Edit tour
Windows
Analysis Report
yIR0BZUT2A.exe
Overview
General Information
| Sample name: | yIR0BZUT2A.exerenamed because original name is a hash value |
| Original sample name: | d290cccbc59f0fa1d5e5d36a88785795.exe |
| Analysis ID: | 1585729 |
| MD5: | d290cccbc59f0fa1d5e5d36a88785795 |
| SHA1: | 426910443aec2075365cece2514801ea3254d0ca |
| SHA256: | 061f46e583ce23f357dba77ee0f455e31304231538a6820b0948f9bddc1e9b6e |
| Tags: | exeValleyRATuser-abuse_ch |
| Infos: |   |
 | |
Detection
GhostRat
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GhostRat
AI detected suspicious sample
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Found evasive API chain (may stop execution after checking mutex)
Found stalling execution ending in API Sleep call
Sample is not signed and drops a device driver
Sigma detected: Potentially Suspicious Malware Callback Communication
Tries to detect sandboxes / dynamic malware analysis system (QueryWinSAT)
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks for available system drives (often done to infect USB drives)
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates driver files
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain checking for process token information
Installs a global mouse hook
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Stores large binary data to the registry
Classification
- System is w10x64
yIR0BZUT2A.exe (PID: 7056 cmdline: "C:\Users\ user\Deskt op\yIR0BZU T2A.exe" MD5: D290CCCBC59F0FA1D5E5D36A88785795)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security | ||
| JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-08T05:52:01.260779+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 154.91.90.234 | 4433 | TCP |
| 2025-01-08T05:53:07.512968+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 154.91.90.234 | 4433 | TCP |
| 2025-01-08T05:54:08.867603+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.4 | 54649 | 154.91.90.234 | 4433 | TCP |
| 2025-01-08T05:55:51.557688+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.4 | 54653 | 154.91.90.234 | 4433 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Static PE information: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Code function: | 0_2_00007FF62A97F410 | |
| Source: | Code function: | 0_2_00007FF62A9A4190 | |
| Source: | Code function: | 0_2_00007FF62A976370 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | ASN Name: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 0_2_00007FF62A973B00 | |
Key, Mouse, Clipboard, Microphone and Screen Capturing | |
|---|
| Source: | Code function: | 0_2_00007FF62A97ADB0 | |
| Source: | Code function: | 0_2_00007FF62A980DA0 | |
| Source: | Code function: | 0_2_00007FF62A980DA0 | |
| Source: | Code function: | 0_2_00007FF62A980DA0 | |
| Source: | Code function: | 0_2_00007FF62A97FD10 | |
| Source: | Code function: | 0_2_00007FF62A9772D0 | |
| Source: | Windows user hook set: | Jump to behavior | ||
| Source: | Process Stats: | ||
| Source: | Code function: | 0_2_00007FF62A98C400 | |
| Source: | Code function: | 0_2_00007FF62A97E3E9 | |
| Source: | Code function: | 0_2_00007FF62A97E4EE | |
| Source: | Code function: | 0_2_00007FF62A97E46D | |
| Source: | File created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00007FF62A97B410 | |
| Source: | Code function: | 0_2_00007FF62A97F410 | |
| Source: | Code function: | 0_2_00007FF62A976370 | |
| Source: | Code function: | 0_2_00007FF62A971500 | |
| Source: | Code function: | 0_2_00007FF62A97FD10 | |
| Source: | Code function: | 0_2_00007FF62A9772D0 | |
| Source: | Code function: | 0_2_00007FF62A977A60 | |
| Source: | Code function: | 0_2_00007FF62A9780C0 | |
| Source: | Code function: | 0_2_00007FF62A9A2048 | |
| Source: | Code function: | 0_2_00007FF62A98B5E0 | |
| Source: | Code function: | 0_2_00007FF62A98AE60 | |
| Source: | Code function: | 0_2_00007FF62A998EB0 | |
| Source: | Code function: | 0_2_00007FF62A9A73EC | |
| Source: | Code function: | 0_2_00007FF62A995408 | |
| Source: | Code function: | 0_2_00007FF62A97D410 | |
| Source: | Code function: | 0_2_00007FF62A99F4BC | |
| Source: | Code function: | 0_2_00007FF62A9964C8 | |
| Source: | Code function: | 0_2_00007FF62A979480 | |
| Source: | Code function: | 0_2_00007FF62A9A29E4 | |
| Source: | Code function: | 0_2_00007FF62A9971DC | |
| Source: | Code function: | 0_2_00007FF62A9879D0 | |
| Source: | Code function: | 0_2_00007FF62A995A1C | |
| Source: | Code function: | 0_2_00007FF62A9A3A00 | |
| Source: | Code function: | 0_2_00007FF62A9951FC | |
| Source: | Code function: | 0_2_00007FF62A99F950 | |
| Source: | Code function: | 0_2_00007FF62A9A4190 | |
| Source: | Code function: | 0_2_00007FF62A9A22C4 | |
| Source: | Code function: | 0_2_00007FF62A989330 | |
| Source: | Code function: | 0_2_00007FF62A99C7BC | |
| Source: | Code function: | 0_2_00007FF62A99FFD0 | |
| Source: | Code function: | 0_2_00007FF62A9A5FD4 | |
| Source: | Code function: | 0_2_00007FF62A9A8824 | |
| Source: | Code function: | 0_2_00007FF62A995818 | |
| Source: | Code function: | 0_2_00007FF62A994FF8 | |
| Source: | Code function: | 0_2_00007FF62A99A798 | |
| Source: | Code function: | 0_2_00007FF62A982FA0 | |
| Source: | Code function: | 0_2_00007FF62A979900 | |
| Source: | Code function: | 0_2_00007FF62A99684C | |
| Source: | Code function: | 0_2_00007FF62A980880 | |
| Source: | Code function: | 0_2_00007FF62A9975E0 | |
| Source: | Code function: | 0_2_00007FF62A99B5F0 | |
| Source: | Code function: | 0_2_00007FF62A99D5C0 | |
| Source: | Code function: | 0_2_00007FF62A99560C | |
| Source: | Code function: | 0_2_00007FF62A97CD40 | |
| Source: | Code function: | 0_2_00007FF62A97ADB0 | |
| Source: | Code function: | 0_2_00007FF62A99AF20 | |
| Source: | Code function: | 0_2_00007FF62A972E50 | |
| Source: | Code function: | 0_2_00007FF62A98A680 | |
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_00007FF62A98B5E0 | |
| Source: | Code function: | 0_2_00007FF62A97E3E9 | |
| Source: | Code function: | 0_2_00007FF62A97E4EE | |
| Source: | Code function: | 0_2_00007FF62A97E46D | |
| Source: | Code function: | 0_2_00007FF62A979480 | |
