Edit tour
Windows
Analysis Report
ReaderPDFadobe.exe
Overview
General Information
| Sample name: | ReaderPDFadobe.exe |
| Analysis ID: | 1587448 |
| MD5: | 5b3f4288f2239f1805e7d5c935fec648 |
| SHA1: | 3e7d6b9b8e8549bd5e359c79e64829da329c0f92 |
| SHA256: | c761b3063a4cdad0061c015cda2d006077b52d833952ca912157bfa31d8a975d |
| Tags: | exeuser-zhuzhu0009 |
| Infos: |  |
 | |
Detection
| Score: | 80 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
ReaderPDFadobe.exe (PID: 5536 cmdline: "C:\Users\ user\Deskt op\ReaderP DFadobe.ex e" MD5: 5B3F4288F2239F1805E7D5C935FEC648) 
csc.exe (PID: 2212 cmdline: "C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\csc .exe" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
Compliance | |
|---|
| Source: | Unpacked PE file: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | TCP traffic: | ||
| Source: | IP Address: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Code function: | 5_2_05913C58 | |
| Source: | Code function: | 5_2_05913C4B | |
| Source: | Code function: | 5_2_09C457D0 | |
| Source: | Code function: | 5_2_09C411D0 | |
| Source: | Code function: | 5_2_09C4591D | |
| Source: | Code function: | 5_2_09C4112B | |
| Source: | Code function: | 5_2_09C410E1 | |
| Source: | Code function: | 5_2_09C410F0 | |
| Source: | Code function: | 5_2_09C413D5 | |
| Source: | Code function: | 5_2_09C4E3B8 | |
| Source: | Code function: | 5_2_09C41305 | |
| Source: | Code function: | 5_2_09C41254 | |
| Source: | Code function: | 5_2_09C4156A | |
| Source: | Code function: | 5_2_09C414F1 | |
| Source: | Code function: | 5_2_09C41464 | |
| Source: | Code function: | 5_2_09C457CD | |
| Source: | Code function: | 5_2_09C41701 | |
| Source: | Code function: | 5_2_09C416BA | |
| Source: | Code function: | 5_2_09D93500 | |
| Source: | Code function: | 5_2_09D93D38 | |
| Source: | Code function: | 5_2_09D92488 | |
| Source: | Code function: | 5_2_09D96C8E | |
| Source: | Code function: | 5_2_09D91870 | |
| Source: | Code function: | 5_2_09D95021 | |
| Source: | Code function: | 5_2_09D95540 | |
| Source: | Code function: | 5_2_09D94100 | |
| Source: | Code function: | 5_2_09D93D33 | |
| Source: | Code function: | 5_2_09D954C8 | |
| Source: | Code function: | 5_2_09D934F1 | |
| Source: | Code function: | 5_2_09D954E6 | |
| Source: | Code function: | 5_2_09D9545C | |
| Source: | Code function: | 5_2_09D91BB8 | |
| Source: | Code function: | 5_2_09DCEEB8 | |
| Source: | Code function: | 5_2_09DCD8F0 | |
| Source: | Code function: | 5_2_09DCEEA8 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Static PE information: | ||
| Source: | WMI Queries: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | ReversingLabs: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
Data Obfuscation | |
|---|
| Source: | Unpacked PE file: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 5_2_09C02A06 | |
| Source: | Code function: | 5_2_09C0FD5A | |
| Source: | Code function: | 5_2_09C4621A | |
| Source: | Code function: | 5_2_09C45BD2 | |
| Source: | Code function: | 5_2_09C492F1 | |
| Source: | Code function: | 5_2_09C45232 | |
| Source: | Code function: | 5_2_09C45592 | |
| Source: | Code function: | 5_2_09C4556A | |
| Source: | Code function: | 5_2_09C4579A | |
| Source: | Code function: | 5_2_09C49FAD | |
