Edit tour
Windows
Analysis Report
vYeaC4s9zP.exe
Overview
General Information
| Sample name: | vYeaC4s9zP.exerenamed because original name is a hash value |
| Original sample name: | 26cb6c247cdfb5215bc60ac7abd12322.exe |
| Analysis ID: | 1583860 |
| MD5: | 26cb6c247cdfb5215bc60ac7abd12322 |
| SHA1: | d1ca8142469039a57cb43d3bebe369d0a00aa08b |
| SHA256: | da7c7cbc0d451b55c5a9312532b3e07d52e25399cb10e96cb2479a10407d4600 |
| Tags: | exeValleyRATuser-abuse_ch |
| Infos: |   |
 | |
Detection
GhostRat
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GhostRat
AI detected suspicious sample
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Found evasive API chain (may stop execution after checking mutex)
Found stalling execution ending in API Sleep call
Sample is not signed and drops a device driver
Sigma detected: Potentially Suspicious Malware Callback Communication
Tries to detect sandboxes / dynamic malware analysis system (QueryWinSAT)
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks for available system drives (often done to infect USB drives)
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates driver files
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain checking for process token information
Installs a global mouse hook
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Stores large binary data to the registry
Classification
- System is w10x64
vYeaC4s9zP.exe (PID: 1216 cmdline: "C:\Users\ user\Deskt op\vYeaC4s 9zP.exe" MD5: 26CB6C247CDFB5215BC60AC7ABD12322)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security | ||
| JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-03T18:47:02.929641+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.5 | 49704 | 27.124.4.60 | 4433 | TCP |
| 2025-01-03T18:48:08.634869+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.5 | 49704 | 27.124.4.60 | 4433 | TCP |
| 2025-01-03T18:49:15.394711+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.5 | 49979 | 27.124.4.60 | 10443 | TCP |
| 2025-01-03T18:50:19.461038+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.5 | 49982 | 27.124.4.60 | 4433 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Static PE information: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Code function: | 0_2_00007FF6B299F410 | |
| Source: | Code function: | 0_2_00007FF6B29C3EF0 | |
| Source: | Code function: | 0_2_00007FF6B29962F0 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | TCP traffic: | ||
| Source: | ASN Name: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 0_2_00007FF6B2993B00 | |
Key, Mouse, Clipboard, Microphone and Screen Capturing | |
|---|
| Source: | Code function: | 0_2_00007FF6B299ADB0 | |
| Source: | Code function: | 0_2_00007FF6B29A0E20 | |
| Source: | Code function: | 0_2_00007FF6B29A0E20 | |
| Source: | Code function: | 0_2_00007FF6B29A0E20 | |
| Source: | Code function: | 0_2_00007FF6B299FD10 | |
| Source: | Code function: | 0_2_00007FF6B2997250 | |
| Source: | Windows user hook set: | Jump to behavior | ||
| Source: | Process Stats: | ||
| Source: | Code function: | 0_2_00007FF6B29AC1B0 | |
| Source: | Code function: | 0_2_00007FF6B299E3E9 | |
| Source: | Code function: | 0_2_00007FF6B299E4EE | |
| Source: | Code function: | 0_2_00007FF6B299E46D | |
| Source: | File created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00007FF6B29B8C10 | |
| Source: | Code function: | 0_2_00007FF6B299F410 | |
| Source: | Code function: | 0_2_00007FF6B29AB500 | |
| Source: | Code function: | 0_2_00007FF6B2991500 | |
| Source: | Code function: | 0_2_00007FF6B299FD10 | |
| Source: | Code function: | 0_2_00007FF6B29979E0 | |
| Source: | Code function: | 0_2_00007FF6B29962F0 | |
| Source: | Code function: | 0_2_00007FF6B2997250 | |
| Source: | Code function: | 0_2_00007FF6B2998040 | |
| Source: | Code function: | 0_2_00007FF6B29C1DA8 | |
| Source: | Code function: | 0_2_00007FF6B29AAD80 | |
| Source: | Code function: | 0_2_00007FF6B299B410 | |
| Source: | Code function: | 0_2_00007FF6B299D410 | |
| Source: | Code function: | 0_2_00007FF6B29B536C | |
| Source: | Code function: | 0_2_00007FF6B29B7340 | |
| Source: | Code function: | 0_2_00007FF6B29BB350 | |
| Source: | Code function: | 0_2_00007FF6B29BC51C | |
| Source: | Code function: | 0_2_00007FF6B29BFD30 | |
| Source: | Code function: | 0_2_00007FF6B29C5D34 | |
| Source: | Code function: | 0_2_00007FF6B29BA4F8 | |
| Source: | Code function: | 0_2_00007FF6B29BAC80 | |
| Source: | Code function: | 0_2_00007FF6B29BF21C | |
| Source: | Code function: | 0_2_00007FF6B29B6228 | |
| Source: | Code function: | 0_2_00007FF6B29B5168 | |
| Source: | Code function: | 0_2_00007FF6B29C714C | |
| Source: | Code function: | 0_2_00007FF6B29BD320 | |
| Source: | Code function: | 0_2_00007FF6B2999320 | |
| Source: | Code function: | 0_2_00007FF6B29A9250 | |
| Source: | Code function: | 0_2_00007FF6B29C2024 | |
| Source: | Code function: | 0_2_00007FF6B29C3760 | |
| Source: | Code function: | 0_2_00007FF6B29B4F5C | |
| Source: | Code function: | 0_2_00007FF6B29C2744 | |
| Source: | Code function: | 0_2_00007FF6B29B6F3C | |
| Source: | Code function: | 0_2_00007FF6B29997A0 | |
| Source: | Code function: | 0_2_00007FF6B29B577C | |
| Source: | Code function: | 0_2_00007FF6B29A78F0 | |
| Source: | Code function: | 0_2_00007FF6B29A0900 | |
| Source: | Code function: | 0_2_00007FF6B29B4D58 | |
| Source: | Code function: | 0_2_00007FF6B299CD40 | |
| Source: | Code function: | 0_2_00007FF6B29AA5A0 | |
| Source: | Code function: | 0_2_00007FF6B299ADB0 | |
| Source: | Code function: | 0_2_00007FF6B29B65AC | |
| Source: | Code function: | 0_2_00007FF6B29C8584 | |
| Source: | Code function: | 0_2_00007FF6B29B5578 | |
| Source: | Code function: | 0_2_00007FF6B29C3EF0 | |
| Source: | Code function: | 0_2_00007FF6B29A2EC0 | |
| Source: | Code function: | 0_2_00007FF6B2992E50 | |
| Source: | Code function: | 0_2_00007FF6B29BF6B0 | |
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_00007FF6B29AB500 | |
| Source: | Code function: | 0_2_00007FF6B299E3E9 | |
| Source: | Code function: | 0_2_00007FF6B299E4EE | |
| Source: | Code function: | 0_2_00007FF6B299E46D | |
| Source: | Code function: | 0_2_00007FF6B2999320 | |
| Source: | Code function: | 0_2_00007FF6B29962F0 | |