| Source: | Code function: | 0_2_00007FF62A976370 | |
| Source: | Code function: | 0_2_00007FF62A97F410 | |
| Source: | Code function: | 0_2_00007FF62A976370 | |
| Source: | Mutant created: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | Virustotal: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00007FF62A976370 | |
Persistence and Installation Behavior | |
|---|
| Source: | File created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00007FF62A97E36A | |
| Source: | Key value created or modified: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | Evasive API call chain: | graph_0-21653 | ||
| Source: | Stalling execution: | graph_0-21131 | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Code function: | 0_2_00007FF62A976370 | |
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Check user administrative privileges: | graph_0-21738 | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_00007FF62A97F410 | |
| Source: | Code function: | 0_2_00007FF62A9A4190 | |
| Source: | Code function: | 0_2_00007FF62A976370 | |
| Source: | Code function: | 0_2_00007FF62A976370 | |
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_00007FF62A98B5E0 | |
| Source: | Code function: | 0_2_00007FF62A98C82C | |
| Source: | Code function: | 0_2_00007FF62A976370 | |
| Source: | Code function: | 0_2_00007FF62A976370 | |
| Source: | Code function: | 0_2_00007FF62A978710 | |
| Source: | Code function: | 0_2_00007FF62A98B5E0 | |
| Source: | Code function: | 0_2_00007FF62A98BDF0 | |
| Source: | Code function: | 0_2_00007FF62A993D0C | |
| Source: | Code function: | 0_2_00007FF62A98EA00 | |
| Source: | Code function: | 0_2_00007FF62A98E814 | |
| Source: | Code function: | 0_2_00007FF62A98E66C | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Code function: | 0_2_00007FF62A979480 | |
| Source: | Code function: | 0_2_00007FF62A979480 | |
| Source: | Code function: | 0_2_00007FF62A979480 | |
| Source: | Code function: | 0_2_00007FF62A98B5E0 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_00007FF62A9ACB60 | |
| Source: | Code function: | 0_2_00007FF62A976370 | |
| Source: | Code function: | 0_2_00007FF62A9A83C4 | |
| Source: | Code function: | 0_2_00007FF62A9A7CD8 | |
| Source: | Code function: | 0_2_00007FF62A9A81E0 | |
| Source: | Code function: | 0_2_00007FF62A9A797C | |
| Source: | Code function: | 0_2_00007FF62A9A0AD8 | |
| Source: | Code function: | 0_2_00007FF62A9A8290 | |
| Source: | Code function: | 0_2_00007FF62A9A0FB0 | |
| Source: | Code function: | 0_2_00007FF62A9A8088 | |
| Source: | Code function: | 0_2_00007FF62A9A7DA8 | |
| Source: | Code function: | 0_2_00007FF62A9A7E40 | |
| Source: | Code function: | 0_2_00007FF62A976370 | |
| Source: | Code function: | 0_2_00007FF62A9A2048 | |
| Source: | Code function: | 0_2_00007FF62A978A40 | |
| Source: | Binary or memory string: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | 1 Replication Through Removable Media | 12 Native API | 1 Windows Service | 1 Access Token Manipulation | 1 Modify Registry | 121 Input Capture | 2 System Time Discovery | Remote Services | 1 Screen Capture | 1 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Windows Service | 1 Virtualization/Sandbox Evasion | LSASS Memory | 151 Security Software Discovery | Remote Desktop Protocol | 121 Input Capture | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 211 Process Injection | 1 Access Token Manipulation | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Archive Collected Data | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 211 Process Injection | NTDS | 3 Process Discovery | Distributed Component Object Model | 3 Clipboard Data | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Indicator Removal | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 11 Peripheral Device Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 2 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 26 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 53% | ReversingLabs | Win64.Trojan.SpywareX | ||
| 68% | Virustotal | Browse |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No contacted domains info
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 154.91.90.234 | unknown | Seychelles | 134705 | ITACE-AS-APItaceInternationalLimitedHK | true |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1585729 |
| Start date and time: | 2025-01-08 05:51:05 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 6m 40s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 5 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | yIR0BZUT2A.exerenamed because original name is a hash value |
| Original Sample Name: | d290cccbc59f0fa1d5e5d36a88785795.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@1/1@0/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, 7.4.8.4.4.3.1.4.0.0.0.0.0.0.0.0.0.0.0.a.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtEnumerateKey calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
| Time | Type | Description |
|---|---|---|
| 23:52:28 | API Interceptor |
⊘No context
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| ITACE-AS-APItaceInternationalLimitedHK | Get hash | malicious | ValleyRAT | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | SmokeLoader | Browse |
| ||
| Get hash | malicious | Gafgyt, Mirai | Browse |
| ||
| Get hash | malicious | Gafgyt, Mirai | Browse |
| ||
| Get hash | malicious | Gafgyt, Mirai | Browse |
| ||
| Get hash | malicious | Gafgyt, Mirai | Browse |
| ||
| Get hash | malicious | Mirai, Moobot | Browse |
| ||
| Get hash | malicious | Mirai, Gafgyt | Browse |
|
⊘No context
⊘No context
| Process: | C:\Users\user\Desktop\yIR0BZUT2A.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 30 |
| Entropy (8bit): | 2.6616157143988106 |
| Encrypted: | false |
| SSDEEP: | 3:tblM6lEjln:tbhEZn |
| MD5: | AE50B29A0B8DCC411F24F1863B0EAFDE |
| SHA1: | D415A55627B1ADED8E4B2CBBA402F816B0461155 |
| SHA-256: | 6B4BBBCE480FBC50D39A8EC4B72CDB7D781B151921E063DD899FD9B736ADCF68 |
| SHA-512: | D9A9BA42D99BE32D26667060BE1D523DCD20EAFA187A67F7919002CC6DA349FD058053C9C6F721D6FDB730EA02FBAA3013E51C0C653368BD6B3F57A4C0FCABA8 |
| Malicious: | true |
