Edit tour
Windows
Analysis Report
nikDoCvpJa.exe
Overview
General Information
| Sample name: | nikDoCvpJa.exerenamed because original name is a hash value |
| Original sample name: | d2729f574a3ba69a10c00a5992986226.exe |
| Analysis ID: | 1578615 |
| MD5: | d2729f574a3ba69a10c00a5992986226 |
| SHA1: | 827b50066bf4509c1f293f2e2170b86070f3bcd6 |
| SHA256: | 2027658fe07e8ef66d192bf1697cf0d9e91f9813ded69da4408747fb3724b3ec |
| Tags: | exeRATRemcosRATuser-abuse_ch |
| Infos: |   |
 | |
Detection
Remcos
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
AI detected suspicious sample
Drops PE files with a suspicious file extension
Found API chain indicative of sandbox detection
Installs a global keyboard hook
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: WScript or CScript Dropper
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript called in batch mode (surpress errors)
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
nikDoCvpJa.exe (PID: 5252 cmdline: "C:\Users\ user\Deskt op\nikDoCv pJa.exe" MD5: D2729F574A3BA69A10C00A5992986226) 
cmd.exe (PID: 5572 cmdline: "C:\Window s\System32 \cmd.exe" /c copy Ca b Cab.cmd & Cab.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 6464 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
tasklist.exe (PID: 380 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1) - findstr.exe (PID: 1096 cmdline:
findstr /I "opssvc w rsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - tasklist.exe (PID: 1732 cmdline:
tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1) - findstr.exe (PID: 2748 cmdline:
findstr "A vastUI AVG UI bdservi cehost nsW scSvc ekrn SophosHea lth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - cmd.exe (PID: 1516 cmdline:
cmd /c md 638933 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - findstr.exe (PID: 1576 cmdline:
findstr /V "Chosen" Bugs MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - cmd.exe (PID: 1784 cmdline:
cmd /c cop y /b ..\Wi chita + .. \Sign + .. \Idol + .. \Lauren + ..\Rice + ..\Bold + ..\Loops + ..\Shore + ..\Marie g MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) 
Beth.com (PID: 6976 cmdline: Beth.com g MD5: 62D09F076E6E0240548C2F837536A46A) - cmd.exe (PID: 7108 cmdline:
cmd /c sch tasks.exe /create /t n "Config" /tr "wscr ipt //B 'C :\Users\us er\AppData \Local\Sec ureScope D ynamics\Cy berScope.j s'" /sc mi nute /mo 5 /F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 5640 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - schtasks.exe (PID: 2300 cmdline:
schtasks.e xe /create /tn "Conf ig" /tr "w script //B 'C:\Users \user\AppD ata\Local\ SecureScop e Dynamics \CyberScop e.js'" /sc minute /m o 5 /F MD5: 48C2FE20575769DE916F48EF0676A965) - cmd.exe (PID: 7140 cmdline:
cmd /k ech o [Interne tShortcut] > "C:\Use rs\user\Ap pData\Roam ing\Micros oft\Window s\Start Me nu\Program s\Startup\ CyberScope .url" & ec ho URL="C: \Users\use r\AppData\ Local\Secu reScope Dy namics\Cyb erScope.js " >> "C:\U sers\user\ AppData\Ro aming\Micr osoft\Wind ows\Start Menu\Progr ams\Startu p\CyberSco pe.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 5428 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - choice.exe (PID: 7156 cmdline:
choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
wscript.exe (PID: 1436 cmdline: C:\Windows \system32\ wscript.EX E //B "C:\ Users\user \AppData\L ocal\Secur eScope Dyn amics\Cybe rScope.js" MD5: A47CBE969EA935BDD3AB568BB126BC80) - CyberScope.com (PID: 5776 cmdline:
"C:\Users\ user\AppDa ta\Local\S ecureScope Dynamics\ CyberScope .com" "C:\ Users\user \AppData\L ocal\Secur eScope Dyn amics\r" MD5: 62D09F076E6E0240548C2F837536A46A)
- wscript.exe (PID: 4616 cmdline:
"C:\Window s\System32 \WScript.e xe" "C:\Us ers\user\A ppData\Loc al\SecureS cope Dynam ics\CyberS cope.js" MD5: A47CBE969EA935BDD3AB568BB126BC80) - CyberScope.com (PID: 3788 cmdline:
"C:\Users\ user\AppDa ta\Local\S ecureScope Dynamics\ CyberScope .com" "C:\ Users\user \AppData\L ocal\Secur eScope Dyn amics\r" MD5: 62D09F076E6E0240548C2F837536A46A)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Remcos, RemcosRAT | Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity. |
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: | ||
| Source: | Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Michael Haag: | ||
Data Obfuscation | |
|---|
| Source: | Author: Joe Security: | ||
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Author: Joe Security: | ||
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-19T23:42:58.468620+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49804 | 181.131.217.244 | 3021 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-19T23:42:59.740248+0100 | 2032777 | 1 | Malware Command and Control Activity Detected | 181.131.217.244 | 3021 | 192.168.2.5 | 49804 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-19T23:43:01.524052+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.5 | 49810 | 178.237.33.50 | 80 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | ReversingLabs: | ||
| Source: | File source: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00406301 | |
| Source: | Code function: | 0_2_00406CC7 | |
| Source: | Code function: | 19_2_0020A087 | |
| Source: | Code function: | 19_2_0020A1E2 | |
| Source: | Code function: | 19_2_001FE472 | |
| Source: | Code function: | 19_2_0020A570 | |
| Source: | Code function: | 19_2_001CC622 | |
| Source: | Code function: | 19_2_002066DC | |
| Source: | Code function: | 19_2_00207333 | |
| Source: | Code function: | 19_2_002073D4 | |
| Source: | Code function: | 19_2_001FD921 | |
| Source: | Code function: | 19_2_001FDC54 | |
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | TCP traffic: | ||
| Source: | HTTP traffic detected: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | Suricata IDS: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 19_2_0020D889 | |
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
Key, Mouse, Clipboard, Microphone and Screen Capturing | |
|---|
| Source: | Windows user hook set: | Jump to behavior | ||
| Source: | Code function: | 0_2_004050F9 | |
| Source: | Code function: | 19_2_0020F7C7 | |
| Source: | Code function: | 19_2_0020F55C | |
| Source: | Code function: | 0_2_004044D1 | |
| Source: | Code function: | 19_2_00229FD2 | |
E-Banking Fraud | |
|---|
| Source: | File source: | ||
System Summary | |
|---|
| Source: | COM Object queried: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | Process Stats: | ||
| Source: | Code function: | 19_2_00204763 | |
| Source: | Code function: | 19_2_001F1B4D | |
| Source: | Code function: | 0_2_004038AF | |
| Source: | Code function: | 19_2_001FF20D | |
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Code function: | 0_2_0040737E | |
| Source: | Code function: | 0_2_00406EFE | |
| Source: | Code function: | 0_2_004079A2 | |
| Source: | Code function: | 0_2_004049A8 | |
| Source: | Code function: | 19_2_001B8017 | |
| Source: | Code function: | 19_2_001AE144 | |
| Source: | Code function: | 19_2_0019E1F0 | |
| Source: | Code function: | 19_2_001CA26E | |
| Source: | Code function: | 19_2_001922AD | |
| Source: | Code function: | 19_2_001B22A2 | |
| Source: | Code function: | 19_2_001AC624 | |
| Source: | Code function: | 19_2_001CE87F | |
| Source: | Code function: | 19_2_0021C8A4 | |
| Source: | Code function: | 19_2_00202A05 | |
| Source: | Code function: | 19_2_001C6ADE | |
| Source: | Code function: | 19_2_001F8BFF | |
| Source: | Code function: | 19_2_001ACD7A | |
| Source: | Code function: | 19_2_001BCE10 | |
| Source: | Code function: | 19_2_001C7159 | |
| Source: | Code function: | 19_2_00199240 | |
| Source: | Code function: | 19_2_00225311 | |
| Source: | Code function: | 19_2_001996E0 | |
| Source: | Code function: | 19_2_001B1704 | |
| Source: | Code function: | 19_2_001B1A76 | |
| Source: | Code function: | 19_2_00199B60 | |
| Source: | Code function: | 19_2_001B7B8B | |
| Source: | Code function: | 19_2_001B1D20 | |
| Source: | Code function: | 19_2_001B7DBA | |
| Source: | Code function: | 19_2_001B1FE7 | |
| Source: | Dropped File: | ||
| Source: | Dropped File: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 19_2_002041FA | |
| Source: | Code function: | 19_2_001F2010 | |
| Source: | Code function: | 19_2_001F1A0B | |
| Source: | Code function: | 0_2_004044D1 | |
| Source: | Code function: | 19_2_001FDD87 | |
| Source: | Code function: | 0_2_004024FB | |
| Source: | Code function: | 19_2_00203A0E | |
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | Window detected: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00406328 | |
| Source: | Static PE information: | ||
| Source: | Code function: | 19_2_001E0318 | |
| Source: | Code function: | 19_2_001B0DF9 | |
Persistence and Installation Behavior | |
|---|
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