| Source: | Code function: | 0_2_00007FF6B299F410 | |
| Source: | Code function: | 0_2_00007FF6B29979E0 | |
| Source: | Mutant created: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00007FF6B29AB500 | |
Persistence and Installation Behavior | |
|---|
| Source: | File created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00007FF6B299E36A | |
| Source: | Key value created or modified: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | Evasive API call chain: | graph_0-21519 | ||
| Source: | Stalling execution: | graph_0-21060 | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Code function: | 0_2_00007FF6B29962F0 | |
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Decision node followed by non-executed suspicious API: | graph_0-21550 | ||
| Source: | Check user administrative privileges: | graph_0-21595 | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_00007FF6B299F410 | |
| Source: | Code function: | 0_2_00007FF6B29C3EF0 | |
| Source: | Code function: | 0_2_00007FF6B29962F0 | |
| Source: | Code function: | 0_2_00007FF6B29991A0 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_00007FF6B29AB500 | |
| Source: | Code function: | 0_2_00007FF6B29AC70C | |
| Source: | Code function: | 0_2_00007FF6B29962F0 | |
| Source: | Code function: | 0_2_00007FF6B29AB500 | |
| Source: | Code function: | 0_2_00007FF6B2998690 | |
| Source: | Code function: | 0_2_00007FF6B29ABCD0 | |
| Source: | Code function: | 0_2_00007FF6B29AB500 | |
| Source: | Code function: | 0_2_00007FF6B29B3A6C | |
| Source: | Code function: | 0_2_00007FF6B29AE8E0 | |
| Source: | Code function: | 0_2_00007FF6B29AE54C | |
| Source: | Code function: | 0_2_00007FF6B29AE6F4 | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Code function: | 0_2_00007FF6B2999320 | |
| Source: | Code function: | 0_2_00007FF6B2999320 | |
| Source: | Code function: | 0_2_00007FF6B2999320 | |
| Source: | Code function: | 0_2_00007FF6B29AB500 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_00007FF6B29CC8C0 | |
| Source: | Code function: | 0_2_00007FF6B29962F0 | |
| Source: | Code function: | 0_2_00007FF6B29C7BA0 | |
| Source: | Code function: | 0_2_00007FF6B29C0D10 | |
| Source: | Code function: | 0_2_00007FF6B29C7B08 | |
| Source: | Code function: | 0_2_00007FF6B29C7A38 | |
| Source: | Code function: | 0_2_00007FF6B29C7FF0 | |
| Source: | Code function: | 0_2_00007FF6B29C7F40 | |
| Source: | Code function: | 0_2_00007FF6B29C8124 | |
| Source: | Code function: | 0_2_00007FF6B29C0838 | |
| Source: | Code function: | 0_2_00007FF6B29C7DE8 | |
| Source: | Code function: | 0_2_00007FF6B29C76DC | |
| Source: | Code function: | 0_2_00007FF6B29AB500 | |
| Source: | Code function: | 0_2_00007FF6B29C1DA8 | |
| Source: | Code function: | 0_2_00007FF6B299FD10 | |
| Source: | Binary or memory string: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | 1 Replication Through Removable Media | 12 Native API | 1 Windows Service | 1 Access Token Manipulation | 1 Modify Registry | 121 Input Capture | 2 System Time Discovery | Remote Services | 1 Screen Capture | 1 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Windows Service | 1 Virtualization/Sandbox Evasion | LSASS Memory | 151 Security Software Discovery | Remote Desktop Protocol | 121 Input Capture | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 211 Process Injection | 1 Access Token Manipulation | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Archive Collected Data | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 211 Process Injection | NTDS | 3 Process Discovery | Distributed Component Object Model | 3 Clipboard Data | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Indicator Removal | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 11 Peripheral Device Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 2 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 26 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 53% | ReversingLabs | Win64.Trojan.SpywareX |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No contacted domains info
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 27.124.4.60 | unknown | Singapore | 64050 | BCPL-SGBGPNETGlobalASNSG | true |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1583860 |
| Start date and time: | 2025-01-03 18:46:08 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 6m 46s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 4 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | vYeaC4s9zP.exerenamed because original name is a hash value |
| Original Sample Name: | 26cb6c247cdfb5215bc60ac7abd12322.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@1/1@0/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.45, 4.245.163.56
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Report size getting too big, too many NtEnumerateKey calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- VT rate limit hit for: vYeaC4s9zP.exe
| Time | Type | Description |
|---|---|---|
| 12:47:29 | API Interceptor |
⊘No context
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| BCPL-SGBGPNETGlobalASNSG | Get hash | malicious | FormBook | Browse |
| |
| Get hash | malicious | GhostRat | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | GhostRat, XRed | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Nitol, Zegost | Browse |
| ||
| Get hash | malicious | Nitol, Zegost | Browse |
| ||
| Get hash | malicious | Nitol, Zegost | Browse |
| ||
| Get hash | malicious | GhostRat | Browse |
| ||
| Get hash | malicious | GhostRat | Browse |
|
⊘No context
⊘No context
| Process: | C:\Users\user\Desktop\vYeaC4s9zP.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 30 |
| Entropy (8bit): | 2.6616157143988106 |
| Encrypted: | false |
| SSDEEP: | 3:tblM6lEjln:tbhEZn |
| MD5: | AE50B29A0B8DCC411F24F1863B0EAFDE |
| SHA1: | D415A55627B1ADED8E4B2CBBA402F816B0461155 |
| SHA-256: | 6B4BBBCE480FBC50D39A8EC4B72CDB7D781B151921E063DD899FD9B736ADCF68 |
| SHA-512: | D9A9BA42D99BE32D26667060BE1D523DCD20EAFA187A67F7919002CC6DA349FD058053C9C6F721D6FDB730EA02FBAA3013E51C0C653368BD6B3F57A4C0FCABA8 |
| Malicious: | true |
| Reputation: | moderate, very likely benign file |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.060229389313906 |
| TrID: |
|
| File name: | vYeaC4s9zP.exe |
