikatz, Nitol | Browse | |||
| Get hash | malicious | GhostRat, Mimikatz, Nitol | Browse | |||
| Get hash | malicious | GhostRat, Mimikatz, Nitol | Browse | |||
| Get hash | malicious | GhostRat, Mimikatz, Nitol | Browse | |||
| Get hash | malicious | Mimikatz, RunningRAT | Browse |
| Process: | C:\Windows\SysWOW64\rundll32.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1893 |
| Entropy (8bit): | 5.212287775015203 |
| Encrypted: | false |
| SSDEEP: | 48:c55XzDl4Q2ZbXL6Q0QFdOFQOzN33O4OiDdKrKsTLXbGMv:O5XzDl4Q2ZbGQhFdOFQOzBdKrKsTLXbV |
| MD5: | E3FB2ECD2AD10C30913339D97E0E9042 |
| SHA1: | A004CE2B3D398312B80E2955E76BDA69EF9B7203 |
| SHA-256: | 1BD6DB55FFF870C9DF7A0AAC11B895B50F57774F20A5744E63BBC3BD40D11F28 |
| SHA-512: | 9D6F0C1E344F1DC5A0EF4CAAD86281F92A6C108E1085BACD8D6143F9C742198C2F759CA5BDFFAD4D9E40203E6B0460E84896D1C6B8B1759350452E1DE809B716 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\rundll32.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 61440 |
| Entropy (8bit): | 6.199746098562656 |
| Encrypted: | false |
| SSDEEP: | 1536:H9ykYCTdiHQKrFXmw2RQln5IUmDjoX6+:HlMHprF2nRQln5I |
| MD5: | 889B99C52A60DD49227C5E485A016679 |
| SHA1: | 8FA889E456AA646A4D0A4349977430CE5FA5E2D7 |
| SHA-256: | 6CBE0E1F046B13B29BFA26F8B368281D2DDA7EB9B718651D5856F22CC3E02910 |
| SHA-512: | 08933106EAF338DD119C45CBF1F83E723AFF77CC0F8D3FC84E36253B1EB31557A54211D1D5D1CB58958188E32064D451F6C66A24B3963CCCD3DE07299AB90641 |
| Malicious: | false |
| Antivirus: |
|
| Joe Sandbox View: |
|
| Preview: |
| Process: | C:\Windows\SysWOW64\rundll32.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 719 |
| Entropy (8bit): | 5.1641048528391025 |
| Encrypted: | false |
| SSDEEP: | 12:NFWdVWCPSmOWdVW+ZMmOWE+IwZzWcR7RwZ9/FZ+0Yp9Sqe/tA5dKQ+0Z+0VbphJm:NFW/W17W/WgM7WERwZzWcRlwZZKx31S1 |
| MD5: | 2610FFC2D40535D08C0B9CF2C8A3F461 |
| SHA1: | D8F9770AC52B6D9D73F571B962365C4074F128D8 |
| SHA-256: | 62F2B62072F49D7A56AE16362B43611C9B03053AA48C03B3B177B7FCC79B216D |
| SHA-512: | C0C0381E97420B1A61145B8437EADD5364DADA05F87CBDCEC50EF6F1E4B2B2D375EC00CDB2D14C0C96DE2054DEDB24DCD706281029D9C4777B55FFD5C4FD18FD |
| Malicious: | true |
| Preview: |
| Process: | C:\Windows\SysWOW64\rundll32.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4 |
| Entropy (8bit): | 2.0 |
| Encrypted: | false |
| SSDEEP: | 3:MX:MX |
| MD5: | 630EFF1B380505A67570DFF952CE4AD7 |
| SHA1: | C4DA4A14965F073D44330CDE4508905DF52E81EA |
| SHA-256: | BC7FE627D446AA7BF9D91C98487D414BEAF56EFAF7BA1748A354CA07850D889D |
| SHA-512: | 60C813FD4303173CB98DB599892E515A7F73617C6D04D1226548953B23B5201E76BE6415E22EA39216F7EB6AEE6CEFC8826FD1C9A6D2FDA6A628F450657C3DC1 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\timeout.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 146 |
| Entropy (8bit): | 4.007045619960759 |
| Encrypted: | false |
| SSDEEP: | 3:hYFRZARcWmFsFJQZ/ctXvY/4to/9uF8cttEfYhnQUqg2Htysn:hYFRamFSQZ0lv5y/9JctESnQUq3tys |
| MD5: | 142C2305671DED58170E6E5A0E4C59CB |
| SHA1: | C5AE6FDF759486E120830439E9102B616BA926C5 |
| SHA-256: | 3E26B1E9AAEC708A4924E2FD93ECA5F7418029AC568908430FB09B069D02A56E |
| SHA-512: | E96AF73EE8BC497C1AB2F3DF27155F0D17C84FC8C643955EB25335C59DC91013F572AA591FA71A01FDC3ABAEB715AAE73173FA4323FFA92CA4E7C44C50F52A3B |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.606106523352761 |
| TrID: |
|
| File name: | nsdksetup.dll |
| File size: | 2'291'000 bytes |
| MD5: | e0b7d6b9d4f1666b6ac5e52dd78a0273 |
| SHA1: | 3cdd84acf09a5905e7dd93fc1043b59bdd0231bb |
| SHA256: | 5060a37c40ba559ab4bd39f6b838dd7142d400b6d2d2876abe37019509a53d0a |
| SHA512: | bd5908294adc6abc83cdcb99829323392654d2ded5bf299726714cd95fc595b8b3beec2b12e0ccb34130cf898c7016e4cb9dadb41985036e2c8d35c36511e587 |
| SSDEEP: | 49152:F/kcCMJuG+opH4CLOpd7ioYiKq8iBh3n1XK0pcioOgTjJ:FMcCMJuGhB4CLmZioYQ8iBh3nhK0pciC |
| TLSH: | EDB58D2135187877D35F02316D19B279E5FCAE302B3901DBE7449E1839364A286F7AAF |
| File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...^8^g...........!.........<.......!.......................................`#...........@.............................N.......h.. |
 | |
| Icon Hash: | 7ae282899bbab082 |
| Entrypoint: | 0x10172193 |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x10000000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT |
| Time Stamp: | 0x675E385E [Sun Dec 15 02:01:02 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | e8e10a9a26ea7946a143d94d30a79a47 |
| Signature Valid: | false |
| Signature Issuer: | CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US |
| Signature Validation Error: | The digital signature of the object did not verify |
| Error Number: | -2146869232 |
| Not Before, Not After |
|
| Subject Chain |
|
| Version: | 3 |
| Thumbprint MD5: | 430565BEA94CD2EBC1BA24A3A2D7FC84 |
| Thumbprint SHA-1: | 724C8D7BBEB78F2618147BF7BA8060AC308B7468 |
| Thumbprint SHA-256: | A7F501CB1578B030063B4490C3DAD52AFA6820FCB0CA047961B459E7DC43BDDF |
| Serial: | 33000003D2DA19165D6DC749AF0000000003D2 |
| Instruction |
|---|
| push ebp |
| mov ebp, esp |
| cmp dword ptr [ebp+0Ch], 01h |
| jne 00007EFF2CC16157h |
| call 00007EFF2CC1616Ah |
| push dword ptr [ebp+10h] |
| push dword ptr [ebp+0Ch] |
| push dword ptr [ebp+08h] |
| call 00007EFF2CC1602Eh |
| add esp, 0Ch |
| pop ebp |
| retn 000Ch |
| mov ecx, dword ptr [10200DC0h] |
| push esi |
| push edi |
| mov edi, BB40E64Eh |
| mov esi, FFFF0000h |
| cmp ecx, edi |
| je 00007EFF2CC16156h |
| test esi, ecx |
| jne 00007EFF2CC16178h |
| call 00007EFF2CC16181h |
| mov ecx, eax |
| cmp ecx, edi |
| jne 00007EFF2CC16159h |
| mov ecx, BB40E64Fh |
| jmp 00007EFF2CC16160h |
| test esi, ecx |
| jne 00007EFF2CC1615Ch |
| or eax, 00004711h |
| shl eax, 10h |
| or ecx, eax |
| mov dword ptr [10200DC0h], ecx |
| not ecx |
| pop edi |
| mov dword ptr [10200E00h], ecx |
| pop esi |
| ret |
| push ebp |
| mov ebp, esp |
| sub esp, 14h |
| lea eax, dword ptr [ebp-0Ch] |
| xorps xmm0, xmm0 |
| push eax |
| movlpd qword ptr [ebp-0Ch], xmm0 |
| call dword ptr [101EC87Ch] |
| mov eax, dword ptr [ebp-08h] |
| xor eax, dword ptr [ebp-0Ch] |
| mov dword ptr [ebp-04h], eax |
| call dword ptr [101EC804h] |
| xor dword ptr [ebp-04h], eax |
| call dword ptr [101EC7FCh] |
| xor dword ptr [ebp-04h], eax |
| lea eax, dword ptr [ebp-14h] |
| push eax |
| call dword ptr [101EC968h] |
| mov eax, dword ptr [ebp-10h] |
| lea ecx, dword ptr [ebp-04h] |
| xor eax, dword ptr [ebp-14h] |
| xor eax, dword ptr [ebp-04h] |
| xor eax, ecx |
| leave |
| ret |
| push 1020A018h |
| call dword ptr [101EC8FCh] |
| ret |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x1ebb8c | 0x4e | .rdata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1ebbda | 0x168 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x20d000 | 0x4800 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x22cc00 | 0x2938 | .reloc |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x212000 | 0x230bc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1ea8a4 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x1d6220 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1d1170 | 0xc0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x1ec754 | 0xa10 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x1a8ac9 | 0x1a8c00 | abaaae5f1f08ebe7cce61d8c25d46985 | False | 0.5223954118231312 | data | 6.515437951178249 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x1aa000 | 0x55eac | 0x56000 | 495869d5a3f54fafe2a8b3bfe198025b | False | 0.27931106922238375 | 0421 Alliant compact executable not stripped | 5.3516520657079205 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x200000 | 0xa800 | 0x5e00 | 98490a19b33f42cd9e6c6024e6fef6ae | False | 0.24243683510638298 | data | 4.7964348900886815 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .00cfg | 0x20b000 | 0x8 | 0x200 | 9b3fb53df9de8537e98313fc981a1ebb | False | 0.033203125 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .tls | 0x20c000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x20d000 | 0x4800 | 0x4800 | d02b766042ee6bd9361ea19b0bdc4c44 | False | 0.3206922743055556 | data | 4.363281198997168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x212000 | 0x230bc | 0x23200 | ee21bd4c6ceca71325aab0cc3f930ccd | False | 0.46352313167259784 | data | 6.571525218821168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| AFX_DIALOG_LAYOUT | 0x20e004 | 0x40 | openssl enc'd data with salted password, base64 encoded | 1.125 | ||