Boot Survival | |
|---|
| Source: | Process created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Code function: | 19_2_002226DD | |
| Source: | Code function: | 19_2_001AFC7C | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | Sandbox detection routine: | graph_19-105252 | ||
| Source: | Window found: | Jump to behavior | ||
| Source: | Window found: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | API coverage: | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Code function: | 0_2_00406301 | |
| Source: | Code function: | 0_2_00406CC7 | |
| Source: | Code function: | 19_2_0020A087 | |
| Source: | Code function: | 19_2_0020A1E2 | |
| Source: | Code function: | 19_2_001FE472 | |
| Source: | Code function: | 19_2_0020A570 | |
| Source: | Code function: | 19_2_001CC622 | |
| Source: | Code function: | 19_2_002066DC | |
| Source: | Code function: | 19_2_00207333 | |
| Source: | Code function: | 19_2_002073D4 | |
| Source: | Code function: | 19_2_001FD921 | |
| Source: | Code function: | 19_2_001FDC54 | |
| Source: | Code function: | 19_2_00195FC8 | |
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 19_2_0020F4FF | |
| Source: | Code function: | 19_2_0019338B | |
| Source: | Code function: | 0_2_00406328 | |
| Source: | Code function: | 19_2_001B5058 | |
| Source: | Code function: | 19_2_001F20AA | |
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Code function: | 19_2_001C2992 | |
| Source: | Code function: | 19_2_001B0BAF | |
| Source: | Code function: | 19_2_001B0D45 | |
| Source: | Code function: | 19_2_001B0F91 | |
| Source: | Code function: | 19_2_001F1B4D | |
| Source: | Code function: | 19_2_0019338B | |
| Source: | Code function: | 19_2_001FBBED | |
| Source: | Code function: | 19_2_001FEC6C | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 19_2_001F14AE | |
| Source: | Code function: | 19_2_001F1FB0 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 19_2_001B0A08 | |
| Source: | Code function: | 19_2_001EE5F4 | |
| Source: | Code function: | 19_2_001EE652 | |
| Source: | Code function: | 19_2_001CBCD2 | |
| Source: | Code function: | 0_2_00406831 | |
| Source: | Key value queried: | Jump to behavior | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | Code function: | 19_2_00212263 | |
| Source: | Code function: | 19_2_00211C61 | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | 11 Scripting | 2 Valid Accounts | 1 Windows Management Instrumentation | 11 Scripting | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 121 Input Capture | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 121 Input Capture | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 1 Command and Scripting Interpreter | 2 Valid Accounts | 2 Valid Accounts | 2 Obfuscated Files or Information | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 21 Access Token Manipulation | 1 Software Packing | NTDS | 17 System Information Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | 2 Registry Run Keys / Startup Folder | 12 Process Injection | 1 DLL Side-Loading | LSA Secrets | 12 Security Software Discovery | SSH | Keylogging | 2 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 1 Scheduled Task/Job | 111 Masquerading | Cached Domain Credentials | 11 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | 2 Registry Run Keys / Startup Folder | 2 Valid Accounts | DCSync | 4 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 11 Virtualization/Sandbox Evasion | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 21 Access Token Manipulation | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 12 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 26% | ReversingLabs |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | ReversingLabs | |||
| 0% | ReversingLabs |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| navegacionseguracol24vip.org | 181.131.217.244 | true | false | high | |
| geoplugin.net | 178.237.33.50 | true | false | high | |
| wnBHxhzUAWNxsjrpdZtUkwTu.wnBHxhzUAWNxsjrpdZtUkwTu | unknown | unknown | true | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 181.131.217.244 | navegacionseguracol24vip.org | Colombia | 13489 | EPMTelecomunicacionesSAESPCO | false | |
| 178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1578615 |
| Start date and time: | 2024-12-19 23:41:07 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 7m 33s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 24 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | nikDoCvpJa.exerenamed because original name is a hash value |
| Original Sample Name: | d2729f574a3ba69a10c00a5992986226.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.expl.evad.winEXE@36/29@3/2 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.12.23.50
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size exceeded maximum capacity and may have missing disassembly code.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtSetInformationFile calls found.
- VT rate limit hit for: nikDoCvpJa.exe
| Time | Type | Description |
|---|---|---|
| 17:42:04 | API Interceptor | |
| 17:42:46 | API Interceptor | |
| 23:42:10 | Task Scheduler | |
| 23:42:12 | Autostart |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 181.131.217.244 | Get hash | malicious | Remcos | Browse | ||
| Get hash | malicious | Remcos | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Remcos | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Remcos | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Remcos | Browse | |||
| Get hash | malicious | Remcos | Browse | |||
| Get hash | malicious | Remcos | Browse | |||
| 178.237.33.50 | Get hash | malicious | Remcos | Browse |
| |
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos, DBatLoader | Browse |
| ||
| Get hash | malicious | Cobalt Strike, Remcos, DBatLoader | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos, GuLoader | Browse |
| ||
| Get hash | malicious | Remcos, GuLoader | Browse |
| ||
| Get hash | malicious | Remcos, GuLoader | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| navegacionseguracol24vip.org | Get hash | malicious | Remcos | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| geoplugin.net | Get hash | malicious | Remcos | Browse |
| |
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos, DBatLoader | Browse |
| ||
| Get hash | malicious | Cobalt Strike, Remcos, DBatLoader | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos, GuLoader | Browse |
| ||
| Get hash | malicious | Remcos, GuLoader | Browse |
| ||
| Get hash | malicious | Remcos, GuLoader | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| EPMTelecomunicacionesSAESPCO | Get hash | malicious | Mirai, Okiru | Browse |
| |
| Get hash | malicious | Mirai, Okiru | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Mirai, Okiru | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Mirai, Okiru | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| ATOM86-ASATOM86NL | Get hash | malicious | Remcos | Browse |
| |
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos, DBatLoader | Browse |
| ||
| Get hash | malicious | Cobalt Strike, Remcos, DBatLoader | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos, GuLoader | Browse |
| ||
| Get hash | malicious | Remcos, GuLoader | Browse |
| ||
| Get hash | malicious | Remcos, GuLoader | Browse |
|
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| C:\Users\user\AppData\Local\SecureScope Dynamics\CyberScope.com | Get hash | malicious | RHADAMANTHYS | Browse | ||
| Get hash | malicious | RHADAMANTHYS | Browse | |||
| Get hash | malicious | RHADAMANTHYS | Browse | |||
| Get hash | malicious | RHADAMANTHYS | Browse | |||
| Get hash | malicious | Vidar | Browse | |||
| Get hash | malicious | Vidar | Browse | |||
| Get hash | malicious | LummaC Stealer | Browse | |||
| Get hash | malicious | LummaC Stealer | Browse | |||
| Get hash | malicious | LummaC Stealer | Browse | |||
| Get hash | malicious | Vidar | Browse | |||
| C:\Users\user\AppData\Local\Temp\638933\Beth.com | Get hash | malicious | RHADAMANTHYS | Browse | ||
| Get hash | malicious | RHADAMANTHYS | Browse | |||
| Get hash | malicious | RHADAMANTHYS | Browse | |||
| Get hash | malicious | RHADAMANTHYS | Browse | |||
| Get hash | malicious | Vidar | Browse | |||
| Get hash | malicious | Vidar | Browse | |||
| Get hash | malicious | LummaC Stealer | Browse | |||
| Get hash | malicious | LummaC Stealer | Browse | |||
| Get hash | malicious | LummaC Stealer | Browse | |||
| Get hash | malicious | Vidar | Browse |
| Process: | C:\Users\user\AppData\Local\Temp\638933\Beth.com |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 184 |
| Entropy (8bit): | 3.375175391562378 |
| Encrypted: | false |
| SSDEEP: | 3:rhlKlyKHlfUlWJF+rQ55JWRal2Jl+7R0DAlBG4phlKlyKHlfUlWJF+mPQblovDlA:6lZHl8RE55YcIeeDAlMlZHl8RPbWAv |