| File size: | 389'632 bytes |
| MD5: | 26cb6c247cdfb5215bc60ac7abd12322 |
| SHA1: | d1ca8142469039a57cb43d3bebe369d0a00aa08b |
| SHA256: | da7c7cbc0d451b55c5a9312532b3e07d52e25399cb10e96cb2479a10407d4600 |
| SHA512: | 188e695ca51398726ead3b322f9069c0984779fbd58dbbddaf5bf50175eb09231c0ecb32b90625e1dd4deb805c34cff779add38e5c184450b2909f5508fcb649 |
| SSDEEP: | 6144:gKtL0RSVgMoEao8ItdKwzBFdYmT+xmyiRLBVgLhkM:ltwSqEao8It4wlDCxmPkx |
| TLSH: | B2848E49F79405F8E5678138C9634916EBB27C6D03A09BDF33A4866A2F237D0AD3E711 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........A...A...A.......D...............@.......@...Q(..K...Q(..S...Q(..........U.......X...A...m....)..S....)..@...RichA.......... |
 | |
| Icon Hash: | 00928e8e8686b000 |
| Entrypoint: | 0x14001e13c |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x140000000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
| DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x677168C7 [Sun Dec 29 15:20:39 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | d7444b6dc7c8cddb50fba5269ad57bce |
| Instruction |
|---|
| dec eax |
| sub esp, 28h |
| call 00007F94BD06CB60h |
| dec eax |
| add esp, 28h |
| jmp 00007F94BD06C3B7h |
| int3 |
| int3 |
| dec eax |
| sub esp, 28h |
| dec ebp |
| mov eax, dword ptr [ecx+38h] |
| dec eax |
| mov ecx, edx |
| dec ecx |
| mov edx, ecx |
| call 00007F94BD06C552h |
| mov eax, 00000001h |
| dec eax |
| add esp, 28h |
| ret |
| int3 |
| int3 |
| int3 |
| inc eax |
| push ebx |
| inc ebp |
| mov ebx, dword ptr [eax] |
| dec eax |
| mov ebx, edx |
| inc ecx |
| and ebx, FFFFFFF8h |
| dec esp |
| mov ecx, ecx |
| inc ecx |
| test byte ptr [eax], 00000004h |
| dec esp |
| mov edx, ecx |
| je 00007F94BD06C555h |
| inc ecx |
| mov eax, dword ptr [eax+08h] |
| dec ebp |
| arpl word ptr [eax+04h], dx |
| neg eax |
| dec esp |
| add edx, ecx |
| dec eax |
| arpl ax, cx |
| dec esp |
| and edx, ecx |
| dec ecx |
| arpl bx, ax |
| dec edx |
| mov edx, dword ptr [eax+edx] |
| dec eax |
| mov eax, dword ptr [ebx+10h] |
| mov ecx, dword ptr [eax+08h] |
| dec eax |
| mov eax, dword ptr [ebx+08h] |
| test byte ptr [ecx+eax+03h], 0000000Fh |
| je 00007F94BD06C54Dh |
| movzx eax, byte ptr [ecx+eax+03h] |
| and eax, FFFFFFF0h |
| dec esp |
| add ecx, eax |
| dec esp |
| xor ecx, edx |
| dec ecx |
| mov ecx, ecx |
| pop ebx |
| jmp 00007F94BD06C55Ah |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| nop word ptr [eax+eax+00000000h] |
| dec eax |
| cmp ecx, dword ptr [00036E59h] |
| jne 00007F94BD06C552h |
| dec eax |
| rol ecx, 10h |
| test cx, FFFFh |
| jne 00007F94BD06C543h |
| ret |
| dec eax |
| ror ecx, 10h |
| jmp 00007F94BD06CC5Bh |
| int3 |
| int3 |
| dec eax |
| mov dword ptr [esp+00h], ebx |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x523b0 | 0x104 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x60000 | 0x3420 | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x64000 | 0xc80 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x4c7b0 | 0x38 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x4c980 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4c670 | 0x140 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x3f000 | 0x918 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x3dbf0 | 0x3dc00 | d3f6189e43bbd290b28f7518c02b76a1 | False | 0.5461593813259109 | data | 6.462564110280856 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x3f000 | 0x1519e | 0x15200 | 13c0b12c937ab96a5d21e4441a19f16c | False | 0.4149986131656805 | data | 4.932093126288018 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x55000 | 0xaa6c | 0x7c00 | 38d4eff7b357db402101654f0fe35b27 | False | 0.10600428427419355 | DOS executable (block device driver \377\3) | 1.5549509551669303 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .pdata | 0x60000 | 0x3420 | 0x3600 | 20b7b9769859dd90801ea597a1d992be | False | 0.4626736111111111 | data | 5.517914471579984 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x64000 | 0xc80 | 0xe00 | 316f5780e4a2c74c1946985bacab1ae4 | False | 0.4916294642857143 | data | 5.228910762857474 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| DLL | Import |
|---|---|
| KERNEL32.dll | QueryDosDeviceW, WriteProcessMemory, GetCommandLineW, GetCurrentProcess, WriteFile, OutputDebugStringA, GetModuleFileNameW, GetProcessId, CreateMutexW, GetLocaleInfoW, LocalAlloc, CreateFileW, GetVersionExW, K32GetProcessImageFileNameW, GetSystemDirectoryW, ResumeThread, GetModuleHandleA, OpenProcess, GetVersion, GetLogicalDriveStringsW, CreateToolhelp32Snapshot, MultiByteToWideChar, Process32NextW, GetDiskFreeSpaceExW, GetSystemDirectoryA, LoadLibraryA, lstrcatW, GlobalAlloc, Process32FirstW, GlobalFree, GetSystemInfo, LoadLibraryW, GetLocalTime, VirtualProtectEx, GetThreadContext, GetProcAddress, VirtualAllocEx, LocalFree, ExitProcess, GetCurrentProcessId, GlobalMemoryStatusEx, CreateProcessW, GetModuleHandleW, FreeLibrary, GetConsoleWindow, lstrcpyW, CreateRemoteThread, CreateProcessA, SetThreadContext, GetModuleFileNameA, GetTickCount, lstrcmpW, GetDriveTypeW, GetExitCodeProcess, SetFilePointer, ReleaseMutex, GlobalSize, DeleteFileW, GlobalLock, GetFileSize, GlobalUnlock, FindFirstFileW, ExpandEnvironmentStringsW, FindClose, GetFileAttributesW, TerminateThread, VirtualProtect, IsBadReadPtr, CreateThread, IsDebuggerPresent, SetUnhandledExceptionFilter, WriteConsoleW, GetCurrentThreadId, GetConsoleMode, GetConsoleOutputCP, FlushFileBuffers, SetFilePointerEx, SetStdHandle, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, LCMapStringW, CompareStringW, FlsFree, FlsSetValue, GetStartupInfoW, CreateWaitableTimerW, SetWaitableTimer, TryEnterCriticalSection, WideCharToMultiByte, ResetEvent, CreateEventW, lstrlenW, CancelIo, GetNativeSystemInfo, SetLastError, lstrcmpiW, CreateEventA, CloseHandle, SetEvent, Sleep, HeapFree, WaitForSingleObject, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, HeapCreate, GetProcessHeap, DeleteCriticalSection, HeapDestroy, DecodePointer, HeapAlloc, HeapReAlloc, GetLastError, HeapSize, InitializeCriticalSectionEx, VirtualAlloc, VirtualFree, FlsGetValue, FlsAlloc, GetFileType, GetCommandLineA, GetStdHandle, VirtualQuery, GetModuleHandleExW, FreeLibraryAndExitThread, ExitThread, LoadLibraryExW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, RtlPcToFileHeader, RtlUnwindEx, lstrcpyA, CreateFileA, GetSystemDefaultLangID, DeviceIoControl, TerminateProcess, InitializeSListHead, GetSystemTimeAsFileTime, QueryPerformanceCounter, IsProcessorFeaturePresent, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, SleepConditionVariableSRW, WakeAllConditionVariable, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, GetCPInfo, LCMapStringEx, EncodePointer, CompareStringEx, GetStringTypeW, RaiseException, OutputDebugStringW, SwitchToThread |