| Reputation: | moderate, very likely benign file |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.060232935611435 |
| TrID: |
|
| File name: | yIR0BZUT2A.exe |
| File size: | 390'656 bytes |
| MD5: | d290cccbc59f0fa1d5e5d36a88785795 |
| SHA1: | 426910443aec2075365cece2514801ea3254d0ca |
| SHA256: | 061f46e583ce23f357dba77ee0f455e31304231538a6820b0948f9bddc1e9b6e |
| SHA512: | 3c431febb985275a84da02263d67b7cc2b98fd1fc7f9e7c8f1bcb442e6d790f929047670862cf6da2e450366c75cb6c4271156c27fa8e32035588dceb5e38238 |
| SSDEEP: | 6144:rvy/g/Oe2CZNHfXmv9m7tvT7DYewsPJimci9vrBP2kbLjNy:2/KlpTXmv9mpvv0iPJPBr9zNy |
| TLSH: | 3D847E49FB9409F8E467C138C9A34916EBB27C5913A09BDF33A4466A2F237D05D3EB11 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B..R............M.......M.......M.......M........O.......O.......O..S...M.......M...........3...MN......MN......Rich........... |
 | |
| Icon Hash: | 90cececece8e8eb0 |
| Entrypoint: | 0x14001e25c |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x140000000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
| DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x6763E626 [Thu Dec 19 09:23:50 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 1db3bac59c066f9b53b8b3b6b99b874b |
| Instruction |
|---|
| dec eax |
| sub esp, 28h |
| call 00007F5BF4835680h |
| dec eax |
| add esp, 28h |
| jmp 00007F5BF4834ED7h |
| int3 |
| int3 |
| dec eax |
| sub esp, 28h |
| dec ebp |
| mov eax, dword ptr [ecx+38h] |
| dec eax |
| mov ecx, edx |
| dec ecx |
| mov edx, ecx |
| call 00007F5BF4835072h |
| mov eax, 00000001h |
| dec eax |
| add esp, 28h |
| ret |
| int3 |
| int3 |
| int3 |
| inc eax |
| push ebx |
| inc ebp |
| mov ebx, dword ptr [eax] |
| dec eax |
| mov ebx, edx |
| inc ecx |
| and ebx, FFFFFFF8h |
| dec esp |
| mov ecx, ecx |
| inc ecx |
| test byte ptr [eax], 00000004h |
| dec esp |
| mov edx, ecx |
| je 00007F5BF4835075h |
| inc ecx |
| mov eax, dword ptr [eax+08h] |
| dec ebp |
| arpl word ptr [eax+04h], dx |
| neg eax |
| dec esp |
| add edx, ecx |
| dec eax |
| arpl ax, cx |
| dec esp |
| and edx, ecx |
| dec ecx |
| arpl bx, ax |
| dec edx |
| mov edx, dword ptr [eax+edx] |
| dec eax |
| mov eax, dword ptr [ebx+10h] |
| mov ecx, dword ptr [eax+08h] |
| dec eax |
| mov eax, dword ptr [ebx+08h] |
| test byte ptr [ecx+eax+03h], 0000000Fh |
| je 00007F5BF483506Dh |
| movzx eax, byte ptr [ecx+eax+03h] |
| and eax, FFFFFFF0h |
| dec esp |
| add ecx, eax |
| dec esp |
| xor ecx, edx |
| dec ecx |
| mov ecx, ecx |
| pop ebx |
| jmp 00007F5BF483507Ah |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| nop word ptr [eax+eax+00000000h] |
| dec eax |
| cmp ecx, dword ptr [00036D39h] |
| jne 00007F5BF4835072h |
| dec eax |
| rol ecx, 10h |
| test cx, FFFFh |
| jne 00007F5BF4835063h |
| ret |
| dec eax |
| ror ecx, 10h |
| jmp 00007F5BF483577Bh |
| int3 |
| int3 |
| dec eax |
| mov dword ptr [esp+00h], ebx |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x52400 | 0x104 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x60000 | 0x3450 | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x64000 | 0xc8c | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x4c7c0 | 0x38 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x4c980 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4c680 | 0x140 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x3f000 | 0x920 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x3df70 | 0x3e000 | 2b6c6c8b93239d65e2449c4cc33eda20 | False | 0.5452683971774194 | data | 6.461526088950339 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x3f000 | 0x151e8 | 0x15200 | 0f93661560d08fd5133b1ecad98a47aa | False | 0.4156804733727811 | data | 4.936195594835422 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x55000 | 0xaa9c | 0x7c00 | 02896d874f254d4521f959657c33941d | False | 0.10650831653225806 | DOS executable (block device driver \377\3) | 1.586961638922988 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .pdata | 0x60000 | 0x3450 | 0x3600 | b6a68cd5b1e86136baf9e34e01cfad8b | False | 0.4622395833333333 | data | 5.530289196450094 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x64000 | 0xc8c | 0xe00 | a952b87812e4781581800f8699e0d5a4 | False | 0.49302455357142855 | data | 5.228153224182403 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| DLL | Import |
|---|---|
| KERNEL32.dll | QueryDosDeviceW, WriteProcessMemory, GetCommandLineW, GetCurrentProcess, WriteFile, OutputDebugStringA, GetModuleFileNameW, GetProcessId, CreateMutexW, GetLocaleInfoW, LocalAlloc, CreateFileW, GetVersionExW, K32GetProcessImageFileNameW, GetSystemDirectoryW, ResumeThread, GetModuleHandleA, OpenProcess, GetLogicalDriveStringsW, CreateToolhelp32Snapshot, MultiByteToWideChar, Process32NextW, GetDiskFreeSpaceExW, GetSystemDirectoryA, LoadLibraryA, lstrcatW, GlobalAlloc, Process32FirstW, GlobalFree, GetSystemInfo, LoadLibraryW, GetLocalTime, VirtualProtectEx, GetThreadContext, GetProcAddress, VirtualAllocEx, LocalFree, ExitProcess, GetCurrentProcessId, GlobalMemoryStatusEx, CreateProcessW, GetModuleHandleW, FreeLibrary, GetConsoleWindow, lstrcpyW, CreateRemoteThread, CreateProcessA, SetThreadContext, GetModuleFileNameA, GetTickCount, lstrcmpW, GetDriveTypeW, GetExitCodeProcess, SetFilePointer, ReleaseMutex, GlobalSize, DeleteFileW, GlobalLock, GetFileSize, GlobalUnlock, FindFirstFileW, ExpandEnvironmentStringsW, FindClose, GetFileAttributesW, TerminateThread, VirtualProtect, IsBadReadPtr, CreateThread, IsDebuggerPresent, SetUnhandledExceptionFilter, WriteConsoleW, GetCurrentThreadId, GetConsoleMode, GetConsoleOutputCP, FlushFileBuffers, SetFilePointerEx, SetStdHandle, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, LCMapStringW, CompareStringW, FlsFree, FlsSetValue, GetStartupInfoW, CreateWaitableTimerW, SetWaitableTimer, TryEnterCriticalSection, WideCharToMultiByte, ResetEvent, CreateEventW, lstrlenW, CancelIo, GetNativeSystemInfo, SetLastError, lstrcmpiW, CreateEventA, CloseHandle, SetEvent, Sleep, WaitForSingleObject, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, HeapCreate, HeapFree, GetProcessHeap, DeleteCriticalSection, HeapDestroy, DecodePointer, HeapAlloc, HeapReAlloc, GetLastError, HeapSize, InitializeCriticalSectionEx, VirtualAlloc, VirtualFree, FlsGetValue, FlsAlloc, GetFileType, GetCommandLineA, GetStdHandle, VirtualQuery, GetModuleHandleExW, FreeLibraryAndExitThread, ExitThread, LoadLibraryExW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, RtlPcToFileHeader, RtlUnwindEx, lstrcpyA, CreateFileA, GetSystemDefaultLangID, DeviceIoControl, TerminateProcess, InitializeSListHead, GetSystemTimeAsFileTime, QueryPerformanceCounter, IsProcessorFeaturePresent, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, SleepConditionVariableSRW, WakeAllConditionVariable, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, GetCPInfo, LCMapStringEx, EncodePointer, CompareStringEx, GetStringTypeW, RaiseException, OutputDebugStringW, SwitchToThread |