| MD5: | 476F1747F69532F4F7BA0AE5031CB0F7 |
| SHA1: | E1E94D75DA26286D1D4859222F34F4D32155426B |
| SHA-256: | D828C3C97B1E576A022F5A47700D30A8720B8D370421188044D9E9EB19728CF5 |
| SHA-512: | BCE05D0307D9DC394E08D055BD26C91843AF3359F6D49B96C7A785F8BF5BBBF08DBBB4E486C7AD0551CCB65987A06486853A6C43C80D9F048A3BDC26D5187818 |
| Malicious: | true |
| Yara Hits: |
|
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\638933\Beth.com |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 963 |
| Entropy (8bit): | 5.018384957371898 |
| Encrypted: | false |
| SSDEEP: | 12:tkluWJmnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zz2:qlupdRNuKyGX85jvXhNlT3/7CcVKWro |
| MD5: | C9BB4D5FD5C8A01D20EBF8334B62AE54 |
| SHA1: | D38895F4CBB44CB10B6512A19034F14A2FC40359 |
| SHA-256: | 767218EC255B7E851971A77B773C0ECC59DC0B179ECA46ABCC29047EEE6216AA |
| SHA-512: | 2D412433053610C0229FB3B73A26C8FB684F0A4AB03A53D0533FDC52D4E9882C25037015ACE7D4A411214AA9FAA780A8D950A83B57B200A877E26D7890977157 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\638933\Beth.com |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 947288 |
| Entropy (8bit): | 6.630612696399572 |
| Encrypted: | false |
| SSDEEP: | 24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK |
| MD5: | 62D09F076E6E0240548C2F837536A46A |
| SHA1: | 26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2 |
| SHA-256: | 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49 |
| SHA-512: | 32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F |
| Malicious: | true |
| Antivirus: |
|
| Joe Sandbox View: |
|
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\638933\Beth.com |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 181 |
| Entropy (8bit): | 4.638378348159726 |
| Encrypted: | false |
| SSDEEP: | 3:RiMIpGXIdPHo55wWAX+aJp6/h4EkD52AGqdecwI2qL4Gf5uWAX+aJp6/h4EkD528:RiJBJHonwWDaJ0/hJkDd4c9H4GfwWDap |
| MD5: | DD338F0FA02C4DFF5AB20F483E22E4D0 |
| SHA1: | F5EBA73BC4A348EB8FDFC05F4B25FDCAC4CB52C3 |
| SHA-256: | 6B272AE9749A6BE3BB7FC8A0C99B43EBB4B94444A1758120763587FF7FA5F704 |
| SHA-512: | EDBCC169D87C71F50252E5355F220416007BA34997C7986CD1B6FDDA473FA56DE2A98638ABFDBB311886AF2C4D3A7B48F4C1A8A542B6E7438B4459E21C09F5D8 |
| Malicious: | true |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\638933\Beth.com |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 704760 |
| Entropy (8bit): | 7.999709425894182 |
| Encrypted: | true |
| SSDEEP: | 12288:t5LTwLcScZ0OkRjdOctZcUs15SLkVczFWAAQo8B5TfzcjHmpuciLSprWJ1sS:DwLczZ0OIdOctE1SkiKQoiLcr4sLarI |
| MD5: | 113965F1186BD15CDA1811E65B6E617E |
| SHA1: | 92257A886927D514AA62A33DE95EAFCBF47B4E73 |
| SHA-256: | 484A1F01CA5B64ED9804F008C681621E546A2DB7481D182C77DDD33543B933E7 |
| SHA-512: | FE24FDCD84EB35EAFFE507E7BD1D8D36014DB9067144F0308810770CB06DBBF0D0F8919EF57B8DD2703412F398EA85D1BCF47C3CCD0D03ED224495A992B6D55C |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\cmd.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 947288 |
| Entropy (8bit): | 6.630612696399572 |
| Encrypted: | false |
| SSDEEP: | 24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK |
| MD5: | 62D09F076E6E0240548C2F837536A46A |
| SHA1: | 26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2 |
| SHA-256: | 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49 |
| SHA-512: | 32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F |
| Malicious: | true |
| Antivirus: |
|
| Joe Sandbox View: |
|
| Preview: |
| Process: | C:\Windows\SysWOW64\cmd.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 704760 |
| Entropy (8bit): | 7.999709425894182 |
| Encrypted: | true |
| SSDEEP: | 12288:t5LTwLcScZ0OkRjdOctZcUs15SLkVczFWAAQo8B5TfzcjHmpuciLSprWJ1sS:DwLczZ0OIdOctE1SkiKQoiLcr4sLarI |
| MD5: | 113965F1186BD15CDA1811E65B6E617E |
| SHA1: | 92257A886927D514AA62A33DE95EAFCBF47B4E73 |
| SHA-256: | 484A1F01CA5B64ED9804F008C681621E546A2DB7481D182C77DDD33543B933E7 |
| SHA-512: | FE24FDCD84EB35EAFFE507E7BD1D8D36014DB9067144F0308810770CB06DBBF0D0F8919EF57B8DD2703412F398EA85D1BCF47C3CCD0D03ED224495A992B6D55C |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\nikDoCvpJa.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 62464 |
| Entropy (8bit): | 7.997298797317556 |
| Encrypted: | true |
| SSDEEP: | 1536:wzzclvuRytW/vqWUdgGeRiE4skenrby1m1gBJk9X3QeqXQAfD7z:SygqyvggNMlFobMm1u2XlqAAPz |
| MD5: | 154FCC1926F23A7CC005231522018EF9 |
| SHA1: | 3E661EB13B7C61E3E4880CA3EBDA7883106C5F83 |
| SHA-256: | C6B562B5D0241C9823116ECF30FF42D3E764755264E26FE32445C4DFB346A6BA |
| SHA-512: | DF382B9255344006A98042FAD3BDB3C6DC6D729CCD8AF28005623CA9F15FFE18F0697E2DB31D652301919B17C6411EF608D4CDCF5A637A1DF96C27C597D85A4C |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\nikDoCvpJa.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 228 |
| Entropy (8bit): | 4.818005131696724 |
| Encrypted: | false |
| SSDEEP: | 3:wWUqt/vllpfrYZcFTS9gXeF+X32ZpfW6MZCt7HINqCXjPYLEzClS6ufXCZNF:IqjvVg3F+X32+hZCt7HSbYwClS6CSNF |
| MD5: | FCDE92646FF6C8858C7D14C72C9BF637 |
| SHA1: | 6035E678601D7EE7889E7B2B8F08D6C0F0FCC853 |
| SHA-256: | 7BEF0873884ECEE61479FA19C16B8BE130F8F3A6632E7DB21F64EAA29D1396D3 |
| SHA-512: | D3654CC54B2FAC9320D582C0FEC712F1BA4CF28638DF4308A9EE530EF7F8A65F4E1B0924526A237787DCF49F25F5478285390B1DEC14991031CB76297F1072D8 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\nikDoCvpJa.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 24126 |
| Entropy (8bit): | 5.086735322226342 |
| Encrypted: | false |
| SSDEEP: | 384:MpflhioW9H63AbNLqivmNXvciF90p8hagNneJC5M3vtvGHXyQJm/EwaW0zG:8hoxEAbNOivqagNneQ5M3vtUXyj/QG |
| MD5: | 84506D06B109D7D9DC0839143B36C73D |
| SHA1: | 434AD989DF76562BF96E5D496E118BE25954812E |
| SHA-256: | 76EB7F16F100D734613B4C0DD65A8DA8687E483FC70AE22F8D3A098E5D4E310E |
| SHA-512: | 56D0D301ECC17C5D412A26DD54520A51033C00B63AAE5B191A7666E007C73AB1B473DEA7C154CC9D05D570D008ABD39F5B3B720DE36F576DEC408C8ECECC5835 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\cmd.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 24126 |
| Entropy (8bit): | 5.086735322226342 |
| Encrypted: | false |
| SSDEEP: | 384:MpflhioW9H63AbNLqivmNXvciF90p8hagNneJC5M3vtvGHXyQJm/EwaW0zG:8hoxEAbNOivqagNneQ5M3vtUXyj/QG |
| MD5: | 84506D06B109D7D9DC0839143B36C73D |
| SHA1: | 434AD989DF76562BF96E5D496E118BE25954812E |
| SHA-256: | 76EB7F16F100D734613B4C0DD65A8DA8687E483FC70AE22F8D3A098E5D4E310E |
| SHA-512: | 56D0D301ECC17C5D412A26DD54520A51033C00B63AAE5B191A7666E007C73AB1B473DEA7C154CC9D05D570D008ABD39F5B3B720DE36F576DEC408C8ECECC5835 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\nikDoCvpJa.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 129914 |
| Entropy (8bit): | 6.087421720563181 |
| Encrypted: | false |
| SSDEEP: | 3072:HhxjgarB/5elDWy4ZNoGmROL7F1G7ho2kOb:3garZ8aBZ2GmRq76tl |
| MD5: | 11BD51FA971C1276ECAE00673DD837E5 |
| SHA1: | 7AC636664AE40E11320ADDC09C9B8B0CE7DA4207 |
| SHA-256: | A8D4115CC3CF5F812B7EE9EA1C8E470A43405A5FE2760F691DE1176FAD08752E |
| SHA-512: | 8CEEBE937A987EAE6996E7A01B7BCCCD0E54D09B89A964546A39E294082FF000F2C81B25D75B71F5695A1E5618558E531B7F454C091E7945D5B5A6085DA4A643 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\nikDoCvpJa.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 87040 |
| Entropy (8bit): | 6.693519362474099 |
| Encrypted: | false |
| SSDEEP: | 1536:zxWboHdMJ3RraSXL21rKoUn9r5C03Eq30BcrTrhCX4aVmoJiKwtk2ukC5HRus:zxrHSBRtNPnj0nEoXnmowS2u5hL |
| MD5: | 1A36E317EBEB7F01F600E97F5EB12B30 |
| SHA1: | A1D60DD976D7329D5B92836DDF320FDF1133E453 |
| SHA-256: | 6613609608CC9B0E060B04A697C81AD869F247DBDD8BDFDDF73A9E866CADF3CB |
| SHA-512: | 0F219D07D39A903ED346D43E21D5291D3A62AC6309CA5C6CB3CAEA5F2A698CF051BD047E02D26B012B32FFCDD6764F68089C8F43835B52F4E88F279C20EA0CE2 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\nikDoCvpJa.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 115712 |
| Entropy (8bit): | 6.6355886862153035 |
| Encrypted: | false |
| SSDEEP: | 3072:i0Imbi80PtCZEMnVIPPBxT/sZydTmRxlHS3h:nbfSCOMVIPPL/sZ7HS3h |
| MD5: | 026A05DA4CA3559CCBEE96E3E5A0FC27 |
| SHA1: | 4B7A00966C781F275FC28D22A5EF2A1EF225138C |
| SHA-256: | 189664F109F51F6EABE4EADF261AB21AC5EE4C28387BD931BD49501C46973F8C |
| SHA-512: | AB54B3FA23A6D9CCA3F13E42F721FC207C719FF9FABA3E067FF2AC02715666793677EB5C616DB0C57040055980CC3E653B63064E2240BA874EA2C5495C50AAF6 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\nikDoCvpJa.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 137216 |
| Entropy (8bit): | 6.597272684213896 |
| Encrypted: | false |
| SSDEEP: | 3072:BOoQ7t8T6pUkBJR8CThpmESv+AqVnBypIbv18mLthfhnueoMmOqDoioc:Q6AUkB0CThp6vmVnjphfhnvc |
| MD5: | 359BCA215485F8DF98B4E0687A0B3BDE |
| SHA1: | 4122AE38AE0A27F7DD4EE2CB0B9CCF38BE3C8524 |
| SHA-256: | F8F4061410EAB9A0BA5D7577BDBE74098695E0E43E8F8DF5341D742671B1B6FA |