| USER32.dll | MsgWaitForMultipleObjects, GetWindowTextW, wsprintfW, GetForegroundWindow, GetLastInputInfo, GetClipboardData, CloseClipboard, OpenClipboard, GetKeyState, ReleaseDC, GetDesktopWindow, SetClipboardData, ExitWindowsEx, EmptyClipboard, GetSystemMetrics, GetDC, GetInputState, PostThreadMessageA, TranslateMessage, DispatchMessageW, PeekMessageW, ShowWindow |
| GDI32.dll | CreateCompatibleBitmap, SelectObject, CreateDIBSection, SetDIBColorTable, CreateCompatibleDC, StretchBlt, GetDIBits, GetDeviceCaps, GetObjectW, SetStretchBltMode, DeleteObject, DeleteDC |
| ADVAPI32.dll | OpenProcessToken, RegQueryValueExW, AllocateAndInitializeSid, FreeSid, CheckTokenMembership, ClearEventLogW, CloseEventLog, OpenEventLogW, LookupPrivilegeValueW, AdjustTokenPrivileges, GetCurrentHwProfileW, RegCloseKey, RegQueryInfoKeyW, GetSidSubAuthorityCount, GetSidSubAuthority, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, LookupAccountSidW, GetTokenInformation |
| SHELL32.dll | SHGetFolderPathW |
| ole32.dll | CreateStreamOnHGlobal, GetHGlobalFromStream, CoInitialize, CoUninitialize, CoCreateInstance |
| OLEAUT32.dll | SysFreeString |
| WS2_32.dll | WSASetLastError, WSAEventSelect, WSAResetEvent, WSAWaitForMultipleEvents, WSAEnumNetworkEvents, WSAGetLastError, WSACleanup, WSAIoctl, closesocket, WSACreateEvent, select, WSAStartup, send, socket, connect, recv, htons, setsockopt, inet_ntoa, WSACloseEvent, gethostbyname, gethostname, shutdown |
| WINMM.dll | timeGetTime |
| gdiplus.dll | GdipCreateBitmapFromStream, GdipBitmapUnlockBits, GdipCloneImage, GdipAlloc, GdiplusShutdown, GdipDrawImageI, GdipCreateBitmapFromScan0, GdipCreateBitmapFromHBITMAP, GdipGetImageWidth, GdipGetImagePalette, GdipDeleteGraphics, GdipGetImageEncodersSize, GdipGetImageGraphicsContext, GdipFree, GdipGetImagePixelFormat, GdipDisposeImage, GdipSaveImageToStream, GdipBitmapLockBits, GdipGetImagePaletteSize, GdiplusStartup, GdipGetImageHeight, GdipGetImageEncoders |
| dxgi.dll | CreateDXGIFactory |
| DINPUT8.dll | DirectInput8Create |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-03T18:47:02.929641+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.5 | 49704 | 27.124.4.60 | 4433 | TCP |
| 2025-01-03T18:48:08.634869+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.5 | 49704 | 27.124.4.60 | 4433 | TCP |
| 2025-01-03T18:49:15.394711+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.5 | 49979 | 27.124.4.60 | 10443 | TCP |
| 2025-01-03T18:50:19.461038+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.5 | 49982 | 27.124.4.60 | 4433 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 3, 2025 18:47:01.539664030 CET | 49704 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:47:01.544502974 CET | 4433 | 49704 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:47:01.544594049 CET | 49704 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:47:02.318195105 CET | 49704 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:47:02.323122025 CET | 4433 | 49704 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:47:02.323139906 CET | 4433 | 49704 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:47:02.323151112 CET | 4433 | 49704 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:47:02.323277950 CET | 4433 | 49704 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:47:02.832179070 CET | 4433 | 49704 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:47:02.884821892 CET | 49704 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:47:02.924619913 CET | 49704 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:47:02.929469109 CET | 4433 | 49704 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:47:02.929480076 CET | 4433 | 49704 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:47:02.929488897 CET | 4433 | 49704 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:47:02.929569960 CET | 4433 | 49704 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:47:02.929641008 CET | 49704 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:47:02.934348106 CET | 4433 | 49704 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:47:18.541146040 CET | 49704 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:47:18.545909882 CET | 4433 | 49704 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:47:18.841541052 CET | 4433 | 49704 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:47:18.884809971 CET | 49704 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:47:35.744191885 CET | 49704 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:47:35.749047995 CET | 4433 | 49704 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:47:36.044631004 CET | 4433 | 49704 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:47:36.088000059 CET | 49704 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:47:52.135030985 CET | 49704 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:47:52.139791012 CET | 4433 | 49704 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:47:52.584821939 CET | 4433 | 49704 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:47:52.634732008 CET | 49704 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:48:08.634869099 CET | 49704 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:48:08.634964943 CET | 49704 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:48:08.639667034 CET | 4433 | 49704 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:48:08.639723063 CET | 49704 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:48:13.589364052 CET | 49977 | 10443 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:48:13.594346046 CET | 10443 | 49977 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:48:13.594434023 CET | 49977 | 10443 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:48:14.445863008 