| USER32.dll | GetForegroundWindow, GetLastInputInfo, GetClipboardData, GetWindowTextW, GetKeyState, ReleaseDC, GetDesktopWindow, SetClipboardData, CloseClipboard, wsprintfW, ExitWindowsEx, ShowWindow, PostThreadMessageA, GetInputState, GetDC, GetSystemMetrics, EmptyClipboard, MsgWaitForMultipleObjects, DispatchMessageW, PeekMessageW, TranslateMessage, OpenClipboard |
| GDI32.dll | CreateCompatibleBitmap, SelectObject, CreateDIBSection, SetDIBColorTable, CreateCompatibleDC, StretchBlt, GetDIBits, GetDeviceCaps, GetObjectW, SetStretchBltMode, DeleteObject, DeleteDC |
| ADVAPI32.dll | RegQueryInfoKeyW, RegQueryValueExW, AllocateAndInitializeSid, FreeSid, CheckTokenMembership, ClearEventLogW, CloseEventLog, OpenEventLogW, LookupPrivilegeValueW, AdjustTokenPrivileges, GetCurrentHwProfileW, RegCloseKey, GetSidSubAuthorityCount, GetSidSubAuthority, RegEnumKeyExW, RegSetValueExW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, LookupAccountSidW, GetTokenInformation |
| SHELL32.dll | SHGetFolderPathW |
| ole32.dll | CreateStreamOnHGlobal, GetHGlobalFromStream, CoCreateInstance, CoUninitialize, CoInitialize |
| OLEAUT32.dll | SysFreeString, SysAllocString, SysStringLen |
| WS2_32.dll | select, WSAStartup, send, socket, connect, recv, htons, setsockopt, WSAIoctl, gethostbyname, WSAGetLastError, WSAEnumNetworkEvents, WSAWaitForMultipleEvents, WSAResetEvent, WSAEventSelect, WSASetLastError, WSACloseEvent, shutdown, gethostname, inet_ntoa, WSACleanup, closesocket, WSACreateEvent |
| WINMM.dll | timeGetTime |
| gdiplus.dll | GdipDisposeImage, GdipCreateBitmapFromHBITMAP, GdipGetImagePixelFormat, GdiplusShutdown, GdipDrawImageI, GdipFree, GdipSaveImageToStream, GdipGetImageWidth, GdipGetImagePalette, GdipDeleteGraphics, GdipGetImageEncodersSize, GdipGetImageGraphicsContext, GdipBitmapLockBits, GdipCreateBitmapFromScan0, GdipAlloc, GdiplusStartup, GdipGetImageHeight, GdipGetImageEncoders, GdipGetImagePaletteSize, GdipCloneImage, GdipBitmapUnlockBits, GdipCreateBitmapFromStream |
| dxgi.dll | CreateDXGIFactory |
| DINPUT8.dll | DirectInput8Create |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-08T05:52:01.260779+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.4 | 49730 | 154.91.90.234 | 4433 | TCP |
| 2025-01-08T05:53:07.512968+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.4 | 49730 | 154.91.90.234 | 4433 | TCP |
| 2025-01-08T05:54:08.867603+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.4 | 54649 | 154.91.90.234 | 4433 | TCP |
| 2025-01-08T05:55:51.557688+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.4 | 54653 | 154.91.90.234 | 4433 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 8, 2025 05:52:00.089695930 CET | 49730 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:52:00.094626904 CET | 4433 | 49730 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:52:00.094722033 CET | 49730 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:52:00.863348007 CET | 49730 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:52:00.868350029 CET | 4433 | 49730 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:52:00.868391037 CET | 4433 | 49730 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:52:00.868437052 CET | 4433 | 49730 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:52:00.868459940 CET | 4433 | 49730 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:52:01.172449112 CET | 4433 | 49730 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:52:01.215883017 CET | 49730 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:52:01.255769968 CET | 49730 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:52:01.260691881 CET | 4433 | 49730 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:52:01.260704994 CET | 4433 | 49730 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:52:01.260714054 CET | 4433 | 49730 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:52:01.260718107 CET | 4433 | 49730 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:52:01.260778904 CET | 49730 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:52:01.265573025 CET | 4433 | 49730 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:52:17.028435946 CET | 49730 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:52:17.033441067 CET | 4433 | 49730 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:52:17.367533922 CET | 4433 | 49730 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:52:17.418977976 CET | 49730 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:52:33.622212887 CET | 49730 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:52:33.627137899 CET | 4433 | 49730 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:52:33.928493023 CET | 4433 | 49730 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:52:33.981506109 CET | 49730 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:52:40.301570892 CET | 54380 | 53 | 192.168.2.4 | 162.159.36.2 |
| Jan 8, 2025 05:52:40.306420088 CET | 53 | 54380 | 162.159.36.2 | 192.168.2.4 |
| Jan 8, 2025 05:52:40.306487083 CET | 54380 | 53 | 192.168.2.4 | 162.159.36.2 |
| Jan 8, 2025 05:52:40.311338902 CET | 53 | 54380 | 162.159.36.2 | 192.168.2.4 |
| Jan 8, 2025 05:52:40.770030975 CET | 54380 | 53 | 192.168.2.4 | 162.159.36.2 |
| Jan 8, 2025 05:52:40.775059938 CET | 53 | 54380 | 162.159.36.2 | 192.168.2.4 |
| Jan 8, 2025 05:52:40.775113106 CET | 54380 | 53 | 192.168.2.4 | 162.159.36.2 |