| SHA-512: | B2FF85F671C89DA192B9389284AF416AAA3A963ADFF920DC9E88A6E5B6A60A720A14E2F08BC3E1B691CC9597A788142DA19171C181826CF34586297F0F4BEDF8 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\nikDoCvpJa.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 84992 |
| Entropy (8bit): | 7.997717624907673 |
| Encrypted: | true |
| SSDEEP: | 1536:oeZhZDhvieZIr3jv1iG5cRYuQOaDenYpLWLidgk/yPQR7mKv5ftT:BhZ0o4TdiktuQzoNudIoR7mKhfJ |
| MD5: | 664CFA35657A413AEF85CC6F643235C6 |
| SHA1: | 316B5C4F887D4F7A69499D73171308B9EEEEC7E2 |
| SHA-256: | B60CAC283C1F1C121E35D03B9CBF1A79CE754EFA7C1B1AABBF6F70980DDA1D61 |
| SHA-512: | 649FEA55BDC2D395B317248C2C30E3276AC6C0CE716E5F842335016CAF23338E19A70682B6440D54B7EB4393FF6CC22182850FD98B4CE86C351E76F20463F1ED |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\nikDoCvpJa.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 59392 |
| Entropy (8bit): | 7.997024505313728 |
| Encrypted: | true |
| SSDEEP: | 1536:wkCx/8+LKvddel4fFQjn4qlRqyh2rF7bn4sbNG77PfDCF:wkjdNQjuycrVbn4spK7Pf2F |
| MD5: | 2A452FE74151932E5E599994D7C70239 |
| SHA1: | 0F3370406BD21AF1D26C73C0D8CF5B10C64AFC29 |
| SHA-256: | 00A70934B7F5F308E923560D9E16FFDDDCC115DF336A3998EECA01B7097905F7 |
| SHA-512: | 488CE3472485071AC846835F2252E83CD082474BF4D4E7DB1800CEFAC3C67D9A32A8B3C4A9AB6A7A2C081CC6C9F3C8D09FC8656C4D9845296C1F8C659B59D160 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\nikDoCvpJa.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 58368 |
| Entropy (8bit): | 7.996743277226256 |
| Encrypted: | true |
| SSDEEP: | 1536:eQ2Bl1h0EETOfae6Y40x6YHu3a+vqX88xB:efzw4qJYoC88xB |
| MD5: | 5055EE8CB0DA98C3C39E96C4A4088C0D |
| SHA1: | 60C6BA91201B7813F674F955CC51AE684A51838F |
| SHA-256: | 221C670740C26CAC8EEFA85DDB50D9314935B5CB63C857F520EC18053C53DD31 |
| SHA-512: | D73A72BFA3170D435543F8D23794CF674A5D0475701098B756362EBFECF8DC840B1782311B21FBA48E398B61B8D8E2C2E3CA1E8E4FA958C83FB319A56806FCEC |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\nikDoCvpJa.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 91384 |
| Entropy (8bit): | 7.998111616463107 |
| Encrypted: | true |
| SSDEEP: | 1536:ymd7XKNgmUd//3s7yYTe5h0GG09Q0XKI1fxGvM3PI6fsfzlwpTgY+IhhyBgKoPVz:lqgmUF/cmiefHXKItkmPfsfzWpU6qgdF |
| MD5: | C71881C4532C63EFFD02808F037DE211 |
| SHA1: | 097283DC3BF33937A2BDB348791070E24E132525 |
| SHA-256: | 9175D28F49BF4CDD5F91FEF049387C8B2D1D4F90F528F75CAC67731F0E6E4A77 |
| SHA-512: | A4EF200E4EA6D119DFAE7C163629B5FFC72364AE4CB2546665A93D00B37F27206903FCA87CE4467648C8EA010AB0249D5197A10D17528E33C33CA91CCD827970 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\nikDoCvpJa.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 125952 |
| Entropy (8bit): | 5.536176418145287 |
| Encrypted: | false |
| SSDEEP: | 768:FKPDvFQC7Vkr5M4INduPbOU7aI4kCD9vmPukxhSaAwuXc/mex/SGKAGWRqA60dTd:F8QuklMBNIimuzaAwusPdKaj6iTcPAs4 |
| MD5: | 559D4F0DEA25FE10E552C77F2E1B716C |
| SHA1: | 9A67E889666472700D71E783F8E85794D3A9945D |
| SHA-256: | 656587B8CA8C26785B3B59059DC1E3373A1A9BF2B6E253EA8A04C5263E7511C1 |
| SHA-512: | 859A4B6EF35F5535C8A0F9B3A26E715668FDD626B953DA3A6E0044DBD1012B23EF420CF204C3812710B96EC216C444A269929953ABCF9A2C883BA06F239A6C3E |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\nikDoCvpJa.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 82944 |
| Entropy (8bit): | 6.681948730926329 |
| Encrypted: | false |
| SSDEEP: | 1536:f/UXT6TvY464qvI932eOypvcLSDOSpZ+Sh+I+FrbCyI7P4Cp:fgF4qv+32eOyKODOSpQSAU4Cp |
| MD5: | 48D977581D70B4D8EB274100C5C7AB0B |
| SHA1: | 8E007EE20BB4E9154F65516DAD309D773054CD3D |
| SHA-256: | CD4A445BDEBD3B5CF3425306F0DB7FC8F88FC09116FA725101AFE66B9C3E3B53 |
| SHA-512: | 3B97B910D03ACC43823B1D959F06054A96F97561FE0FCBA0900ED2D998D928CA64A8EDBD04078D438A11B9195EBDAEB6711ABBC140EB66187B37B5596875F2F0 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\nikDoCvpJa.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 98304 |
| Entropy (8bit): | 7.998206684154131 |
| Encrypted: | true |
| SSDEEP: | 1536:zQ6z2OYzCfk/VR8C1LTvuVriB43WcakZHJpbNQL5OuUzBzj4RrULF8lXgA:EkYzUs8C9vucB4Gcakrx+L5OtMULkgA |
| MD5: | BDC13282C79460C2BA1E0EF20F4E5E81 |
| SHA1: | CF8AFB3ED54647E5C40E255E10D25B2995D48EED |
| SHA-256: | 599E91B463FAAA46F894FDF81F2835BD78317573EB0D68F43A152187FB6E0D4C |
| SHA-512: | 9E54618E9C966B3B6083807C7A3EF524141D5890C00C9E779EEF2B632921BB9F7258B91DB6854CAE0B373637A1989DFE85DA98CA680055E1359BC31BE00133CD |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\nikDoCvpJa.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 104448 |
| Entropy (8bit): | 6.271128694234634 |
| Encrypted: | false |
| SSDEEP: | 3072:N5bLezW9FfTut/Dde6u640ewy4Za9coRC2jfTq8QLeAg0FuzW:N5bLezWWt/Dd314V14ZgP0JaAOzW |
| MD5: | 8645EE059F7491C27B56F84F572A1AED |
| SHA1: | BEE65D077ACB41BDE50E37DBDE02B1B5841FD7B2 |
| SHA-256: | B1A0D20F4CE8BAE90D73CF0DE11591223E6AA6A147A38FEDBB726F43DE03B319 |
| SHA-512: | 9B12C47E13467AD25B0F88CF6B4546232C48E5178B9DCC59CB909DA03338D44C5B92EF64FCC0C98E28908B74E4BF5E299B67B7CA66BC35CFA2639352929167A1 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\nikDoCvpJa.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 92160 |
| Entropy (8bit): | 7.9977036402420225 |
| Encrypted: | true |
| SSDEEP: | 1536:aBBviVJPmTXw7f/zIyTnWPd++uRE7/bUZ78bHgWmIZ/ixHWGA/EmZUcuoYE7Z/FZ:MBuxswbsy7WPNbQYgbfp1A/ZZNRYkhFZ |
| MD5: | 55295B4FA65ECDF193B67F66EC43B2D2 |
| SHA1: | 4DC8234A65BB0BD4B53050916479FE46937347D4 |
| SHA-256: | 096FB31FBADB5B88A84667C8B697AB4CD879056AF190F7B7F6A61AC1C319FAB2 |
| SHA-512: | 27D93F91351216E6D41756303F7E894FFE50561A544278C7A13FD5E033FCB0EDC79657B346BFBB7FE6D25C754E2B5C0CCC6B462167BE478C6675D30CB7C88C8D |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\nikDoCvpJa.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 77824 |
| Entropy (8bit): | 7.997293656107534 |
| Encrypted: | true |
| SSDEEP: | 1536:nlHJcu111hHwerW8RUC/hD8GzrTRgRAQmqmIWbruRjzbeVKIGFWSU2MNmd:lpcw1hNqWD9kAQoIWbrQDeVKIlSVM6 |
| MD5: | 0306260A6BC38AA5DBD8948E5440BF61 |
| SHA1: | 7BAF4CEC13E1FBB2298252381B11D5526EFD27B6 |
| SHA-256: | 481AB5460A952BC0B5016D38584BB37E9DF49AC8B565B1B9FF58E6F9E479362D |
| SHA-512: | 8D8705D33090717B0C22D28432D71AD384D6157BD6BD91C2F0B130E0FF99B360F6EAF60C61941B76854ECB5040CF369DE85D07F6D61557C396A03818D1332991 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\nikDoCvpJa.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 94208 |
| Entropy (8bit): | 6.332052519965856 |
| Encrypted: | false |
| SSDEEP: | 1536:c1/AD1EsdzVXnP94SGGLpRB6M28eFvMVpYhWoXElJUzdlDfFgQa8BpDzdZPp7HM:cZg5PXPeiR6MKkjGWoUlJUPdgQa8Bp/y |
| MD5: | 40F119370AF8F62616FCB5D6FD9CB7B5 |
| SHA1: | 33C64EC1DFFAA51741721A353E05F4B27723DEA0 |
| SHA-256: | 556FE900A4FC1B0EBDF401D9743C2E74C0AC165B0361C5EF16B597E74EF8111F |
| SHA-512: | 40E9246B536E07740BC0ECA56E6774028A679D08163AE9A4FFA03D1321296AC593E8FF9D6E2A30DF47C74779359FCEC914AD12E9567F463AA1761E445F0909B8 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\nikDoCvpJa.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 69632 |
| Entropy (8bit): | 6.564032174584603 |
| Encrypted: | false |
| SSDEEP: | 1536:L+tKA3QkvyNf7Xw2U0pkzUWBh2zGc/xv5mjKu2IwNnPEBiqXv++:rA3laW2UDQWf05mjccBiqXv1 |
| MD5: | 9CA2B08CAE1EA5EBDCB5A4883D863C3E |
| SHA1: | 0DD9890ED8BD7CE9BD577D8F9A3DB528ABA1088A |
| SHA-256: | E755FBD1474CCB45AA18C0A97EEF322C71BCD6714DFB4D030D5A55B7FA9C3C30 |
| SHA-512: | C3193A8634F8CA91E136CF4B4C094F82F2342134FC4DEAB6B5CCE4CA6F154442A1EF9CC27ADB7F8782867B42CDD209DBE3DD76E6FE507ACB785FE805FDB57DBE |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\nikDoCvpJa.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 79872 |
| Entropy (8bit): | 7.9975158081302915 |
| Encrypted: | true |
| SSDEEP: | 1536:TE64WBH+PmX7t9z9wcsjuYV88nHyQwjCnBcrLTqMV81Q+CgQ2hl5:Ao9RuuM3HyQmCBcrPqMsld |
| MD5: | 39BD7CDDA87195136F91ECC649988A42 |
| SHA1: | 4E1E70CDF5254D59823AAA0955C518F9A38929C7 |
| SHA-256: | F2AEE101CECB321C781E68964E3FB1B2172B2F7494ED040C659988E989264A21 |
| SHA-512: | 309FFA953E5CA568989BFA176F797B295C0CDC22C7876861A7F3800CFE7E76EDFF77C49456C39914CD343A3894EE52E39400FE90E8BCC1EDC1845728A12DCAC1 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberScope.url 
Download File
| Process: | C:\Windows\SysWOW64\cmd.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 96 |
| Entropy (8bit): | 4.8279063251453795 |
| Encrypted: | false |
| SSDEEP: | 3:HRAbABGQaFyw3pYoUkh4E2J52A3TdecwIEAMqLI/y:HRYF5yjo9232A4c9p1I/y |
| MD5: | 0FF464ECD7422406613DA16C9CD4BC6E |
| SHA1: | 69D0BCE415641B7D35322459FC14F7C2E740DFB8 |
| SHA-256: | 473D04B3C9C5611772F417A2BD524A9A31B0D87C6119F1337EAD71B3B14FCCC0 |
| SHA-512: | 3DD9CB822CA5846D158FCC0BFA60A587C2B1E068C99809C43F633C1F96A60CF2112639CF30B8D22FBC3CF57B75F167F3C3B3A74C885C1B12053F68E5D73A6AAC |
| Malicious: | true |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.984134223214029 |
| TrID: |
|
| File name: | nikDoCvpJa.exe |
| File size: | 1'798'791 bytes |