CET | 49977 | 10443 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:48:14.450746059 CET | 10443 | 49977 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:48:14.450762987 CET | 10443 | 49977 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:48:14.450771093 CET | 10443 | 49977 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:48:14.450844049 CET | 10443 | 49977 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:48:15.024406910 CET | 10443 | 49977 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:48:15.141279936 CET | 49977 | 10443 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:48:15.146148920 CET | 10443 | 49977 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:48:15.146173954 CET | 10443 | 49977 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:48:15.146184921 CET | 10443 | 49977 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:48:15.146217108 CET | 49977 | 10443 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:48:15.146363974 CET | 10443 | 49977 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:48:15.151034117 CET | 10443 | 49977 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:48:29.541017056 CET | 49977 | 10443 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:48:29.541117907 CET | 49977 | 10443 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:48:29.545862913 CET | 10443 | 49977 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:48:29.545917988 CET | 49977 | 10443 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:48:34.503190994 CET | 49978 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:48:34.508099079 CET | 4433 | 49978 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:48:34.508199930 CET | 49978 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:48:35.338960886 CET | 49978 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:48:35.343863010 CET | 4433 | 49978 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:48:35.343880892 CET | 4433 | 49978 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:48:35.343939066 CET | 4433 | 49978 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:48:35.344003916 CET | 4433 | 49978 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:48:35.696419954 CET | 4433 | 49978 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:48:35.744044065 CET | 49978 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:48:35.798353910 CET | 49978 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:48:35.803508043 CET | 4433 | 49978 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:48:35.803527117 CET | 4433 | 49978 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:48:35.803539038 CET | 4433 | 49978 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:48:35.803553104 CET | 4433 | 49978 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:48:35.803558111 CET | 49978 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:48:35.808348894 CET | 4433 | 49978 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:48:51.651451111 CET | 49978 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:48:51.656332016 CET | 4433 | 49978 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:48:51.959949017 CET | 4433 | 49978 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:48:52.009646893 CET | 49978 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:49:08.244127035 CET | 49978 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:49:08.244180918 CET | 49978 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:49:08.250267982 CET | 4433 | 49978 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:49:08.250327110 CET | 49978 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:49:13.197494030 CET | 49979 | 10443 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:49:13.202337027 CET | 10443 | 49979 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:49:13.202416897 CET | 49979 | 10443 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:49:14.749775887 CET | 49979 | 10443 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:49:14.754604101 CET | 10443 | 49979 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:49:14.754693985 CET | 10443 | 49979 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:49:14.754703045 CET | 10443 | 49979 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:49:14.754762888 CET | 10443 | 49979 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:49:15.309130907 CET | 10443 | 49979 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:49:15.353349924 CET | 49979 | 10443 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:49:15.389827967 CET | 49979 | 10443 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:49:15.394653082 CET | 10443 | 49979 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:49:15.394663095 CET | 10443 | 49979 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:49:15.394670010 CET | 10443 | 49979 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:49:15.394711018 CET | 49979 | 10443 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:49:15.394778967 CET | 10443 | 49979 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:49:15.399530888 CET | 10443 | 49979 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:49:29.556636095 CET | 49979 | 10443 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:49:29.556749105 CET | 49979 | 10443 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:49:29.562632084 CET | 10443 | 49979 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:49:29.562691927 CET | 49979 | 10443 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:49:34.510080099 CET | 49980 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:49:34.514926910 CET | 4433 | 49980 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:49:34.515021086 CET | 49980 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:49:35.289638042 CET | 49980 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:49:35.294584990 CET | 4433 | 49980 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:49:35.294595957 CET | 4433 | 49980 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:49:35.294651031 CET | 4433 | 49980 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:49:35.294658899 CET | 4433 | 49980 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:49:35.645710945 