| Source: | Code function: | 5_2_09C41683 | |
| Source: | Code function: | 5_2_09C41683 | |
| Source: | Code function: | 5_2_09D95D30 | |
| Source: | Code function: | 5_2_09D95ADC | |
| Source: | Code function: | 5_2_09DCA200 | |
| Source: | Code function: | 5_2_09DC99EE | |
| Source: | Code function: | 5_2_09DCA16F | |
| Source: | Code function: | 5_2_09DC791E | |
| Source: | Code function: | 5_2_09DC691B | |
| Source: | Code function: | 5_2_09DC6934 | |
| Source: | Code function: | 5_2_09DC98FE | |
| Source: | Code function: | 5_2_09DCA08E | |
| Source: | Code function: | 5_2_09DCC8B1 | |
| Source: | Code function: | 5_2_09DC7846 | |
| Source: | Code function: | 5_2_09DC0032 | |
| Source: | Code function: | 5_2_09DCA034 | |
| Source: | Code function: | 5_2_09DC9B7F | |
| Source: | Code function: | 5_2_09DC9A97 | |
| Source: | Code function: | 5_2_09DC827E | |
| Source: | Code function: | 5_2_09DCC60E | |
| Source: | Code function: | 5_2_09DC6D9E | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 5_2_09DCF115 | |
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_00644383 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | WMI Queries: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 131 Windows Management Instrumentation | 1 DLL Side-Loading | 31 Process Injection | 11 Disable or Modify Tools | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 141 Virtualization/Sandbox Evasion | LSASS Memory | 131 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 31 Process Injection | Security Account Manager | 141 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 1 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 124 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 47% | ReversingLabs | Win32.Backdoor.Remcos |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| newstaticfreepoint24.ddns-ip.net | 181.71.216.203 | true | false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 181.71.216.203 | newstaticfreepoint24.ddns-ip.net | Colombia | 27831 | ColombiaMovilCO | false |
| Joe Sandbox version: | 42.0.0 Malachite |
| Analysis ID: | 1587448 |
| Start date and time: | 2025-01-10 11:52:04 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 5m 29s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 9 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | ReaderPDFadobe.exe |
| Detection: | MAL |
| Classification: | mal80.evad.winEXE@3/0@1/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 20.12.23.50
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target ReaderPDFadobe.exe, PID 5536 because there are no executed function
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- VT rate limit hit for: ReaderPDFadobe.exe
| Time | Type | Description |
|---|---|---|
| 05:53:22 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 181.71.216.203 | Get hash | malicious | Unknown | Browse | ||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| newstaticfreepoint24.ddns-ip.net | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| ColombiaMovilCO | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
⊘No context
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 6.871666663925079 |
| TrID: |
|
| File name: | ReaderPDFadobe.exe |
| File size: | 5'649'920 bytes |
| MD5: | 5b3f4288f2239f1805e7d5c935fec648 |