| MD5: | d2729f574a3ba69a10c00a5992986226 |
| SHA1: | 827b50066bf4509c1f293f2e2170b86070f3bcd6 |
| SHA256: | 2027658fe07e8ef66d192bf1697cf0d9e91f9813ded69da4408747fb3724b3ec |
| SHA512: | 7bc28a41cc7c61dfc1eb205d7b46da0c9453ce7424fe8eceade72fb5429ac08f72b67b77bdc72df3aaac755bb037808f7714a5334c9e5c541d55fead4df279ca |
| SSDEEP: | 49152:f4yTKXSSgG7DpdzSzn2Y2+TITsGWgECdytvV9iSkbwrsK+ZTF4ShJtO:AyeSSgG7Dpdzm2YusGW/CqvV94w02iHO |
| TLSH: | 328533D57AF3802BD8990EBA14F0114BC5B664F8383DEF5F97114BD8F119F118BA8A4A |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t.......B...8..... |
 | |
| Icon Hash: | 31f0e8d490f0e071 |
| Entrypoint: | 0x4038af |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x4F47E2E4 [Fri Feb 24 19:20:04 2012 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 0 |
| File Version Major: | 5 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 0 |
| Import Hash: | be41bf7b8cc010b614bd36bbca606973 |
| Signature Valid: | false |
| Signature Issuer: | CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE |
| Signature Validation Error: | The digital signature of the object did not verify |
| Error Number: | -2146869232 |
| Not Before, Not After |
|
| Subject Chain |
|
| Version: | 3 |
| Thumbprint MD5: | 3F04BAC702761698B870D1B5952D2C85 |
| Thumbprint SHA-1: | 52AA9079B68E00C5C3C1D8CA7C6C363D0037A59E |
| Thumbprint SHA-256: | D35F904A15D0AD8079CFF4F54FFD3425CAE695F6988F9EDD8964A837785D0B47 |
| Serial: | 1121534C85F8E4ED8E6A978D0356BA881964 |
| Instruction |
|---|
| sub esp, 000002D4h |
| push ebx |
| push ebp |
| push esi |
| push edi |
| push 00000020h |
| xor ebp, ebp |
| pop esi |
| mov dword ptr [esp+18h], ebp |
| mov dword ptr [esp+10h], 0040A268h |
| mov dword ptr [esp+14h], ebp |
| call dword ptr [00409030h] |
| push 00008001h |
| call dword ptr [004090B4h] |
| push ebp |
| call dword ptr [004092C0h] |
| push 00000008h |
| mov dword ptr [0047EB98h], eax |
| call 00007F77F50B7CDBh |
| push ebp |
| push 000002B4h |
| mov dword ptr [0047EAB0h], eax |
| lea eax, dword ptr [esp+38h] |
| push eax |
| push ebp |
| push 0040A264h |
| call dword ptr [00409184h] |
| push 0040A24Ch |
| push 00476AA0h |
| call 00007F77F50B79BDh |
| call dword ptr [004090B0h] |
| push eax |
| mov edi, 004CF0A0h |
| push edi |
| call 00007F77F50B79ABh |
| push ebp |
| call dword ptr [00409134h] |
| cmp word ptr [004CF0A0h], 0022h |
| mov dword ptr [0047EAB8h], eax |
| mov eax, edi |
| jne 00007F77F50B52AAh |
| push 00000022h |
| pop esi |
| mov eax, 004CF0A2h |
| push esi |
| push eax |
| call 00007F77F50B7681h |
| push eax |
| call dword ptr [00409260h] |
| mov esi, eax |
| mov dword ptr [esp+1Ch], esi |
| jmp 00007F77F50B5333h |
| push 00000020h |
| pop ebx |
| cmp ax, bx |
| jne 00007F77F50B52AAh |
| add esi, 02h |
| cmp word ptr [esi], bx |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xac40 | 0xb4 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x100000 | 0x811a2 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1b5797 | 0x1af0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x86000 | 0x994 | .ndata |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x9000 | 0x2d0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x728c | 0x7400 | 419d4e1be1ac35a5db9c47f553b27cea | False | 0.6566540948275862 | data | 6.499708590628113 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x9000 | 0x2b6e | 0x2c00 | cca1ca3fbf99570f6de9b43ce767f368 | False | 0.3678977272727273 | data | 4.497932535153822 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xc000 | 0x72b9c | 0x200 | 77f0839f8ebea31040e462523e1c770e | False | 0.279296875 | data | 1.8049406284608531 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .ndata | 0x7f000 | 0x81000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x100000 | 0x811a2 | 0x81200 | b3e19c84c679cf55fd4be427d35ae5be | False | 0.994193565464666 | data | 7.957883026281082 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x182000 | 0xfd6 | 0x1000 | 3c9b5dd0e9f28bd31a752ba6553005b4 | False | 0.59814453125 | data | 5.586288821054992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x1001f0 | 0x7ae9d | PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced | English | United States | 0.999269047954824 |
| RT_ICON | 0x17b090 | 0x3525 | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.000808526277104 |
| RT_ICON | 0x17e5b8 | 0x2668 | Device independent bitmap graphic, 48 x 96 x 32, image size 9792 | English | United States | 0.798006509357201 |
| RT_DIALOG | 0x180c20 | 0x100 | data | English | United States | 0.5234375 |
| RT_DIALOG | 0x180d20 | 0x11c | data | English | United States | 0.6056338028169014 |
| RT_DIALOG | 0x180e3c | 0x60 | data | English | United States | 0.7291666666666666 |
| RT_GROUP_ICON | 0x180e9c | 0x30 | data | English | United States | 0.8958333333333334 |
| RT_MANIFEST | 0x180ecc | 0x2d6 | XML 1.0 document, ASCII text, with very long lines (726), with no line terminators | English | United States | 0.5647382920110193 |
| DLL | Import |
|---|---|
| KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW |
| USER32.dll | GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW |
| GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject |
| SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation |
| ADVAPI32.dll | RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW |
| COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create |
| ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance |
| VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-19T23:42:58.468620+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49804 | 181.131.217.244 | 3021 | TCP |
| 2024-12-19T23:42:59.740248+0100 | 2032777 | ET MALWARE Remcos 3.x Unencrypted Server Response | 1 | 181.131.217.244 | 3021 | 192.168.2.5 | 49804 | TCP |
| 2024-12-19T23:43:01.524052+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.5 | 49810 | 178.237.33.50 | 80 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 19, 2024 23:42:58.348459959 CET | 49804 | 3021 | 192.168.2.5 | 181.131.217.244 |
| Dec 19, 2024 23:42:58.468028069 CET | 3021 | 49804 | 181.131.217.244 | 192.168.2.5 |
| Dec 19, 2024 23:42:58.468172073 CET | 49804 | 3021 | 192.168.2.5 | 181.131.217.244 |
| Dec 19, 2024 23:42:58.468620062 CET | 49804 | 3021 | 192.168.2.5 | 181.131.217.244 |
| Dec 19, 2024 23:42:58.588115931 CET | 3021 | 49804 | 181.131.217.244 | 192.168.2.5 |
| Dec 19, 2024 23:42:59.740247965 CET | 3021 | 49804 | 181.131.217.244 | 192.168.2.5 |
| Dec 19, 2024 23:42:59.741446018 CET | 49804 | 3021 | 192.168.2.5 | 181.131.217.244 |
| Dec 19, 2024 23:42:59.861721992 CET | 3021 | 49804 | 181.131.217.244 | 192.168.2.5 |
| Dec 19, 2024 23:42:59.973498106 CET | 3021 | 49804 | 181.131.217.244 | 192.168.2.5 |
| Dec 19, 2024 23:43:00.027642012 CET | 49804 | 3021 | 192.168.2.5 | 181.131.217.244 |
| Dec 19, 2024 23:43:00.154680967 CET | 49810 | 80 | 192.168.2.5 | 178.237.33.50 |
| Dec 19, 2024 23:43:00.274243116 CET | 80 | 49810 | 178.237.33.50 | 192.168.2.5 |
| Dec 19, 2024 23:43:00.274375916 CET | 49810 | 80 | 192.168.2.5 | 178.237.33.50 |
| Dec 19, 2024 23:43:00.275007010 CET | 49810 | 80 | 192.168.2.5 | 178.237.33.50 |
| Dec 19, 2024 23:43:00.394495010 CET | 80 | 49810 | 178.237.33.50 | 192.168.2.5 |
| Dec 19, 2024 23:43:01.523915052 CET | 80 | 49810 | 178.237.33.50 | 192.168.2.5 |
| Dec 19, 2024 23:43:01.524051905 CET | 49810 | 80 | 192.168.2.5 | 178.237.33.50 |
| Dec 19, 2024 23:43:01.533869982 CET | 49804 | 3021 | 192.168.2.5 | 181.131.217.244 |
| Dec 19, 2024 23:43:01.653464079 CET | 3021 | 49804 | 181.131.217.244 | 192.168.2.5 |
| Dec 19, 2024 23:43:02.524173021 CET | 80 | 49810 | 178.237.33.50 | 192.168.2.5 |
| Dec 19, 2024 23:43:02.524245024 CET | 49810 | 80 | 192.168.2.5 | 178.237.33.50 |
| Dec 19, 2024 23:43:22.367640018 CET | 3021 | 49804 | 181.131.217.244 | 192.168.2.5 |
| Dec 19, 2024 23:43:22.368899107 CET | 49804 | 3021 | 192.168.2.5 | 181.131.217.244 |
| Dec 19, 2024 23:43:22.488332033 CET | 3021 | 49804 | 181.131.217.244 | 192.168.2.5 |
| Dec 19, 2024 23:43:52.405323982 CET | 3021 | 49804 | 181.131.217.244 | 192.168.2.5 |
| Dec 19, 2024 23:43:52.406918049 CET | 49804 | 3021 | 192.168.2.5 | 181.131.217.244 |
| Dec 19, 2024 23:43:52.526439905 CET | 3021 | 49804 | 181.131.217.244 | 192.168.2.5 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 19, 2024 23:42:11.560640097 CET | 55824 | 53 | 192.168.2.5 | 1.1.1.1 |
| Dec 19, 2024 23:42:11.794698954 CET | 53 | 55824 | 1.1.1.1 | 192.168.2.5 |
| Dec 19, 2024 23:42:57.865504980 CET | 61383 | 53 | 192.168.2.5 | 1.1.1.1 |
| Dec 19, 2024 23:42:58.344794035 CET | 53 | 61383 | 1.1.1.1 | 192.168.2.5 |
| Dec 19, 2024 23:43:00.011619091 CET | 53785 | 53 | 192.168.2.5 | 1.1.1.1 |