CET | 4433 | 49980 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:49:35.697072029 CET | 49980 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:49:35.754518986 CET | 49980 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:49:35.759339094 CET | 4433 | 49980 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:49:35.759349108 CET | 4433 | 49980 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:49:35.759356022 CET | 4433 | 49980 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:49:35.759394884 CET | 49980 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:49:35.759496927 CET | 4433 | 49980 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:49:35.764121056 CET | 4433 | 49980 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:49:51.165927887 CET | 49980 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:49:51.165990114 CET | 49980 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:49:51.170815945 CET | 4433 | 49980 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:49:51.170876980 CET | 49980 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:49:56.119447947 CET | 49981 | 10443 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:49:56.124392986 CET | 10443 | 49981 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:49:56.127475023 CET | 49981 | 10443 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:49:56.988761902 CET | 49981 | 10443 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:49:57.171279907 CET | 10443 | 49981 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:49:57.171341896 CET | 10443 | 49981 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:49:57.171353102 CET | 10443 | 49981 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:49:57.171361923 CET | 10443 | 49981 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:49:57.580425978 CET | 10443 | 49981 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:49:57.679378986 CET | 49981 | 10443 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:49:57.684276104 CET | 10443 | 49981 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:49:57.684319019 CET | 49981 | 10443 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:49:57.684355021 CET | 10443 | 49981 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:49:57.684401035 CET | 10443 | 49981 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:49:57.684411049 CET | 10443 | 49981 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:49:57.689100027 CET | 10443 | 49981 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:50:12.556510925 CET | 49981 | 10443 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:50:12.556545019 CET | 49981 | 10443 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:50:12.561317921 CET | 10443 | 49981 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:50:12.561408043 CET | 49981 | 10443 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:50:17.510011911 CET | 49982 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:50:17.514879942 CET | 4433 | 49982 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:50:17.515064001 CET | 49982 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:50:18.994870901 CET | 49982 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:50:19.000178099 CET | 4433 | 49982 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:50:19.000191927 CET | 4433 | 49982 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:50:19.000252008 CET | 4433 | 49982 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:50:19.000262022 CET | 4433 | 49982 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:50:19.346244097 CET | 4433 | 49982 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:50:19.400150061 CET | 49982 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:50:19.456024885 CET | 49982 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:50:19.460963011 CET | 4433 | 49982 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:50:19.460987091 CET | 4433 | 49982 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:50:19.460995913 CET | 4433 | 49982 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:50:19.461004972 CET | 4433 | 49982 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:50:19.461038113 CET | 49982 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:50:19.465773106 CET | 4433 | 49982 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:50:34.790818930 CET | 49982 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:50:34.790875912 CET | 49982 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:50:34.795619011 CET | 4433 | 49982 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:50:34.797878981 CET | 49982 | 4433 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:50:39.744297028 CET | 49983 | 10443 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:50:39.749154091 CET | 10443 | 49983 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:50:39.750062943 CET | 49983 | 10443 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:50:40.617860079 CET | 49983 | 10443 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:50:40.622762918 CET | 10443 | 49983 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:50:40.622776031 CET | 10443 | 49983 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:50:40.622783899 CET | 10443 | 49983 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:50:40.622916937 CET | 10443 | 49983 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:50:41.187941074 CET | 10443 | 49983 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:50:41.243880033 CET | 49983 | 10443 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:50:41.442517042 CET | 49983 | 10443 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:50:41.447504044 CET | 10443 | 49983 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:50:41.447518110 CET | 10443 | 49983 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:50:41.447525978 CET | 10443 | 49983 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:50:41.447534084 CET | 10443 | 49983 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:50:41.447587013 CET | 49983 | 10443 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:50:41.452334881 CET | 10443 | 49983 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:50:55.853358030 CET | 49983 | 10443 | 192.168.2.5 | 27.124.4.60 |