| Jan 8, 2025 05:52:50.325372934 CET | 49730 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:52:50.330284119 CET | 4433 | 49730 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:52:50.631928921 CET | 4433 | 49730 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:52:50.684770107 CET | 49730 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:53:07.512968063 CET | 49730 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:53:07.517818928 CET | 4433 | 49730 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:53:07.819251060 CET | 4433 | 49730 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:53:07.872179031 CET | 49730 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:53:24.794329882 CET | 49730 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:53:24.800461054 CET | 4433 | 49730 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:53:25.112510920 CET | 4433 | 49730 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:53:25.325321913 CET | 49730 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:53:41.309736013 CET | 49730 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:53:41.309777975 CET | 49730 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:53:41.314587116 CET | 4433 | 49730 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:53:41.317359924 CET | 49730 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:53:46.263338089 CET | 54648 | 10443 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:53:46.268227100 CET | 10443 | 54648 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:53:46.271362066 CET | 54648 | 10443 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:53:47.156785965 CET | 54648 | 10443 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:53:47.161753893 CET | 10443 | 54648 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:53:47.161766052 CET | 10443 | 54648 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:53:47.161773920 CET | 10443 | 54648 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:53:47.161802053 CET | 10443 | 54648 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:53:47.725117922 CET | 10443 | 54648 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:53:47.778529882 CET | 54648 | 10443 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:53:47.834391117 CET | 54648 | 10443 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:53:47.839265108 CET | 10443 | 54648 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:53:47.839277029 CET | 10443 | 54648 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:53:47.839308977 CET | 10443 | 54648 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:53:47.839315891 CET | 54648 | 10443 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:53:47.839329004 CET | 10443 | 54648 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:53:47.844156027 CET | 10443 | 54648 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:54:02.122626066 CET | 54648 | 10443 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:54:02.122658968 CET | 54648 | 10443 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:54:02.127501011 CET | 10443 | 54648 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:54:02.127567053 CET | 54648 | 10443 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:54:07.093420029 CET | 54649 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:54:07.098400116 CET | 4433 | 54649 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:54:07.098476887 CET | 54649 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:54:08.421977043 CET | 54649 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:54:08.427301884 CET | 4433 | 54649 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:54:08.427405119 CET | 4433 | 54649 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:54:08.427414894 CET | 4433 | 54649 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:54:08.427423954 CET | 4433 | 54649 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:54:08.783978939 CET | 4433 | 54649 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:54:08.825350046 CET | 54649 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:54:08.862683058 CET | 54649 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:54:08.867554903 CET | 4433 | 54649 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:54:08.867564917 CET | 4433 | 54649 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:54:08.867573023 CET | 4433 | 54649 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:54:08.867597103 CET | 4433 | 54649 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:54:08.867603064 CET | 54649 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:54:08.872359037 CET | 4433 | 54649 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:54:23.138140917 CET | 54649 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:54:23.138237000 CET | 54649 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:54:23.143124104 CET | 4433 | 54649 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:54:23.143186092 CET | 54649 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:54:28.092073917 CET | 54650 | 10443 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:54:28.096945047 CET | 10443 | 54650 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:54:28.097141027 CET | 54650 | 10443 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:54:29.079698086 CET | 54650 | 10443 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:54:29.084651947 CET | 10443 | 54650 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:54:29.084665060 CET | 10443 | 54650 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:54:29.084675074 CET | 10443 | 54650 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:54:29.084882021 CET | 10443 | 54650 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:54:29.635668039 CET | 10443 | 54650 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:54:29.684748888 CET | 54650 | 10443 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:54:29.967488050 CET | 54650 | 10443 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:54:29.972436905 CET | 10443 | 54650 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:54:29.972449064 CET | 