| Dec 19, 2024 23:43:00.150248051 CET | 53 | 53785 | 1.1.1.1 | 192.168.2.5 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Dec 19, 2024 23:42:11.560640097 CET | 192.168.2.5 | 1.1.1.1 | 0xb287 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Dec 19, 2024 23:42:57.865504980 CET | 192.168.2.5 | 1.1.1.1 | 0x8310 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Dec 19, 2024 23:43:00.011619091 CET | 192.168.2.5 | 1.1.1.1 | 0x6cfa | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Dec 19, 2024 23:42:11.794698954 CET | 1.1.1.1 | 192.168.2.5 | 0xb287 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Dec 19, 2024 23:42:58.344794035 CET | 1.1.1.1 | 192.168.2.5 | 0x8310 | No error (0) | 181.131.217.244 | A (IP address) | IN (0x0001) | false | ||
| Dec 19, 2024 23:43:00.150248051 CET | 1.1.1.1 | 192.168.2.5 | 0x6cfa | No error (0) | 178.237.33.50 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.5 | 49810 | 178.237.33.50 | 80 | 6976 | C:\Users\user\AppData\Local\Temp\638933\Beth.com |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Dec 19, 2024 23:43:00.275007010 CET | 71 | OUT | |
| Dec 19, 2024 23:43:01.523915052 CET | 1171 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 17:42:03 |
| Start date: | 19/12/2024 |
| Path: | C:\Users\user\Desktop\nikDoCvpJa.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 1'798'791 bytes |
| MD5 hash: | D2729F574A3BA69A10C00A5992986226 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 17:42:04 |
| Start date: | 19/12/2024 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x790000 |
| File size: | 236'544 bytes |
| MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 17:42:04 |
| Start date: | 19/12/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6d64d0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 17:42:07 |
| Start date: | 19/12/2024 |
| Path: | C:\Windows\SysWOW64\tasklist.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x970000 |
| File size: | 79'360 bytes |
| MD5 hash: | 0A4448B31CE7F83CB7691A2657F330F1 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 5 |
| Start time: | 17:42:07 |
| Start date: | 19/12/2024 |
| Path: | C:\Windows\SysWOW64\findstr.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xdf0000 |
| File size: | 29'696 bytes |
| MD5 hash: | F1D4BE0E99EC734376FDE474A8D4EA3E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 6 |
| Start time: | 17:42:07 |
| Start date: | 19/12/2024 |
| Path: | C:\Windows\SysWOW64\tasklist.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x970000 |
| File size: | 79'360 bytes |
| MD5 hash: | 0A4448B31CE7F83CB7691A2657F330F1 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 7 |
| Start time: | 17:42:07 |
| Start date: | 19/12/2024 |
| Path: | C:\Windows\SysWOW64\findstr.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xdf0000 |
| File size: | 29'696 bytes |
| MD5 hash: | F1D4BE0E99EC734376FDE474A8D4EA3E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 8 |
| Start time: | 17:42:09 |
| Start date: | 19/12/2024 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x790000 |
| File size: | 236'544 bytes |
| MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 9 |
| Start time: | 17:42:09 |
| Start date: | 19/12/2024 |
| Path: | C:\Windows\SysWOW64\findstr.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xdf0000 |
| File size: | 29'696 bytes |
| MD5 hash: | F1D4BE0E99EC734376FDE474A8D4EA3E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 10 |
| Start time: | 17:42:09 |
| Start date: | 19/12/2024 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x790000 |
| File size: | 236'544 bytes |
| MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 11 |
| Start time: | 17:42:09 |
| Start date: | 19/12/2024 |
| Path: | C:\Users\user\AppData\Local\Temp\638933\Beth.com |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x7c0000 |
| File size: | 947'288 bytes |
| MD5 hash: | 62D09F076E6E0240548C2F837536A46A |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Antivirus matches: |
|
| Reputation: | moderate |
| Has exited: | false |
| Target ID: | 12 |
| Start time: | 17:42:09 |
| Start date: | 19/12/2024 |
| Path: | C:\Windows\SysWOW64\choice.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xab0000 |
| File size: | 28'160 bytes |
| MD5 hash: | FCE0E41C87DC4ABBE976998AD26C27E4 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 13 |
| Start time: | 17:42:10 |
| Start date: | 19/12/2024 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x790000 |
| File size: | 236'544 bytes |
| MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 14 |
| Start time: | 17:42:10 |
| Start date: | 19/12/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6d64d0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 15 |
| Start time: | 17:42:10 |
| Start date: | 19/12/2024 |
| Path: | C:\Windows\SysWOW64\schtasks.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x1e0000 |
| File size: | 187'904 bytes |
| MD5 hash: | 48C2FE20575769DE916F48EF0676A965 |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 16 |
| Start time: | 17:42:10 |
| Start date: | 19/12/2024 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x790000 |
| File size: | 236'544 bytes |
| MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 17 |
| Start time: | 17:42:10 |
| Start date: | 19/12/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6d64d0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 18 |
| Start time: | 17:42:10 |
| Start date: | 19/12/2024 |
| Path: | C:\Windows\System32\wscript.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff62ce60000 |
| File size: | 170'496 bytes |
| MD5 hash: | A47CBE969EA935BDD3AB568BB126BC80 |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 19 |
| Start time: | 17:42:10 |
| Start date: | 19/12/2024 |
| Path: | C:\Users\user\AppData\Local\SecureScope Dynamics\CyberScope.com |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x190000 |
| File size: | 947'288 bytes |
| MD5 hash: | 62D09F076E6E0240548C2F837536A46A |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Antivirus matches: |
|
| Has exited: | true |
| Target ID: | 21 |
| Start time: | 17:42:20 |
| Start date: | 19/12/2024 |
| Path: | C:\Windows\System32\wscript.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff62ce60000 |
| File size: | 170'496 bytes |
| MD5 hash: | A47CBE969EA935BDD3AB568BB126BC80 |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 22 |
| Start time: | 17:42:20 |
| Start date: | 19/12/2024 |
| Path: | C:\Users\user\AppData\Local\SecureScope Dynamics\CyberScope.com |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x190000 |
| File size: | 947'288 bytes |
| MD5 hash: | 62D09F076E6E0240548C2F837536A46A |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 17.7% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 21% |
| Total number of Nodes: | 1482 |
| Total number of Limit Nodes: | 27 |
Graph
Function 004050F9 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 295windowclipboardmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004038AF Relevance: 52.8, APIs: 22, Strings: 8, Instructions: 304filestringcomCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351sleepfilewindowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405958 Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233stringregistrylibraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185stringtimeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040337F Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 175fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405E7C Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405E5C Relevance: 3.0, APIs: 2, Instructions: 9COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004037F8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403DDB Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403DC4 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403DB1 Relevance: 1.5, APIs: 1, Instructions: 4COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004049A8 Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406CC7 Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 190filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004044D1 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 300stringkeyboardCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406EFE Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406831 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004079A2 Relevance: .3, Instructions: 347COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040737E Relevance: .3, Instructions: 303COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004063D8 Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004040E4 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406AC5 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 163filestringmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406113 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 72filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004023F0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 83libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403DF6 Relevance: 12.1, APIs: 8, Instructions: 60COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040487A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004043D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406250 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00407224 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406391 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004048F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405C6B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004062CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405DE2 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 2.9% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 3.5% |