| Jan 3, 2025 18:50:55.858172894 CET | 10443 | 49983 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:50:56.155967951 CET | 10443 | 49983 | 27.124.4.60 | 192.168.2.5 |
| Jan 3, 2025 18:50:56.243864059 CET | 49983 | 10443 | 192.168.2.5 | 27.124.4.60 |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
| Target ID: | 0 |
| Start time: | 12:46:53 |
| Start date: | 03/01/2025 |
| Path: | C:\Users\user\Desktop\vYeaC4s9zP.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6b2990000 |
| File size: | 389'632 bytes |
| MD5 hash: | 26CB6C247CDFB5215BC60AC7ABD12322 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | false |
Execution Graph
| Execution Coverage: | 7.6% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 38% |
| Total number of Nodes: | 1041 |
| Total number of Limit Nodes: | 42 |
Graph
Function 00007FF6B29962F0 Relevance: 193.3, APIs: 81, Strings: 29, Instructions: 845registrystringprocessCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29AB500 Relevance: 103.7, APIs: 41, Strings: 18, Instructions: 406registrylibrarysleepCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B299F410 Relevance: 81.0, APIs: 35, Strings: 11, Instructions: 532registryprocessfileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29AAD80 Relevance: 75.8, APIs: 27, Strings: 16, Instructions: 529stringregistryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B299FD10 Relevance: 56.3, APIs: 27, Strings: 5, Instructions: 326windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B2997250 Relevance: 54.7, APIs: 26, Strings: 5, Instructions: 457COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29979E0 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 216stringregistrycomCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B2998690 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 149memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29ABCD0 Relevance: 15.0, APIs: 10, Instructions: 33threadsleepsynchronizationCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29C1DA8 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29C2024 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29991A0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 29libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29AC1B0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 71fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B2993B00 Relevance: 4.7, APIs: 3, Instructions: 151timenetworkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B2998900 Relevance: 45.7, APIs: 22, Strings: 4, Instructions: 225memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29A02A0 Relevance: 45.3, APIs: 30, Instructions: 260memorywindowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B299C340 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 297windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B2993820 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 157networkstringtimeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B2998AD0 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 101memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29ABDD0 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 223memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B299D9C0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 137registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29AC2E0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 128fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B299C7B0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 143windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B2998CD0 Relevance: 9.1, APIs: 6, Instructions: 67registrystringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B2998E00 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 239COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B2993E30 Relevance: 6.1, APIs: 4, Instructions: 120threadnetworkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29ADE98 Relevance: 3.0, APIs: 2, Instructions: 22COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29BE6BC Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29BEDD0 Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B2999320 Relevance: 68.5, APIs: 29, Strings: 10, Instructions: 221libraryloaderinjectionCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B299ADB0 Relevance: 63.3, APIs: 30, Strings: 6, Instructions: 286stringclipboardfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B299D410 Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 385stringtimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29997A0 Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 118libraryloaderfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29A0E20 Relevance: 27.3, APIs: 18, Instructions: 322clipboardsleepmemoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B299CD40 Relevance: 26.7, APIs: 7, Strings: 8, Instructions: 406threadinjectionprocessCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B299E3E9 Relevance: 26.3, APIs: 14, Strings: 1, Instructions: 64shutdownCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29AA5A0 Relevance: 25.8, APIs: 17, Instructions: 347memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B299E46D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 62shutdownCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B299E4EE Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 61shutdownCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29C8584 Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B299B410 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 232memorytimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29A0900 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 129registrystringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29C76DC Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 227COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29C8124 Relevance: 10.7, APIs: 7, Instructions: 172COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B299E36A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 31COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29B3A6C Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29AC70C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29C0D10 