| RT_CURSOR | 0x20e044 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.4805194805194805 |
| RT_CURSOR | 0x20e178 | 0xb4 | Targa image data - Map 32 x 65536 x 1 +16 "\001" | Chinese | China | 0.7 |
| RT_CURSOR | 0x20e22c | 0x134 | data | Chinese | China | 0.4090909090909091 |
| RT_CURSOR | 0x20e360 | 0xb4 | Targa image data - RLE 32 x 65536 x 1 +16 "\001" | Chinese | China | 0.5944444444444444 |
| RT_CURSOR | 0x20e414 | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294967288, 3840 elements, 2nd "\377\370\037\377\377\370\037\377\377\370\037\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd | Chinese | China | 0.32142857142857145 |
| RT_CURSOR | 0x20e548 | 0xb4 | Targa image data - RLE 32 x 65536 x 1 +16 "\001" | Chinese | China | 0.49444444444444446 |
| RT_CURSOR | 0x20e5fc | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294967288, 3840 elements, 2nd "\377\360\037\377\377\370?\377\377\374\177\377\377\376\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd | Chinese | China | 0.33766233766233766 |
| RT_CURSOR | 0x20e730 | 0xb4 | Targa image data - RLE 32 x 65536 x 1 +16 "\001" | Chinese | China | 0.5 |
| RT_CURSOR | 0x20e7e4 | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294966787, 3840 elements, 2nd "\377\003\300\377\377\200\001\377\377\300\003\377\377\340\007\377\377\370\037\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd | Chinese | China | 0.5616883116883117 |
| RT_CURSOR | 0x20e918 | 0xb4 | Targa image data - RLE 32 x 65536 x 1 +16 "\001" | Chinese | China | 0.5444444444444444 |
| RT_CURSOR | 0x20e9cc | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294967264, 5120 elements, 2nd "\377\360?\377\377\370\177\377\377\374\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd | Chinese | China | 0.36363636363636365 |
| RT_CURSOR | 0x20eb00 | 0x134 | Targa image data - RLE 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.35714285714285715 |
| RT_CURSOR | 0x20ec34 | 0x134 | data | Chinese | China | 0.37337662337662336 |
| RT_CURSOR | 0x20ed68 | 0x134 | data | Chinese | China | 0.37662337662337664 |
| RT_CURSOR | 0x20ee9c | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.36688311688311687 |
| RT_CURSOR | 0x20efd0 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.37662337662337664 |
| RT_CURSOR | 0x20f104 | 0x134 | Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.36688311688311687 |
| RT_CURSOR | 0x20f238 | 0x134 | Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.38636363636363635 |
| RT_CURSOR | 0x20f36c | 0x134 | data | Chinese | China | 0.44155844155844154 |
| RT_CURSOR | 0x20f4a0 | 0x134 | data | Chinese | China | 0.4155844155844156 |
| RT_CURSOR | 0x20f5d4 | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294966847, 3840 elements, 2nd "\377?\374\377\377\300\003\377\377\300\003\377\377\340\007\377\377\360\017\377\377\370\037\377\377\374?\377\377\376\177\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd | Chinese | China | 0.5422077922077922 |
| RT_CURSOR | 0x20f708 | 0x134 | data | Chinese | China | 0.2662337662337662 |
| RT_CURSOR | 0x20f83c | 0x134 | data | Chinese | China | 0.2824675324675325 |
| RT_CURSOR | 0x20f970 | 0x134 | data | Chinese | China | 0.3246753246753247 |
| RT_BITMAP | 0x20faa4 | 0x2c0 | Device independent bitmap graphic, 80 x 15 x 4, image size 600 | Chinese | China | 0.37642045454545453 |
| RT_BITMAP | 0x20fd64 | 0xb8 | Device independent bitmap graphic, 12 x 10 x 4, image size 80 | Chinese | China | 0.44565217391304346 |
| RT_BITMAP | 0x20fe1c | 0x144 | Device independent bitmap graphic, 33 x 11 x 4, image size 220 | Chinese | China | 0.37962962962962965 |
| RT_MENU | 0x20ff60 | 0xb2 | data | Chinese | China | 0.7584269662921348 |
| RT_MENU | 0x210014 | 0x192 | data | Chinese | China | 0.599502487562189 |
| RT_DIALOG | 0x2101a8 | 0x104 | data | Chinese | China | 0.6307692307692307 |
| RT_DIALOG | 0x2102ac | 0xe2 | data | Chinese | China | 0.6769911504424779 |
| RT_DIALOG | 0x210390 | 0x34 | data | Chinese | China | 0.8653846153846154 |
| RT_STRING | 0x2103c4 | 0x36 | data | Chinese | China | 0.48148148148148145 |
| RT_STRING | 0x2103fc | 0x2a | data | Chinese | China | 0.5476190476190477 |
| RT_STRING | 0x210428 | 0x42 | data | Chinese | China | 0.6818181818181818 |
| RT_STRING | 0x21046c | 0x120 | data | Chinese | China | 0.65625 |
| RT_STRING | 0x21058c | 0xbe | data | Chinese | China | 0.5578947368421052 |
| RT_STRING | 0x21064c | 0x64 | data | Chinese | China | 0.76 |
| RT_STRING | 0x2106b0 | 0x54 | data | Chinese | China | 0.5357142857142857 |
| RT_STRING | 0x210704 | 0x46 | data | Chinese | China | 0.7428571428571429 |
| RT_STRING | 0x21074c | 0x3c | data | Chinese | China | 0.6166666666666667 |
| RT_STRING | 0x210788 | 0x9e | data | Chinese | China | 0.7151898734177216 |
| RT_STRING | 0x210828 | 0x4a | data | Chinese | China | 0.7837837837837838 |
| RT_STRING | 0x210874 | 0x4e | data | Chinese | China | 0.8461538461538461 |
| RT_STRING | 0x2108c4 | 0x2c | data | Chinese | China | 0.5909090909090909 |
| RT_STRING | 0x2108f0 | 0x84 | data | Chinese | China | 0.9166666666666666 |
| RT_STRING | 0x210974 | 0x1cc | data | Chinese | China | 0.7934782608695652 |
| RT_STRING | 0x210b40 | 0x14e | data | Chinese | China | 0.5179640718562875 |
| RT_STRING | 0x210c90 | 0x10e | data | Chinese | China | 0.7037037037037037 |
| RT_STRING | 0x210da0 | 0x50 | data | Chinese | China | 0.7125 |
| RT_STRING | 0x210df0 | 0x44 | data | Chinese | China | 0.6764705882352942 |
| RT_STRING | 0x210e34 | 0x68 | data | Chinese | China | 0.7019230769230769 |
| RT_STRING | 0x210e9c | 0x1b2 | data | Chinese | China | 0.6474654377880185 |
| RT_STRING | 0x211050 | 0xf4 | data | Chinese | China | 0.6065573770491803 |
| RT_STRING | 0x211144 | 0x24 | data | Chinese | China | 0.4722222222222222 |
| RT_STRING | 0x211168 | 0x1a8 | data | Chinese | China | 0.6674528301886793 |
| RT_ACCELERATOR | 0x211310 | 0x58 | data | Chinese | China | 0.7727272727272727 |
| RT_GROUP_CURSOR | 0x211368 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | Chinese | China | 0.9705882352941176 |
| RT_GROUP_CURSOR | 0x21138c | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | Chinese | China | 1.0294117647058822 |
| RT_GROUP_CURSOR | 0x2113b0 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | Chinese | China | 1.0294117647058822 |
| RT_GROUP_CURSOR | 0x2113d4 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | Chinese | China | 1.0294117647058822 |
| RT_GROUP_CURSOR | 0x2113f8 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | Chinese | China | 1.0294117647058822 |
| RT_GROUP_CURSOR | 0x21141c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
| RT_GROUP_CURSOR | 0x211430 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
| RT_GROUP_CURSOR | 0x211444 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
| RT_GROUP_CURSOR | 0x211458 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
| RT_GROUP_CURSOR | 0x21146c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
| RT_GROUP_CURSOR | 0x211480 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