10443 | 54650 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:54:29.972460985 CET | 10443 | 54650 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:54:29.972527981 CET | 10443 | 54650 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:54:30.035533905 CET | 54650 | 10443 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:54:30.040626049 CET | 10443 | 54650 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:54:44.528723955 CET | 54650 | 10443 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:54:44.528877020 CET | 54650 | 10443 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:54:44.533576965 CET | 10443 | 54650 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:54:44.535387039 CET | 54650 | 10443 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:54:49.482064962 CET | 54651 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:54:49.487061024 CET | 4433 | 54651 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:54:49.487397909 CET | 54651 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:54:50.411772966 CET | 54651 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:54:50.416695118 CET | 4433 | 54651 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:54:50.416717052 CET | 4433 | 54651 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:54:50.416753054 CET | 4433 | 54651 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:54:50.416790962 CET | 4433 | 54651 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:54:50.793350935 CET | 4433 | 54651 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:54:50.841021061 CET | 54651 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:54:50.938977957 CET | 54651 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:54:50.943788052 CET | 4433 | 54651 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:54:50.943799019 CET | 4433 | 54651 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:54:50.943809032 CET | 4433 | 54651 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:54:50.943927050 CET | 4433 | 54651 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:54:50.958345890 CET | 54651 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:54:50.963279009 CET | 4433 | 54651 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:55:05.966101885 CET | 54651 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:55:05.970989943 CET | 4433 | 54651 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:55:06.273088932 CET | 4433 | 54651 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:55:06.372289896 CET | 54651 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:55:23.497359037 CET | 54651 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:55:23.497396946 CET | 54651 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:55:23.502289057 CET | 4433 | 54651 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:55:23.503403902 CET | 54651 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:55:28.480648994 CET | 54652 | 10443 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:55:28.485526085 CET | 10443 | 54652 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:55:28.485603094 CET | 54652 | 10443 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:55:29.298566103 CET | 54652 | 10443 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:55:29.303502083 CET | 10443 | 54652 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:55:29.303514957 CET | 10443 | 54652 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:55:29.303523064 CET | 10443 | 54652 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:55:29.303742886 CET | 10443 | 54652 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:55:29.865904093 CET | 10443 | 54652 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:55:29.919202089 CET | 54652 | 10443 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:55:30.021357059 CET | 54652 | 10443 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:55:30.026828051 CET | 10443 | 54652 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:55:30.026839972 CET | 10443 | 54652 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:55:30.026850939 CET | 10443 | 54652 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:55:30.026860952 CET | 10443 | 54652 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:55:30.026902914 CET | 54652 | 10443 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:55:30.031788111 CET | 10443 | 54652 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:55:45.122459888 CET | 54652 | 10443 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:55:45.122613907 CET | 54652 | 10443 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:55:45.127371073 CET | 10443 | 54652 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:55:45.129604101 CET | 54652 | 10443 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:55:50.091464043 CET | 54653 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:55:50.096494913 CET | 4433 | 54653 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:55:50.096566916 CET | 54653 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:55:50.887164116 CET | 54653 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:55:50.892015934 CET | 4433 | 54653 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:55:50.892026901 CET | 4433 | 54653 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:55:50.892041922 CET | 4433 | 54653 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:55:50.892348051 CET | 4433 | 54653 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:55:51.465368986 CET | 4433 | 54653 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:55:51.512984991 CET | 54653 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:55:51.551748037 CET | 54653 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:55:51.557617903 CET | 4433 | 54653 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:55:51.557687998 CET | 54653 | 4433 | 192.168.2.4 | 154.91.90.234 |
| Jan 8, 2025 05:55:51.557728052 CET | 4433 | 54653 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:55:51.557738066 CET | 4433 | 54653 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:55:51.557745934 CET | 4433 | 54653 | 154.91.90.234 | 192.168.2.4 |