| Total number of Nodes: | 2000 |
| Total number of Limit Nodes: | 72 |
Graph
Function 00195FC8 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 236libraryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0019338B Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 148windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001FDD87 Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0019EE4C Relevance: 26.9, APIs: 14, Strings: 1, Instructions: 617windowsleeptimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0019370F Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 145windowtimeregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00193624 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53windowregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001D09DB Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001952A7 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001934D3 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63windowregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00192793 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 153comCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00201196 Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001961A9 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001958CB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0019F238 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29windowsleepCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002189B6 Relevance: 4.9, APIs: 3, Instructions: 430COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00219AF3 Relevance: 4.7, APIs: 3, Instructions: 233COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00200D18 Relevance: 4.5, APIs: 3, Instructions: 21COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001AFFE0 Relevance: 3.1, APIs: 2, Instructions: 94COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0019396B Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001C4EB8 Relevance: 3.1, APIs: 2, Instructions: 67COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00200AC4 Relevance: 3.0, APIs: 2, Instructions: 30COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0019331B Relevance: 3.0, APIs: 2, Instructions: 30COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00200B4C Relevance: 3.0, APIs: 2, Instructions: 21COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0019CAB0 Relevance: 2.1, APIs: 1, Instructions: 587COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00217AF9 Relevance: 1.8, APIs: 1, Instructions: 326COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001BF106 Relevance: 1.7, APIs: 1, Instructions: 151COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00196679 Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001C8782 Relevance: 1.6, APIs: 1, Instructions: 54COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001BE972 Relevance: 1.5, APIs: 1, Instructions: 46COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0019B329 Relevance: 1.5, APIs: 1, Instructions: 43COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0020F94A Relevance: 1.5, APIs: 1, Instructions: 43COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001C4FF0 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001C3B93 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001966E7 Relevance: 1.5, APIs: 1, Instructions: 28COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0019684A Relevance: 1.5, APIs: 1, Instructions: 26COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00193907 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00193A57 Relevance: 1.5, APIs: 1, Instructions: 23COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001FE83E Relevance: 1.5, APIs: 1, Instructions: 20COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002012EB Relevance: 1.5, APIs: 1, Instructions: 20threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001AFC7C Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002073D4 Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0020A087 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00204763 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0020A1E2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001FD921 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0020F7C7 Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001FF20D Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001CBCD2 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001FDC54 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F20AA Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0020A570 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002226DD Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F2010 Relevance: 4.6, APIs: 3, Instructions: 68COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002041FA Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F1A0B Relevance: 3.0, APIs: 2, Instructions: 24COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001FEC6C Relevance: 1.5, APIs: 1, Instructions: 24COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001B0D45 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0021353B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00191625 Relevance: 53.0, APIs: 26, Strings: 4, Instructions: 480windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00227B0D Relevance: 49.8, APIs: 33, Instructions: 273COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0021316E Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00192521 Relevance: 42.3, APIs: 18, Strings: 6, Instructions: 282windowtimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00221A8F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00220CDD Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0021CE17 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002213BA Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00228D97 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0021086B Relevance: 27.1, APIs: 18, Instructions: 128COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00229B7A Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 181windowfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00214A46 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0019381F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00227711 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0019146D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 168timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0020CEBB Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0021C06E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0022A94F Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 271windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0022976A Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 221windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00212FB9 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001FC8F7 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0021D694 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001FEFC7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F662D Relevance: 18.2, APIs: 12, Instructions: 173COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00192128 Relevance: 18.1, APIs: 12, Instructions: 137COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001913A6 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 155windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0022955E Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 149windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001FA05C Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F0FCF Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00224A34 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0021468D Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002084DB Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00210FB8 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00214189 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00208BDA Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002246E2 