| RT_GROUP_CURSOR | 0x211494 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
| RT_GROUP_CURSOR | 0x2114a8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
| RT_GROUP_CURSOR | 0x2114bc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
| RT_GROUP_CURSOR | 0x2114d0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
| RT_GROUP_CURSOR | 0x2114e4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
| RT_GROUP_CURSOR | 0x2114f8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
| RT_GROUP_CURSOR | 0x21150c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
| RT_GROUP_CURSOR | 0x211520 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
| RT_VERSION | 0x211534 | 0x2b4 | data | Chinese | China | 0.4884393063583815 |
| None | 0x2117e8 | 0x16 | data | Chinese | China | 1.3181818181818181 |
| DLL | Import |
|---|---|
| KERNEL32.dll | AcquireSRWLockExclusive, CloseHandle, CompareStringW, CopyFileA, CopyFileW, CreateFileW, CreateProcessA, CreateThread, CreateToolhelp32Snapshot, DecodePointer, DeleteCriticalSection, DeleteFileA, DeleteFileW, DuplicateHandle, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, ExitThread, FileTimeToLocalFileTime, FileTimeToSystemTime, FindClose, FindFirstFileExW, FindFirstFileW, FindNextFileW, FindResourceExW, FindResourceW, FlushFileBuffers, FormatMessageW, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, FreeResource, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleCP, GetConsoleMode, GetConsoleOutputCP, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentStringsW, GetFileAttributesA, GetFileAttributesExW, GetFileAttributesW, GetFileSize, GetFileSizeEx, GetFileTime, GetFileType, GetFullPathNameW, GetLastError, GetLocaleInfoW, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetNumberOfConsoleInputEvents, GetOEMCP, GetPrivateProfileIntW, GetPrivateProfileStringW, GetProcAddress, GetProcessHeap, GetProfileIntW, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemDefaultUILanguage, GetSystemDirectoryW, GetSystemInfo, GetSystemTimeAsFileTime, GetTempFileNameW, GetTempPathA, GetTempPathW, GetTickCount64, GetTimeZoneInformation, GetUserDefaultLCID, GetUserDefaultUILanguage, GetVersionExW, GetVolumeInformationW, GetWindowsDirectoryW, GlobalAddAtomW, GlobalAlloc, GlobalDeleteAtom, GlobalFindAtomW, GlobalFlags, GlobalFree, GlobalGetAtomNameW, GlobalHandle, GlobalLock, GlobalReAlloc, GlobalSize, GlobalUnlock, HeapAlloc, HeapDestroy, HeapFree, HeapQueryInformation, HeapReAlloc, HeapSize, InitializeCriticalSection, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, InterlockedFlushSList, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, LoadLibraryW, LoadResource, LocalAlloc, LocalFree, LocalReAlloc, LockFile, LockResource, MulDiv, MultiByteToWideChar, OpenProcess, OpenThread, OutputDebugStringA, OutputDebugStringW, PeekConsoleInputA, Process32FirstW, Process32NextW, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReadConsoleInputW, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, ResumeThread, RtlUnwind, SearchPathW, SetConsoleMode, SetEndOfFile, SetEnvironmentVariableW, SetFilePointer, SetFilePointerEx, SetLastError, SetStdHandle, SetThreadPriority, SetUnhandledExceptionFilter, SizeofResource, Sleep, SleepConditionVariableSRW, SuspendThread, SystemTimeToTzSpecificLocalTime, TerminateProcess, Thread32First, Thread32Next, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, UnlockFile, VerSetConditionMask, VerifyVersionInfoW, VirtualAlloc, VirtualProtect, VirtualQuery, WaitForSingleObject, WakeAllConditionVariable, WideCharToMultiByte, WinExec, WriteConsoleW, WriteFile, WritePrivateProfileStringW, lstrcmpA, lstrcmpW, lstrcmpiW, lstrcpyW |
| USER32.dll | AdjustWindowRectEx, AppendMenuW, BeginDeferWindowPos, BeginPaint, BringWindowToTop, CallNextHookEx, CallWindowProcW, CharUpperBuffW, CharUpperW, CheckDlgButton, CheckMenuItem, ClientToScreen, CloseClipboard, CopyAcceleratorTableW, CopyIcon, CopyImage, CopyRect, CreateAcceleratorTableW, CreateDialogIndirectParamW, CreateMenu, CreatePopupMenu, CreateWindowExW, DefFrameProcW, DefMDIChildProcW, DefWindowProcW, DeferWindowPos, DeleteMenu, DestroyAcceleratorTable, DestroyCursor, DestroyIcon, DestroyMenu, DestroyWindow, DispatchMessageW, DrawEdge, DrawFocusRect, DrawFrameControl, DrawIcon, DrawIconEx, DrawMenuBar, DrawStateW, DrawTextExW, DrawTextW, EmptyClipboard, EnableMenuItem, EnableScrollBar, EnableWindow, EndDeferWindowPos, EndDialog, EndPaint, EnumDisplayMonitors, EqualRect, FillRect, FrameRect, GetActiveWindow, GetAsyncKeyState, GetCapture, GetClassInfoExW, GetClassInfoW, GetClassLongW, GetClassNameW, GetClientRect, GetComboBoxInfo, GetCursorPos, GetDC, GetDCEx, GetDesktopWindow, GetDlgCtrlID, GetDlgItem, GetDoubleClickTime, GetFocus, GetForegroundWindow, GetIconInfo, GetKeyNameTextW, GetKeyState, GetKeyboardLayout, GetKeyboardState, GetLastActivePopup, GetMenu, GetMenuCheckMarkDimensions, GetMenuDefaultItem, GetMenuItemCount, GetMenuItemID, GetMenuItemInfoW, GetMenuState, GetMenuStringW, GetMessagePos, GetMessageTime, GetMessageW, GetMonitorInfoW, GetNextDlgGroupItem, GetNextDlgTabItem, GetParent, GetPropW, GetScrollInfo, GetScrollPos, GetScrollRange, GetSubMenu, GetSysColor, GetSysColorBrush, GetSystemMenu, GetSystemMetrics, GetTopWindow, GetUpdateRect, GetWindow, GetWindowDC, GetWindowLongW, GetWindowPlacement, GetWindowRect, GetWindowRgn, GetWindowTextLengthW, GetWindowTextW, GetWindowThreadProcessId, GrayStringW, HideCaret, InflateRect, InsertMenuItemW, InsertMenuW, IntersectRect, InvalidateRect, InvertRect, IsCharLowerW, IsChild, IsClipboardFormatAvailable, IsDialogMessageW, IsIconic, IsMenu, IsRectEmpty, IsWindow, IsWindowEnabled, IsWindowVisible, IsZoomed, KillTimer, LoadAcceleratorsW, LoadBitmapW, LoadCursorW, LoadIconW, LoadImageW, LoadMenuW, LockWindowUpdate, MapDialogRect, MapVirtualKeyExW, MapVirtualKeyW, MapWindowPoints, MessageBeep, MessageBoxW, ModifyMenuW, MonitorFromPoint, MonitorFromWindow, MoveWindow, NotifyWinEvent, OffsetRect, OpenClipboard, PeekMessageW, PostMessageW, PostQuitMessage, PostThreadMessageW, PtInRect, RealChildWindowFromPoint, RedrawWindow, RegisterClassW, RegisterClipboardFormatW, RegisterWindowMessageW, ReleaseCapture, ReleaseDC, RemoveMenu, RemovePropW, ReuseDDElParam, ScreenToClient, ScrollWindow, SendDlgItemMessageA, SendMessageW, SetActiveWindow, SetCapture, SetClassLongW, SetClipboardData, SetCursor, SetCursorPos, SetFocus, SetForegroundWindow, SetLayeredWindowAttributes, SetMenu, SetMenuDefaultItem, SetMenuItemBitmaps, SetMenuItemInfoW, SetParent, SetPropW, SetRect, SetRectEmpty, SetScrollInfo, SetScrollPos, SetScrollRange, SetTimer, SetWindowLongW, SetWindowPlacement, SetWindowPos, SetWindowRgn, SetWindowTextW, SetWindowsHookExW, ShowOwnedPopups, ShowScrollBar, ShowWindow, SubtractRect, SystemParametersInfoW, TabbedTextOutW, ToUnicodeEx, TrackMouseEvent, TrackPopupMenu, TranslateAcceleratorW, TranslateMDISysAccel, TranslateMessage, UnhookWindowsHookEx, UnionRect, UnpackDDElParam, UnregisterClassW, UpdateLayeredWindow, UpdateWindow, ValidateRect, WaitMessage, WinHelpW, WindowFromPoint |