| SHA1: | 3e7d6b9b8e8549bd5e359c79e64829da329c0f92 |
| SHA256: | c761b3063a4cdad0061c015cda2d006077b52d833952ca912157bfa31d8a975d |
| SHA512: | ba36f0584d294b1566b77185bf9c3450f13af917b656f0abdc1f35456974a630c9e3d17b94b23b4079a594817a2f2a3d30af673ef4e1f90c527b0911d1457c52 |
| SSDEEP: | 49152:/hKqxQ06Ybgpey773zDpgNaPvsGbNhvaE/0+dbMie3c/Hat0f3rNcXeiXzOHQXeb:5nbgpe4xdaEMybVR/XfGBPN74TlwDU |
| TLSH: | 2C46AD32B753CC66C65100BF8979AAFD9128ED78CB7346C35284FE1D20B39E216B6917 |
| File Content Preview: | MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$..........,..............h........~...............~.......~.......~............'..~....d..~.......~.......~.......~.......~.......~... |
 | |
| Icon Hash: | 334de0b2926d330e |
| Entrypoint: | 0x643e93 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x67600E9F [Mon Dec 16 11:27:27 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | d0efa8288bc8fcf1ae384debe93de6ac |
| Instruction |
|---|
| call 00007F7A6D1F7C5Dh |
| jmp 00007F7A6D1F759Fh |
| push 00000010h |
| push 006E65C0h |
| call 00007F7A6D1F7BACh |
| xor ebx, ebx |
| mov dword ptr [ebp-20h], ebx |
| mov byte ptr [ebp-19h], bl |
| mov dword ptr [ebp-04h], ebx |
| cmp ebx, dword ptr [ebp+14h] |
| je 00007F7A6D1F7743h |
| push dword ptr [ebp+0Ch] |
| mov ecx, dword ptr [ebp+18h] |
| call dword ptr [00675B18h] |
| mov ecx, dword ptr [ebp+08h] |
| call dword ptr [ebp+18h] |
| mov eax, dword ptr [ebp+10h] |
| add dword ptr [ebp+08h], eax |
| add dword ptr [ebp+0Ch], eax |
| inc ebx |
| mov dword ptr [ebp-20h], ebx |
| jmp 00007F7A6D1F76FCh |
| mov al, 01h |
| mov byte ptr [ebp-19h], al |
| mov dword ptr [ebp-04h], FFFFFFFEh |
| call 00007F7A6D1F773Dh |
| mov ecx, dword ptr [ebp-10h] |
| mov dword ptr fs:[00000000h], ecx |
| pop ecx |
| pop edi |
| pop esi |
| pop ebx |
| leave |
| retn 0018h |
| mov ebx, dword ptr [ebp-20h] |
| mov al, byte ptr [ebp-19h] |
| test al, al |
| jne 00007F7A6D1F7731h |
| push dword ptr [ebp+1Ch] |
| push ebx |
| push dword ptr [ebp+10h] |
| push dword ptr [ebp+08h] |
| call 00007F7A6D1F7194h |
| ret |
| push ebp |
| mov ebp, esp |
| sub esp, 0Ch |
| lea ecx, dword ptr [ebp-0Ch] |
| call 00007F7A6CFBFEE0h |
| push 006E66B4h |
| lea eax, dword ptr [ebp-0Ch] |
| push eax |
| call 00007F7A6D1F7E2Bh |
| int3 |
| push ebp |
| mov ebp, esp |
| sub esp, 0Ch |
| lea ecx, dword ptr [ebp-0Ch] |
| call 00007F7A6CFBF333h |
| push 006E6608h |
| lea eax, dword ptr [ebp-0Ch] |
| push eax |
| call 00007F7A6D1F7E0Eh |
| int3 |
| push ebp |
| mov ebp, esp |
| and dword ptr [00701C04h], 00000000h |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e826c | 0x294 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x32e000 | 0x24102c | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x350000 | 0x2c140 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2a823c | 0x70 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x2a82c0 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x276d30 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x275000 | 0xb18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x2e8128 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x274000 | 0x273200 | 696e190c41e929632b849b4372bca92f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x275000 | 0x78000 | 