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F282C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F290D Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002288F9 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 193windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00197447 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0020CC98 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001FA215 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F29EC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00197567 Relevance: 13.8, APIs: 9, Instructions: 291COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001CD210 Relevance: 13.7, APIs: 9, Instructions: 209COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F2EEF Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001FCE7B Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 191windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00224322 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001FC625 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001FD11F Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001FE73E Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001FF437 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 42windowtimethreadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001FF630 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0022379F Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001D18A2 Relevance: 10.8, APIs: 7, Instructions: 268COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00201B46 Relevance: 10.8, APIs: 7, Instructions: 254COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001C57A1 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001FD7AB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002042B9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00223899 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F808D Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F8164 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00200E79 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00200F4E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00224B4B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001FE30E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00201312 Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001C0527 Relevance: 9.3, APIs: 6, Instructions: 269COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001C6571 Relevance: 9.2, APIs: 6, Instructions: 216COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F009D Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00228C36 Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00212D37 Relevance: 9.1, APIs: 6, Instructions: 103COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F55E1 Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00229480 Relevance: 9.0, APIs: 6, Instructions: 49COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F5B61 Relevance: 9.0, APIs: 6, Instructions: 49COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001D34D6 Relevance: 9.0, APIs: 6, Instructions: 39windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F21C1 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F7B05 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00224818 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F272F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002239B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00229A25 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001B50DD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001EE778 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0019663E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00196607 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00203306 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0021ADE7 Relevance: 7.8, APIs: 5, Instructions: 256COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F9517 Relevance: 7.7, APIs: 5, Instructions: 159COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00209540 Relevance: 7.6, APIs: 5, Instructions: 143COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002275AE Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002261A5 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0021138D Relevance: 7.6, APIs: 5, Instructions: 69COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001CD13D Relevance: 7.6, APIs: 5, Instructions: 68COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F6078 Relevance: 7.6, APIs: 5, Instructions: 61COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F08FE Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001FF292 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F1A45 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F1900 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F1960 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00200CB6 Relevance: 7.5, APIs: 6, Instructions: 41COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001C2610 Relevance: 7.5, APIs: 5, Instructions: 30COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001C12B7 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F3063 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001FCB28 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00213AAB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00224954 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002250F1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00224253 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00224C89 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F389E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00226321 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0022823D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00228BCD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40processCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F096F Relevance: 6.3, APIs: 4, Instructions: 322COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001C41F3 Relevance: 6.3, APIs: 4, Instructions: 305COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F0D26 Relevance: 6.2, APIs: 4, Instructions: 230COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00226CB0 Relevance: 6.1, APIs: 4, Instructions: 138COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001CB79F Relevance: 6.1, APIs: 4, Instructions: 133COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0020611E Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002280AE Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00222176 Relevance: 6.1, APIs: 4, Instructions: 101COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001FE8AC Relevance: 6.1, APIs: 4, Instructions: 87COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001FDB6C Relevance: 6.1, APIs: 4, Instructions: 78COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0022321E Relevance: 6.1, APIs: 4, Instructions: 75COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F825C Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002260FF Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001C2079 Relevance: 6.1, APIs: 4, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F2374 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001FEAED Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001BD53C Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00197873 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001C33E6 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001FBA6F Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0022886F Relevance: 6.0, APIs: 4, Instructions: 46COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002292BF Relevance: 6.0, APIs: 4, Instructions: 31COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001921A0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001EEC36 Relevance: 6.0, APIs: 4, Instructions: 19COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001EEC4A Relevance: 6.0, APIs: 4, Instructions: 18COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002057CC Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001AF6CA Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0020DB39 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00224FD5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00223C8B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0020D763 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F262B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F2525 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F25A9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F26B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00229AFD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F1461 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00222DBE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00222DF2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|