| GDI32.dll | BitBlt, CombineRgn, CopyMetaFileW, CreateBitmap, CreateCompatibleBitmap, CreateCompatibleDC, CreateDCW, CreateDIBSection, CreateDIBitmap, CreateEllipticRgn, CreateFontIndirectW, CreateFontW, CreateHatchBrush, CreatePalette, CreatePatternBrush, CreatePen, CreatePolygonRgn, CreateRectRgn, CreateRectRgnIndirect, CreateRoundRectRgn, CreateSolidBrush, DPtoLP, DeleteDC, DeleteObject, Ellipse, EnumFontFamiliesExW, EnumFontFamiliesW, Escape, ExcludeClipRect, ExtFloodFill, ExtSelectClipRgn, ExtTextOutW, FillRgn, FrameRgn, GetBkColor, GetBoundsRect, GetCharWidthW, GetClipBox, GetDeviceCaps, GetLayout, GetNearestPaletteIndex, GetObjectType, GetObjectW, GetPaletteEntries, GetPixel, GetRgnBox, GetStockObject, GetSystemPaletteEntries, GetTextCharsetInfo, GetTextColor, GetTextExtentPoint32W, GetTextFaceW, GetTextMetricsW, GetViewportExtEx, GetViewportOrgEx, GetWindowExtEx, GetWindowOrgEx, IntersectClipRect, LPtoDP, LineTo, MoveToEx, OffsetRgn, OffsetViewportOrgEx, OffsetWindowOrgEx, PatBlt, Polygon, Polyline, PtInRegion, PtVisible, RealizePalette, RectVisible, Rectangle, RestoreDC, RoundRect, SaveDC, ScaleViewportExtEx, ScaleWindowExtEx, SelectClipRgn, SelectObject, SelectPalette, SetBkColor, SetBkMode, SetDIBColorTable, SetLayout, SetMapMode, SetPaletteEntries, SetPixel, SetPixelV, SetPolyFillMode, SetROP2, SetRectRgn, SetTextAlign, SetTextColor, SetViewportExtEx, SetViewportOrgEx, SetWindowExtEx, SetWindowOrgEx, StretchBlt, StretchDIBits, TextOutW |
| ADVAPI32.dll | CryptAcquireContextW, CryptCreateHash, CryptDecrypt, CryptDestroyHash, CryptDestroyKey, CryptGetHashParam, CryptHashData, CryptImportKey, CryptReleaseContext, CryptSetKeyParam, RegCloseKey, RegCreateKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumKeyExW, RegEnumKeyW, RegEnumValueW, RegOpenKeyExW, RegQueryValueExW, RegQueryValueW, RegSetValueExW |
| SHELL32.dll | DragFinish, DragQueryFileW, SHAppBarMessage, SHBrowseForFolderW, SHGetDesktopFolder, SHGetFileInfoW, SHGetFolderPathA, SHGetPathFromIDListW, SHGetSpecialFolderLocation, ShellExecuteW |
| ole32.dll | CoCreateGuid, CoCreateInstance, CoDisconnectObject, CoInitialize, CoInitializeEx, CoLockObjectExternal, CoTaskMemAlloc, CoTaskMemFree, CoUninitialize, CreateStreamOnHGlobal, DoDragDrop, IsAccelerator, OleCreateMenuDescriptor, OleDestroyMenuDescriptor, OleDuplicateData, OleGetClipboard, OleLockRunning, OleTranslateAccelerator, RegisterDragDrop, ReleaseStgMedium, RevokeDragDrop |
| gdiplus.dll | GdipAlloc, GdipBitmapLockBits, GdipBitmapUnlockBits, GdipCloneImage, GdipCreateBitmapFromHBITMAP, GdipCreateBitmapFromScan0, GdipCreateBitmapFromStream, GdipCreateFromHDC, GdipDeleteGraphics, GdipDisposeImage, GdipDrawImageI, GdipDrawImageRectI, GdipFree, GdipGetImageGraphicsContext, GdipGetImageHeight, GdipGetImagePalette, GdipGetImagePaletteSize, GdipGetImagePixelFormat, GdipGetImageWidth, GdipSetInterpolationMode, GdiplusShutdown, GdiplusStartup |
| CRYPT32.dll | CryptStringToBinaryA |
| WS2_32.dll | WSACleanup, WSAStartup, closesocket, connect, freeaddrinfo, getaddrinfo, recv, socket |
| UxTheme.dll | CloseThemeData, DrawThemeBackground, DrawThemeParentBackground, DrawThemeText, GetCurrentThemeName, GetThemeColor, GetThemePartSize, GetThemeSysColor, GetWindowTheme, IsAppThemed, IsThemeBackgroundPartiallyTransparent, OpenThemeData |
| OLEAUT32.dll | LoadTypeLib, SysAllocString, SysAllocStringLen, SysFreeString, SysStringLen, SystemTimeToVariantTime, VarBstrFromDate, VariantChangeType, VariantClear, VariantCopy, VariantInit, VariantTimeToSystemTime |
| SHLWAPI.dll | PathFindExtensionW, PathFindFileNameW, PathIsUNCW, PathRemoveFileSpecW, PathStripToRootW, StrFormatKBSizeW |
| WINSPOOL.DRV | ClosePrinter, DocumentPropertiesW, OpenPrinterW |
| OLEACC.dll | AccessibleObjectFromWindow, CreateStdAccessibleObject, LresultFromObject |
| MSIMG32.dll | AlphaBlend, TransparentBlt |
| IMM32.dll | ImmGetContext, ImmGetOpenStatus, ImmReleaseContext |
| WINMM.dll | PlaySoundW |
| Name | Ordinal | Address |
|---|---|---|
| SteamAPI_Init | 1 | 0x1002a760 |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| Chinese | China |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Dec 17, 2024 18:13:58.212939024 CET | 1.1.1.1 | 192.168.2.9 | 0x7b90 | No error (0) | s-part-0035.t-0009.t-msedge.net | CNAME (Canonical name) | IN (0x0001) | false | ||
| Dec 17, 2024 18:13:58.212939024 CET | 1.1.1.1 | 192.168.2.9 | 0x7b90 | No error (0) | 13.107.246.63 | A (IP address) | IN (0x0001) | false |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 12:14:01 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\System32\loaddll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x780000 |
| File size: | 126'464 bytes |
| MD5 hash: | 51E6071F9CBA48E79F10C84515AAE618 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 12:14:01 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff70f010000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 12:14:01 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xc50000 |
| File size: | 236'544 bytes |
| MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 12:14:01 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x320000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 12:14:01 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x320000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 6 |
| Start time: | 12:14:04 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x320000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 10 |
| Start time: | 12:15:11 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xc50000 |
| File size: | 236'544 bytes |
| MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | false |
| Target ID: | 11 |
| Start time: | 12:15:11 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xc50000 |
| File size: | 236'544 bytes |
| MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | false |
| Target ID: | 12 |
| Start time: | 12:15:11 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff70f010000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | false |
| Target ID: | 13 |
| Start time: | 12:15:11 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff70f010000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | false |
| Target ID: | 14 |
| Start time: | 12:15:11 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\SysWOW64\tasklist.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x310000 |
| File size: | 79'360 bytes |
| MD5 hash: | 0A4448B31CE7F83CB7691A2657F330F1 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 15 |
| Start time: | 12:15:11 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\SysWOW64\findstr.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x530000 |
| File size: | 29'696 bytes |
| MD5 hash: | F1D4BE0E99EC734376FDE474A8D4EA3E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 16 |
| Start time: | 12:15:11 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\SysWOW64\tasklist.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x310000 |
| File size: | 79'360 bytes |
| MD5 hash: | 0A4448B31CE7F83CB7691A2657F330F1 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 17 |
| Start time: | 12:15:11 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\SysWOW64\findstr.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x530000 |
| File size: | 29'696 bytes |
| MD5 hash: | F1D4BE0E99EC734376FDE474A8D4EA3E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 18 |
| Start time: | 12:15:12 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\SysWOW64\timeout.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x8e0000 |
| File size: | 25'088 bytes |
| MD5 hash: | 976566BEEFCCA4A159ECBDB2D4B1A3E3 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 19 |
| Start time: | 12:15:12 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\SysWOW64\timeout.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x8e0000 |
| File size: | 25'088 bytes |
| MD5 hash: | 976566BEEFCCA4A159ECBDB2D4B1A3E3 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 20 |
| Start time: | 12:15:42 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\SysWOW64\tasklist.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x310000 |
| File size: | 79'360 bytes |
| MD5 hash: | 0A4448B31CE7F83CB7691A2657F330F1 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 21 |