0x77600 | 2a4704a587240261914c1de80110ddb1 | False | 0.3565792702879581 | data | 5.125253402867627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x2ed000 | 0x1e000 | 0x14c00 | 0b15f16cdaeb2ade44ddb62497a9e5fb | False | 0.22939806099397592 | DOS executable (block device driver @\273\) | 5.393205596281875 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| _RDATA | 0x30b000 | 0x23000 | 0x22c00 | 241f50e9d164772437fd3eebd88a3edb | False | 0.16984459307553956 | data | 5.38723924085817 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0x32e000 | 0x24102c | 0x241200 | f4ab587bb2ddbe9f5f1d926f55817b5d | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| AFX_DIALOG_LAYOUT | 0x32f96c | 0x2 | data | English | United States | 5.0 |
| AFX_DIALOG_LAYOUT | 0x32f970 | 0x2 | data | English | United States | 5.0 |
| AFX_DIALOG_LAYOUT | 0x32f974 | 0x2 | data | English | United States | 5.0 |
| AFX_DIALOG_LAYOUT | 0x32f978 | 0x2 | data | English | United States | 5.0 |
| AFX_DIALOG_LAYOUT | 0x32f97c | 0x2 | data | English | United States | 5.0 |
| AFX_DIALOG_LAYOUT | 0x32f980 | 0x2 | data | English | United States | 5.0 |
| AFX_DIALOG_LAYOUT | 0x32f984 | 0x2 | data | English | United States | 5.0 |
| AFX_DIALOG_LAYOUT | 0x32f988 | 0x2 | data | English | United States | 5.0 |
| AFX_DIALOG_LAYOUT | 0x32f98c | 0x2 | data | English | United States | 5.0 |
| AFX_DIALOG_LAYOUT | 0x32f990 | 0x2 | data | English | United States | 5.0 |
| AFX_DIALOG_LAYOUT | 0x32f994 | 0x2 | data | English | United States | 5.0 |
| AFX_DIALOG_LAYOUT | 0x32f998 | 0x2 | data | English | United States | 5.0 |
| AFX_DIALOG_LAYOUT | 0x32f99c | 0x2 | data | English | United States | 5.0 |
| AFX_DIALOG_LAYOUT | 0x32f9a0 | 0x2 | data | English | United States | 5.0 |
| AFX_DIALOG_LAYOUT | 0x32f9a4 | 0x2 | data | English | United States | 5.0 |
| AFX_DIALOG_LAYOUT | 0x32f9a8 | 0x2 | data | English | United States | 5.0 |
| AFX_DIALOG_LAYOUT | 0x32f9ac | 0x2 | data | English | United States | 5.0 |
| AFX_DIALOG_LAYOUT | 0x32f9b0 | 0x2 | data | English | United States | 5.0 |
| AFX_DIALOG_LAYOUT | 0x32f9b4 | 0x2 | data | English | United States | 5.0 |
| AFX_DIALOG_LAYOUT | 0x32f9b8 | 0x2 | data | English | United States | 5.0 |
| AFX_DIALOG_LAYOUT | 0x32f9bc | 0x2 | data | English | United States | 5.0 |
| AFX_DIALOG_LAYOUT | 0x32f9c0 | 0x2 | data | English | United States | 5.0 |
| AFX_DIALOG_LAYOUT | 0x32f9c4 | 0x2 | data | English | United States | 5.0 |
| PNG | 0x32f9c8 | 0x5366 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 1.0004215456674472 |
| RT_BITMAP | 0x334d30 | 0x72a24 | Device independent bitmap graphic, 500 x 313 x 24, image size 469500, resolution 3780 x 3780 px/m | 0.6494377475827405 | ||
| RT_BITMAP | 0x3a7754 | 0x72a24 | Device independent bitmap graphic, 500 x 313 x 24, image size 469500, resolution 3780 x 3780 px/m | 0.5587979724837074 | ||
| RT_BITMAP | 0x41a178 | 0x14be8 | Device independent bitmap graphic, 302 x 276 x 8, image size 83904, 256 important colors | 0.1667098201675925 | ||
| RT_BITMAP | 0x42ed60 | 0x46e8c | PC bitmap, Windows 3.x format, 36628 x 2 x 52, image size 290472, cbSize 290444, bits offset 54 | 0.9879563702469323 | ||
| RT_BITMAP | 0x475bec | 0x2e02a | Device independent bitmap graphic, 1472 x 32 x 32, image size 188418, resolution 2834 x 2834 px/m | 0.216446104702374 | ||