| Jan 8, 2025 05:55:51.563563108 CET | 4433 | 54653 | 154.91.90.234 | 192.168.2.4 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 8, 2025 05:52:40.301124096 CET | 53 | 50440 | 162.159.36.2 | 192.168.2.4 |
| Jan 8, 2025 05:52:41.058515072 CET | 53 | 57248 | 1.1.1.1 | 192.168.2.4 |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
| Target ID: | 0 |
| Start time: | 23:51:52 |
| Start date: | 07/01/2025 |
| Path: | C:\Users\user\Desktop\yIR0BZUT2A.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff62a970000 |
| File size: | 390'656 bytes |
| MD5 hash: | D290CCCBC59F0FA1D5E5D36A88785795 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | false |
Execution Graph
| Execution Coverage: | 8% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 45% |
| Total number of Nodes: | 1152 |
| Total number of Limit Nodes: | 47 |
Graph
Function 00007FF62A976370 Relevance: 193.3, APIs: 81, Strings: 29, Instructions: 845registrystringprocessCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A98B5E0 Relevance: 103.7, APIs: 41, Strings: 18, Instructions: 429registrylibrarysleepCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A97F410 Relevance: 81.0, APIs: 35, Strings: 11, Instructions: 532registryprocessfileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A98AE60 Relevance: 75.8, APIs: 27, Strings: 16, Instructions: 529stringregistryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A9772D0 Relevance: 54.7, APIs: 26, Strings: 5, Instructions: 457COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A97FD10 Relevance: 54.6, APIs: 26, Strings: 5, Instructions: 318windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A978A40 Relevance: 49.3, APIs: 24, Strings: 4, Instructions: 255COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A978710 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 244memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A977A60 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 216stringregistrycomCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A97B410 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 232memorytimeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A98C400 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 128fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A98BDF0 Relevance: 15.0, APIs: 10, Instructions: 33threadsleepsynchronizationCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A9A2048 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A9A22C4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A973B00 Relevance: 4.7, APIs: 3, Instructions: 151timenetworkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A980220 Relevance: 45.3, APIs: 30, Instructions: 260memorywindowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A97C340 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 297windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A973820 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 157networkstringtimeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A978C30 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 101memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A98BEF0 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 223memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A97D9C0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 137registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A97C7B0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 143windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A979300 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 29libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A978E30 Relevance: 9.1, APIs: 6, Instructions: 67registrystringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A978F60 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 239COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A98C2D0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 71fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A973E30 Relevance: 6.1, APIs: 4, Instructions: 120threadnetworkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A98DFB8 Relevance: 3.0, APIs: 2, Instructions: 22COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A99E95C Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A99F070 Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A979480 Relevance: 68.5, APIs: 29, Strings: 10, Instructions: 221libraryloaderinjectionCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A97ADB0 Relevance: 63.3, APIs: 30, Strings: 6, Instructions: 286stringclipboardfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A97D410 Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 385stringtimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A979900 Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 118libraryloaderfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A980DA0 Relevance: 27.3, APIs: 18, Instructions: 322clipboardsleepmemoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A97CD40 Relevance: 26.7, APIs: 7, Strings: 8, Instructions: 406threadinjectionprocessCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A97E3E9 Relevance: 26.3, APIs: 14, Strings: 1, Instructions: 64shutdownCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A98A680 Relevance: 25.8, APIs: 17, Instructions: 347memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A97E46D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 62shutdownCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A97E4EE Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 61shutdownCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A9A8824 Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A980880 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 129registrystringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A9A797C Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 227COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A9A83C4 Relevance: 10.7, APIs: 7, Instructions: 172COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A97E36A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 31COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A993D0C Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A98C82C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A9A0FB0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A9A3A00 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A9A7CD8 Relevance: 1.6, APIs: 1, Instructions: 61COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A9A7DA8 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A9A0AD8 Relevance: 1.5, APIs: 1, Instructions: 32COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A989330 Relevance: .7, Instructions: 678COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A9879D0 Relevance: .4, Instructions: 369COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A9971DC Relevance: .3, Instructions: 327COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A9A73EC Relevance: .3, Instructions: 271COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A9964C8 Relevance: .2, Instructions: 247COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A99FFD0 Relevance: .2, Instructions: 198COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A982FA0 Relevance: .2, Instructions: 188COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A995A1C Relevance: .1, Instructions: 146COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A9951FC Relevance: .1, Instructions: 146COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A99560C Relevance: .1, Instructions: 146COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A995408 Relevance: .1, Instructions: 145COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A995818 Relevance: .1, Instructions: 145COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A994FF8 Relevance: .1, Instructions: 145COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A99C7BC Relevance: .1, Instructions: 126COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A9ACB60 Relevance: .0, Instructions: 32COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A98E814 Relevance: .0, Instructions: 2COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A974C50 Relevance: 33.2, APIs: 22, Instructions: 199windowthreadnetworkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A980620 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 140stringprocessCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A974270 Relevance: 21.1, APIs: 14, Instructions: 119networkstringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A9746A0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 171networktimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A975A80 Relevance: 16.7, APIs: 11, Instructions: 154networkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A980B40 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 52registrystringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A994880 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A974080 Relevance: 13.6, APIs: 9, Instructions: 111timenetworkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A975D10 Relevance: 13.6, APIs: 9, Instructions: 93timenetworkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A990EA8 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A9A0B54 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A97E01F Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 94filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A974A90 Relevance: 12.1, APIs: 8, Instructions: 104networkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A999720 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 494COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A974470 Relevance: 10.6, APIs: 7, Instructions: 143threadnetworktimeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A97B9E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 140COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A981E10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 133COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A9937CC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A980C20 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 82processstringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A99ED10 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A9ACF20 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A97ACF0 Relevance: 10.5, APIs: 7, Instructions: 40filesynchronizationstringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A97EF25 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 34registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A979380 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 26processCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A991378 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 320COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A975300 Relevance: 9.1, APIs: 6, Instructions: 63synchronizationtimeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A99EE88 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A99BF30 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A97EFA3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A9AC95C Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A99EF50 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A975640 Relevance: 7.5, APIs: 5, Instructions: 26synchronizationsleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A991AEC Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 190COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A98FD28 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A99206C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A98E880 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A973FF0 Relevance: 6.0, APIs: 4, Instructions: 22synchronizationsleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A9922A4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A99187C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A97DC4D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A9A1F64 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A99293C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A99C224 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A9AB0F4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF62A9902F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|