| Start time: | 12:15:42 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\SysWOW64\findstr.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x530000 |
| File size: | 29'696 bytes |
| MD5 hash: | F1D4BE0E99EC734376FDE474A8D4EA3E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 22 |
| Start time: | 12:15:42 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\SysWOW64\tasklist.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x310000 |
| File size: | 79'360 bytes |
| MD5 hash: | 0A4448B31CE7F83CB7691A2657F330F1 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 23 |
| Start time: | 12:15:42 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\SysWOW64\findstr.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x530000 |
| File size: | 29'696 bytes |
| MD5 hash: | F1D4BE0E99EC734376FDE474A8D4EA3E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 24 |
| Start time: | 12:15:42 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x320000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 25 |
| Start time: | 12:15:42 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\SysWOW64\timeout.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x8e0000 |
| File size: | 25'088 bytes |
| MD5 hash: | 976566BEEFCCA4A159ECBDB2D4B1A3E3 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 26 |
| Start time: | 12:15:42 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x320000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 27 |
| Start time: | 12:15:42 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\SysWOW64\timeout.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x8e0000 |
| File size: | 25'088 bytes |
| MD5 hash: | 976566BEEFCCA4A159ECBDB2D4B1A3E3 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 29 |
| Start time: | 12:16:12 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\SysWOW64\tasklist.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x310000 |
| File size: | 79'360 bytes |
| MD5 hash: | 0A4448B31CE7F83CB7691A2657F330F1 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 30 |
| Start time: | 12:16:12 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\SysWOW64\findstr.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x530000 |
| File size: | 29'696 bytes |
| MD5 hash: | F1D4BE0E99EC734376FDE474A8D4EA3E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 31 |
| Start time: | 12:16:12 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\SysWOW64\tasklist.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x310000 |
| File size: | 79'360 bytes |
| MD5 hash: | 0A4448B31CE7F83CB7691A2657F330F1 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 32 |
| Start time: | 12:16:12 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\SysWOW64\findstr.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x530000 |
| File size: | 29'696 bytes |
| MD5 hash: | F1D4BE0E99EC734376FDE474A8D4EA3E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 33 |
| Start time: | 12:16:12 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x320000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 34 |
| Start time: | 12:16:12 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\SysWOW64\timeout.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x8e0000 |
| File size: | 25'088 bytes |
| MD5 hash: | 976566BEEFCCA4A159ECBDB2D4B1A3E3 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 35 |
| Start time: | 12:16:12 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x320000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 36 |
| Start time: | 12:16:12 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\SysWOW64\timeout.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x8e0000 |
| File size: | 25'088 bytes |
| MD5 hash: | 976566BEEFCCA4A159ECBDB2D4B1A3E3 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 37 |
| Start time: | 12:16:42 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\SysWOW64\tasklist.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x310000 |
| File size: | 79'360 bytes |
| MD5 hash: | 0A4448B31CE7F83CB7691A2657F330F1 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 38 |
| Start time: | 12:16:42 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\SysWOW64\findstr.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x530000 |
| File size: | 29'696 bytes |
| MD5 hash: | F1D4BE0E99EC734376FDE474A8D4EA3E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 39 |
| Start time: | 12:16:42 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\SysWOW64\tasklist.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x310000 |
| File size: | 79'360 bytes |
| MD5 hash: | 0A4448B31CE7F83CB7691A2657F330F1 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 40 |
| Start time: | 12:16:42 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\SysWOW64\findstr.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x530000 |
| File size: | 29'696 bytes |
| MD5 hash: | F1D4BE0E99EC734376FDE474A8D4EA3E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 41 |
| Start time: | 12:16:42 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x320000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 42 |
| Start time: | 12:16:42 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\SysWOW64\timeout.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x8e0000 |
| File size: | 25'088 bytes |
| MD5 hash: | 976566BEEFCCA4A159ECBDB2D4B1A3E3 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | false |
| Target ID: | 43 |
| Start time: | 12:16:42 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x320000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 44 |
| Start time: | 12:16:42 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\SysWOW64\timeout.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x8e0000 |
| File size: | 25'088 bytes |
| MD5 hash: | 976566BEEFCCA4A159ECBDB2D4B1A3E3 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | false |
Execution Graph
| Execution Coverage: | 5.4% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 3.2% |
| Total number of Nodes: | 1534 |
| Total number of Limit Nodes: | 49 |
Graph
Function 6D038080 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 274networkmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0495C5 Relevance: 6.1, APIs: 4, Instructions: 121threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D05E9FA Relevance: 54.5, APIs: 26, Strings: 5, Instructions: 278stringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D032110 Relevance: 16.7, APIs: 3, Strings: 6, Instructions: 927sleepprocessCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D03A760 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 216threadsynchronizationCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D19B9AD Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D05A7B1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25libraryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D05C4EE Relevance: 3.0, APIs: 2, Instructions: 32COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D05E09B Relevance: 1.6, APIs: 1, Instructions: 96COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D01A050 Relevance: 1.6, APIs: 1, Instructions: 79COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D19FE22 Relevance: 1.6, APIs: 1, Instructions: 59COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D199441 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D04329A Relevance: 1.5, APIs: 1, Instructions: 8COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D015460 Relevance: 1.3, APIs: 1, Instructions: 86sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D039650 Relevance: 1.3, APIs: 1, Instructions: 14sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D07B58F Relevance: 