| RT_BITMAP | 0x4a3c18 | 0x402a | Device independent bitmap graphic, 64 x 64 x 32, image size 16386, resolution 2834 x 2834 px/m | 0.35370753683185197 | ||
| RT_BITMAP | 0x4a7c44 | 0xcf28 | Device independent bitmap graphic, 552 x 24 x 32, image size 52992, resolution 3543 x 3543 px/m | 0.23476391612611253 | ||
| RT_ICON | 0x4b4b6c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.33630393996247654 |
| RT_ICON | 0x4b5c14 | 0x1a68 | Device independent bitmap graphic, 40 x 80 x 32, image size 6720 | English | United States | 0.29319526627218934 |
| RT_ICON | 0x4b767c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.258298755186722 |
| RT_ICON | 0x4b9c24 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.20896315540859708 |
| RT_ICON | 0x4bde4c | 0x5cd2 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9988216480094269 |
| RT_ICON | 0x4c3b20 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.5301418439716312 |
| RT_ICON | 0x4c3f88 | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 1680 | English | United States | 0.4511627906976744 |
| RT_ICON | 0x4c4640 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.41270491803278686 |
| RT_DIALOG | 0x4c4fc8 | 0x32a | data | 0.7555555555555555 | ||
| RT_DIALOG | 0x4c52f4 | 0x35c | data | English | United States | 0.436046511627907 |
| RT_DIALOG | 0x4c5650 | 0x502 | data | English | United States | 0.3962558502340094 |
| RT_DIALOG | 0x4c5b54 | 0x248 | data | English | United States | 0.4828767123287671 |
| RT_DIALOG | 0x4c5d9c | 0x2c2 | data | English | United States | 0.4730878186968839 |
| RT_DIALOG | 0x4c6060 | 0x630 | data | English | United States | 0.4116161616161616 |
| RT_DIALOG | 0x4c6690 | 0x1e8 | data | English | United States | 0.5368852459016393 |
| RT_DIALOG | 0x4c6878 | 0x828 | data | English | United States | 0.4051724137931034 |
| RT_DIALOG | 0x4c70a0 | 0x36c | data | English | United States | 0.45662100456621 |
| RT_DIALOG | 0x4c740c | 0x188 | data | English | United States | 0.5586734693877551 |
| RT_DIALOG | 0x4c7594 | 0x1e8 | data | English | United States | 0.5430327868852459 |
| RT_DIALOG | 0x4c777c | 0x4a8 | data | English | United States | 0.42533557046979864 |
| RT_DIALOG | 0x4c7c24 | 0x278 | data | English | United States | 0.44936708860759494 |
| RT_DIALOG | 0x4c7e9c | 0xc8 | data | English | United States | 0.675 |
| RT_DIALOG | 0x4c7f64 | 0x634 | data | English | United States | 0.4275818639798489 |
| RT_DIALOG | 0x4c8598 | 0x4d2 | data | English | United States | 0.3987034035656402 |
| RT_DIALOG | 0x4c8a6c | 0x2b0 | data | English | United States | 0.4738372093023256 |
| RT_DIALOG | 0x4c8d1c | 0xd0 | data | English | United States | 0.6586538461538461 |
| RT_DIALOG | 0x4c8dec | 0x124 | data | English | United States | 0.589041095890411 |
| RT_DIALOG | 0x4c8f10 | 0x30e | data | English | United States | 0.4322250639386189 |
| RT_DIALOG | 0x4c9220 | 0x174 | data | English | United States | 0.5698924731182796 |
| RT_DIALOG | 0x4c9394 | 0x220 | data | English | United States | 0.48713235294117646 |
| RT_DIALOG | 0x4c95b4 | 0x2d2 | data | English | United States | 0.4695290858725762 |
| RT_DIALOG | 0x4c9888 | 0xec | data | English | United States | 0.673728813559322 |