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29C3760 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29C7A38 Relevance: 1.6, APIs: 1, Instructions: 61COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29C7B08 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29C0838 Relevance: 1.5, APIs: 1, Instructions: 32COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29A9250 Relevance: .7, Instructions: 678COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29A78F0 Relevance: .4, Instructions: 369COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29B6F3C Relevance: .3, Instructions: 327COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29C714C Relevance: .3, Instructions: 271COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29B6228 Relevance: .2, Instructions: 247COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29BFD30 Relevance: .2, Instructions: 198COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29A2EC0 Relevance: .2, Instructions: 188COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29B536C Relevance: .1, Instructions: 146COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29B4F5C Relevance: .1, Instructions: 146COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29B577C Relevance: .1, Instructions: 146COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29B5168 Relevance: .1, Instructions: 145COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29B4D58 Relevance: .1, Instructions: 145COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29B5578 Relevance: .1, Instructions: 145COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29BC51C Relevance: .1, Instructions: 126COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29CC8C0 Relevance: .0, Instructions: 32COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29AE6F4 Relevance: .0, Instructions: 2COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B2994C50 Relevance: 33.2, APIs: 22, Instructions: 199windowthreadnetworkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29A06A0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 140stringprocessCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B2994270 Relevance: 21.1, APIs: 14, Instructions: 119networkstringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29946A0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 171networktimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B2995A80 Relevance: 16.7, APIs: 11, Instructions: 154networkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29A0BC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 52registrystringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29B45E0 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B2994080 Relevance: 13.6, APIs: 9, Instructions: 111timenetworkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B2995D10 Relevance: 13.6, APIs: 9, Instructions: 93timenetworkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29B0C08 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29C08B4 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B299E01F Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 94filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B2994A90 Relevance: 12.1, APIs: 8, Instructions: 104networkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29B9480 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 494COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B2994470 Relevance: 10.6, APIs: 7, Instructions: 143threadnetworktimeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B299B9E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 140COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29A1D30 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 133COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29B352C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29A0CA0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 82processstringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29BEA70 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29CCC80 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B299ACF0 Relevance: 10.5, APIs: 7, Instructions: 40filesynchronizationstringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B299EF25 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 34registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B2999220 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 26processCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29B10D8 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 320COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B2995300 Relevance: 9.1, APIs: 6, Instructions: 63synchronizationtimeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29BEBE8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29BBC90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B299EFA3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29CC6BC Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29BECB0 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B2995640 Relevance: 7.5, APIs: 5, Instructions: 26synchronizationsleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29B184C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 190COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29AFA80 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29B15DC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29B1DCC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29AE760 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B2993FF0 Relevance: 6.0, APIs: 4, Instructions: 22synchronizationsleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29A1840 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 202COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29B2004 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B299DC4D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29C1CC4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29B269C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29BBF84 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29CAE54 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF6B29B0050 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|