33.8, APIs: 22, Instructions: 845timeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D07A181 Relevance: 32.0, APIs: 15, Strings: 3, Instructions: 539windowtimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0644F7 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 189keyboardCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0660D1 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 42libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0C41AD Relevance: 12.1, APIs: 8, Instructions: 135clipboardwindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0882AF Relevance: 10.6, APIs: 7, Instructions: 138fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D05908D Relevance: 9.2, APIs: 6, Instructions: 229windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D1A61EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D04476E Relevance: 7.8, APIs: 5, Instructions: 266COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D189E80 Relevance: 6.5, APIs: 4, Instructions: 455COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D06305D Relevance: 6.1, APIs: 4, Instructions: 79windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D01FDE0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111encryptionCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D1A5D71 Relevance: 4.7, APIs: 3, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D04AF5B Relevance: 4.5, APIs: 3, Instructions: 33COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D04DC7F Relevance: 3.4, APIs: 2, Instructions: 404COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D192EE2 Relevance: 3.0, APIs: 2, Instructions: 44timeCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D05AD46 Relevance: 3.0, APIs: 2, Instructions: 33comCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D03B860 Relevance: 1.7, APIs: 1, Instructions: 201COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D186651 Relevance: 1.6, Strings: 1, Instructions: 333COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D1A6023 Relevance: 1.6, APIs: 1, Instructions: 83COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D1A6143 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D1A62F0 Relevance: 1.5, APIs: 1, Instructions: 48COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D04E94E Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D03ED00 Relevance: 1.4, Strings: 1, Instructions: 196COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D03F0B0 Relevance: 1.4, Strings: 1, Instructions: 121COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D011ED0 Relevance: 1.3, APIs: 1, Instructions: 89COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0126C0 Relevance: 1.3, APIs: 1, Instructions: 78COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0345C0 Relevance: .5, Instructions: 511COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D034F70 Relevance: .3, Instructions: 343COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D01F470 Relevance: .2, Instructions: 174COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D18A804 Relevance: .2, Instructions: 156COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D182BE0 Relevance: .1, Instructions: 76COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D05FA2F Relevance: 45.9, APIs: 25, Strings: 1, Instructions: 428windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0C2373 Relevance: 44.1, APIs: 24, Strings: 1, Instructions: 327fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D04050D Relevance: 42.0, APIs: 12, Strings: 12, Instructions: 43registryclipboardCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D07DF44 Relevance: 40.8, APIs: 27, Instructions: 324COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D04BD73 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 179windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D12F516 Relevance: 24.4, APIs: 16, Instructions: 395COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D064A9E Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 204timekeyboardCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D06614A Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 172libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D054BC8 Relevance: 22.8, APIs: 15, Instructions: 313windowkeyboardCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D07F275 Relevance: 22.8, APIs: 15, Instructions: 254timeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D059854 Relevance: 21.4, APIs: 14, Instructions: 439COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D07EE2B Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 347windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D05B302 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 171windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0F6FD3 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 131windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D04F542 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 118windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D05FF39 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 102windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D068003 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 389windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0BC84E Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 139memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D050148 Relevance: 15.5, APIs: 10, Instructions: 482COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0790CF Relevance: 15.2, APIs: 10, Instructions: 233COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D062A1E Relevance: 15.2, APIs: 10, Instructions: 212timeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0C4C94 Relevance: 15.2, APIs: 10, Instructions: 200COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D07CA75 Relevance: 15.2, APIs: 10, Instructions: 163timeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0519EC Relevance: 15.1, APIs: 10, Instructions: 137COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D064E20 Relevance: 15.1, APIs: 10, Instructions: 103COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D06277C Relevance: 15.1, APIs: 10, Instructions: 100timeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D049780 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 301windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D04122A Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 118libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0D9371 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 100sleepthreadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D04AA44 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 73libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D04ECA8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 65windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D06C6EA Relevance: 13.6, APIs: 9, Instructions: 67windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0C1978 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 261windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D04D88B Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 209libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D04D715 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 130libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D066606 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 49libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D077630 Relevance: 12.1, APIs: 8, Instructions: 129COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D07A952 Relevance: 12.1, APIs: 8, Instructions: 95COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D057DF4 Relevance: 12.1, APIs: 8, Instructions: 67windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D05EDF1 Relevance: 12.1, APIs: 8, Instructions: 65COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D058227 Relevance: 12.0, APIs: 8, Instructions: 49memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0636FF Relevance: 12.0, APIs: 8, Instructions: 34COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D046537 Relevance: 10.8, APIs: 7, Instructions: 347COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D19E355 Relevance: 10.8, APIs: 7, Instructions: 329COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D074515 Relevance: 10.6, APIs: 7, Instructions: 143COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0C71B5 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 137registryclipboardCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D05A0F8 Relevance: 10.6, APIs: 7, Instructions: 123COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D05B9DC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 119registryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D05B83B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102registryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0AF612 Relevance: 10.6, APIs: 7, Instructions: 85COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0C0F31 Relevance: 10.6, APIs: 7, Instructions: 79COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D05AE2D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 79registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0603C6 Relevance: 10.6, APIs: 7, Instructions: 66COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D04FA45 Relevance: 10.6, APIs: 7, Instructions: 65COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D04DB50 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 46libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D06673F Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D066A9A Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D06654F Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0664EA Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D066378 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D06648E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0667A4 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D066319 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0663DD Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 32libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D066439 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 30libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0665B4 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 29libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D066695 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 29libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0666EA Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 29libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D066A4F Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 27libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0636AD Relevance: 10.5, APIs: 7, Instructions: 25COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0719EA Relevance: 9.3, APIs: 6, Instructions: 333COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D19229E Relevance: 9.3, APIs: 6, Instructions: 295COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D063FED Relevance: 9.3, APIs: 6, Instructions: 295COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D039BD0 Relevance: 9.2, APIs: 6, Instructions: 240COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0741D6 Relevance: 9.2, APIs: 6, Instructions: 205COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D045B04 Relevance: 9.2, APIs: 6, Instructions: 195COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D05937F Relevance: 9.2, APIs: 6, Instructions: 191COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D08856A Relevance: 9.2, APIs: 6, Instructions: 177COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0710F6 Relevance: 9.2, APIs: 6, Instructions: 167windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0764D4 Relevance: 9.2, APIs: 6, Instructions: 156windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D05268D Relevance: 9.1, APIs: 6, Instructions: 145windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D048308 Relevance: 9.1, APIs: 6, Instructions: 140windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D06B853 Relevance: 9.1, APIs: 6, Instructions: 140memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0837CE Relevance: 9.1, APIs: 6, Instructions: 92windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D04B629 Relevance: 9.1, APIs: 6, Instructions: 86windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D056177 Relevance: 9.1, APIs: 6, Instructions: 85windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D05EEBD Relevance: 9.1, APIs: 6, Instructions: 84windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D048C8B Relevance: 9.1, APIs: 6, Instructions: 80windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D057520 Relevance: 9.1, APIs: 6, Instructions: 71COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0CEF45 Relevance: 9.1, APIs: 6, Instructions: 67COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D053773 Relevance: 9.1, APIs: 6, Instructions: 59COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D06033D Relevance: 9.0, APIs: 6, Instructions: 50COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0601E7 Relevance: 9.0, APIs: 6, Instructions: 48windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D04D360 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 118windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D079A0A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 87windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D066DDA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D18F93B Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D066803 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 37libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0669EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0668C7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D06692C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D066868 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D06698E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 33libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D075607 Relevance: 7.9, APIs: 5, Instructions: 357COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D07AE37 Relevance: 7.7, APIs: 5, Instructions: 227COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D051631 Relevance: 7.7, APIs: 5, Instructions: 159COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D07DE07 Relevance: 7.6, APIs: 5, Instructions: 120COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D06139F Relevance: 7.6, APIs: 5, Instructions: 116COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0777CB Relevance: 7.6, APIs: 5, Instructions: 113COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D078CD3 Relevance: 7.6, APIs: 5, Instructions: 102COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D04276F Relevance: 7.6, APIs: 5, Instructions: 90COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D04246D Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D07CE59 Relevance: 7.6, APIs: 5, Instructions: 86windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D07E770 Relevance: 7.6, APIs: 5, Instructions: 86COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D078E0C Relevance: 7.6, APIs: 5, Instructions: 81windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D04BC64 Relevance: 7.6, APIs: 5, Instructions: 81windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D048F96 