| RT_DIALOG | 0x4c9974 | 0x1e0 | data | English | United States | 0.5229166666666667 |
| RT_DIALOG | 0x4c9b54 | 0x1b0 | data | English | United States | 0.5532407407407407 |
| RT_DIALOG | 0x4c9d04 | 0x1a4 | data | English | United States | 0.5333333333333333 |
| RT_DIALOG | 0x4c9ea8 | 0x100 | data | English | United States | 0.62890625 |
| RT_DIALOG | 0x4c9fa8 | 0x60 | data | English | United States | 0.7291666666666666 |
| RT_DIALOG | 0x4ca008 | 0x4ac | data | English | United States | 0.3804347826086957 |
| RT_DIALOG | 0x4ca4b4 | 0x326 | data | English | United States | 0.4640198511166253 |
| RT_DIALOG | 0x4ca7dc | 0x1f8 | data | English | United States | 0.5515873015873016 |
| RT_DIALOG | 0x4ca9d4 | 0xe0 | data | English | United States | 0.6607142857142857 |
| RT_DIALOG | 0x4caab4 | 0xe4 | data | English | United States | 0.6798245614035088 |
| RT_DIALOG | 0x4cab98 | 0x1c4 | data | English | United States | 0.5575221238938053 |
| RT_DIALOG | 0x4cad5c | 0x104 | data | English | United States | 0.573076923076923 |
| RT_DIALOG | 0x4cae60 | 0xaa | data | English | United States | 0.7411764705882353 |
| RT_DIALOG | 0x4caf0c | 0x1f4 | data | English | United States | 0.492 |
| RT_DIALOG | 0x4cb100 | 0x12c | data | English | United States | 0.5966666666666667 |
| RT_DIALOG | 0x4cb22c | 0x7c | data | English | United States | 0.7903225806451613 |
| RT_DIALOG | 0x4cb2a8 | 0x40 | data | English | United States | 0.765625 |
| RT_DIALOG | 0x4cb2e8 | 0x228 | data | English | United States | 0.519927536231884 |
| RT_DIALOG | 0x4cb510 | 0xa4 | data | English | United States | 0.6829268292682927 |
| RT_DIALOG | 0x4cb5b4 | 0xb8 | data | English | United States | 0.6739130434782609 |
| RT_DIALOG | 0x4cb66c | 0x228 | data | English | United States | 0.5018115942028986 |
| RT_DIALOG | 0x4cb894 | 0xa8 | data | English | United States | 0.6607142857142857 |
| RT_DIALOG | 0x4cb93c | 0x11c | data | English | United States | 0.5845070422535211 |
| RT_DIALOG | 0x4cba58 | 0x1c8 | data | English | United States | 0.4868421052631579 |
| RT_DIALOG | 0x4cbc20 | 0x32c | data | English | United States | 0.45689655172413796 |
| RT_DIALOG | 0x4cbf4c | 0x90 | data | English | United States | 0.6944444444444444 |
| RT_DIALOG | 0x4cbfdc | 0xc6 | data | English | United States | 0.6919191919191919 |
| RT_DIALOG | 0x4cc0a4 | 0x224 | data | English | United States | 0.5547445255474452 |
| RT_DIALOG | 0x4cc2c8 | 0x224 | data | English | United States | 0.5602189781021898 |
| RT_DIALOG | 0x4cc4ec | 0x120 | data | English | United States | 0.5972222222222222 |
| RT_DIALOG | 0x4cc60c | 0x5d4 | data | English | United States | 0.4175603217158177 |
| RT_DIALOG | 0x4ccbe0 | 0x17e | data | English | United States | 0.5837696335078534 |
| RT_DIALOG | 0x4ccd60 | 0x19e | data | English | United States | 0.5217391304347826 |
| RT_DIALOG | 0x4ccf00 | 0x1e0 | data | English | United States | 0.51875 |
| RT_DIALOG | 0x4cd0e0 | 0x3f8 | data | English | United States | 0.43799212598425197 |
| RT_DIALOG | 0x4cd4d8 | 0x6e | data | English | United States | 0.7181818181818181 |
| RT_DIALOG | 0x4cd548 | 0x7c | data | English | United States | 0.7338709677419355 |
| RT_DIALOG | 0x4cd5c4 | 0x3e0 | data | English | United States | 0.4254032258064516 |