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0463AE Relevance: 7.6, APIs: 5, Instructions: 70COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D053F3C Relevance: 7.6, APIs: 5, Instructions: 70windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D048DD1 Relevance: 7.6, APIs: 5, Instructions: 66windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D07C078 Relevance: 7.6, APIs: 5, Instructions: 65windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D056092 Relevance: 7.6, APIs: 5, Instructions: 63windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0655E4 Relevance: 7.6, APIs: 5, Instructions: 61memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D07684C Relevance: 7.6, APIs: 5, Instructions: 59COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D047969 Relevance: 7.6, APIs: 5, Instructions: 56windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0544F1 Relevance: 7.5, APIs: 5, Instructions: 47windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D044BAF Relevance: 7.5, APIs: 5, Instructions: 44windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D05C6CA Relevance: 7.5, APIs: 5, Instructions: 44COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D07380B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 96windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D04A392 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70registryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0604F9 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D05A68A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D05B7DC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D05A6FA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0B9D96 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D1A4093 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0C5869 Relevance: 6.4, APIs: 4, Instructions: 433COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D08023C Relevance: 6.2, APIs: 4, Instructions: 250windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D063D6B Relevance: 6.2, APIs: 4, Instructions: 228COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D07F596 Relevance: 6.2, APIs: 4, Instructions: 195COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0C4779 Relevance: 6.2, APIs: 4, Instructions: 177COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D1987C6 Relevance: 6.2, APIs: 4, Instructions: 168COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D04564A Relevance: 6.2, APIs: 4, Instructions: 158COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D045800 Relevance: 6.2, APIs: 4, Instructions: 151COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D1A056C Relevance: 6.1, APIs: 4, Instructions: 137COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D07E420 Relevance: 6.1, APIs: 4, Instructions: 130COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D031030 Relevance: 6.1, APIs: 4, Instructions: 119COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D07ACF8 Relevance: 6.1, APIs: 4, Instructions: 111windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D05DDF0 Relevance: 6.1, APIs: 4, Instructions: 108windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D04E96F Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0790DA Relevance: 6.1, APIs: 4, Instructions: 98COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D069E2F Relevance: 6.1, APIs: 4, Instructions: 96COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D06F64A Relevance: 6.1, APIs: 4, Instructions: 96windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0C9250 Relevance: 6.1, APIs: 4, Instructions: 96COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D14ABE9 Relevance: 6.1, APIs: 4, Instructions: 90COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0DC603 Relevance: 6.1, APIs: 4, Instructions: 86COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D047453 Relevance: 6.1, APIs: 4, Instructions: 86COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D07CC97 Relevance: 6.1, APIs: 4, Instructions: 81windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D044ABF Relevance: 6.1, APIs: 4, Instructions: 81COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D089684 Relevance: 6.1, APIs: 4, Instructions: 81COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D190997 Relevance: 6.1, APIs: 4, Instructions: 75COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D07D443 Relevance: 6.1, APIs: 4, Instructions: 74windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D07CD93 Relevance: 6.1, APIs: 4, Instructions: 64windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D069FEA Relevance: 6.1, APIs: 4, Instructions: 63COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D06B6AD Relevance: 6.1, APIs: 4, Instructions: 63COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D04EFC2 Relevance: 6.1, APIs: 4, Instructions: 62windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0522F6 Relevance: 6.1, APIs: 4, Instructions: 60COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D04EC1E Relevance: 6.1, APIs: 4, Instructions: 56COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D055508 Relevance: 6.1, APIs: 4, Instructions: 55fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D18F5F9 Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D046FB7 Relevance: 6.1, APIs: 4, Instructions: 52windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D047048 Relevance: 6.1, APIs: 4, Instructions: 52windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D074490 Relevance: 6.0, APIs: 4, Instructions: 48COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D041872 Relevance: 6.0, APIs: 4, Instructions: 48windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D042380 Relevance: 6.0, APIs: 4, Instructions: 47COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D04EEAE Relevance: 6.0, APIs: 4, Instructions: 46COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D04EE37 Relevance: 6.0, APIs: 4, Instructions: 45COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D05C00E Relevance: 6.0, APIs: 4, Instructions: 41windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D19FF6D Relevance: 6.0, APIs: 4, Instructions: 27COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D19FED5 Relevance: 6.0, APIs: 4, Instructions: 27COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D182201 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D179F31 Relevance: 6.0, APIs: 4, Instructions: 25COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D1A0005 Relevance: 6.0, APIs: 4, Instructions: 23COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D19FF27 Relevance: 6.0, APIs: 4, Instructions: 23COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D19FFBF Relevance: 6.0, APIs: 4, Instructions: 23COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D1A5189 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0BE360 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121registryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D05862E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D05AC36 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83registryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D05F482 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D04FAED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32threadCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D04AD2B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20windowtimeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0634A0 Relevance: 5.0, APIs: 4, Instructions: 37COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0656D6 Relevance: 5.0, APIs: 4, Instructions: 36COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|