| RT_DIALOG | 0x4cd9a4 | 0x94 | data | English | United States | 0.7905405405405406 |
| RT_DIALOG | 0x4cda38 | 0x246 | data | English | United States | 0.49140893470790376 |
| RT_DIALOG | 0x4cdc80 | 0x1e8 | data | English | United States | 0.4959016393442623 |
| RT_DIALOG | 0x4cde68 | 0xfc | data | English | United States | 0.6626984126984127 |
| RT_DIALOG | 0x4cdf64 | 0x160 | data | English | United States | 0.6051136363636364 |
| RT_DIALOG | 0x4ce0c4 | 0x4ec | data | English | United States | 0.44047619047619047 |
| RT_DIALOG | 0x4ce5b0 | 0x2f0 | data | English | United States | 0.4654255319148936 |
| RT_DIALOG | 0x4ce8a0 | 0x1ac | data | English | United States | 0.5677570093457944 |
| RT_DIALOG | 0x4cea4c | 0x142 | data | English | United States | 0.5869565217391305 |
| RT_DIALOG | 0x4ceb90 | 0x1ae | data | English | United States | 0.5511627906976744 |
| RT_ACCELERATOR | 0x4ced40 | 0x20 | data | English | United States | 0.96875 |
| RT_ACCELERATOR | 0x4ced60 | 0x28 | data | English | United States | 0.95 |
| RT_RCDATA | 0x4ced88 | 0x82e8 | data | 0.24680711386965862 | ||
| RT_RCDATA | 0x4d7070 | 0x11dab | Delphi compiled form 'TfFolderProperties' | 0.31615867416006893 | ||
| RT_RCDATA | 0x4e8e1c | 0x11dab | Delphi compiled form 'TfFolderProperties' | 0.4024558668690432 | ||
| RT_RCDATA | 0x4fabc8 | 0x23e27 | Delphi compiled form 'TfLogin' | 0.28407366838341847 | ||
| RT_RCDATA | 0x51e9f0 | 0x2092 | Delphi compiled form 'TWizardForm' | 0.2983928999760134 | ||
| RT_RCDATA | 0x520a84 | 0xbd22 | PNG image data, 118 x 102, 8-bit/color RGBA, non-interlaced | 0.24928745507868974 | ||
| RT_GROUP_ICON | 0x52c7a8 | 0x76 | data | English | United States | 0.7457627118644068 |
| RT_VERSION | 0x52c820 | 0x30c | data | English | United States | 0.44358974358974357 |
| RT_ANIICON | 0x52cb2c | 0x424fd | PC bitmap, Windows 3.x format, 34094 x 2 x 35, image size 271646, cbSize 271613, bits offset 54 | 0.9939619974007136 |
| DLL | Import |
|---|---|
| COMCTL32.dll | ImageList_Destroy, ImageList_Create, ImageList_Add |
| WINMM.dll | timeGetTime, timeBeginPeriod, timeEndPeriod |
| SHLWAPI.dll | SHAutoComplete, StrCmpLogicalW, SHDeleteKeyW |
| UxTheme.dll | IsThemePartDefined, OpenThemeData, GetThemePartSize, SetWindowTheme, DrawThemeBackground, EnableThemeDialogTexture, CloseThemeData |
| KERNEL32.dll | GetSystemPowerStatus, VerifyVersionInfoW, VerSetConditionMask, GlobalFree, SystemTimeToFileTime, LocalFileTimeToFileTime, ResumeThread, GetLocaleInfoW, GetNumberFormatW, GlobalSize, DecodePointer, Sleep, SetErrorMode, LoadLibraryW, CreateEventW, FindResourceW, FindResourceExW, LoadResource, LockResource, SizeofResource, SetEndOfFile, GetFileTime, FlushFileBuffers, CreateFileW, GetDiskFreeSpaceExW, FindFirstFileW, DeleteFileW, RemoveDirectoryW, GetFileAttributesW, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, WaitForSingleObjectEx, InitializeCriticalSectionAndSpinCount, LoadLibraryExA, GetCurrentThreadId, VirtualAlloc, IsProcessorFeaturePresent, FlushInstructionCache, InterlockedPushEntrySList, InterlockedPopEntrySList, InitializeSListHead, EncodePointer, InitOnceComplete, InitOnceBeginInitialize, SystemTimeToTzSpecificLocalTime, MoveFileExW, NormalizeString, TryEnterCriticalSection, GetVolumeNameForVolumeMountPointW, GetVolumePathNameW, DeviceIoControl, SetFileTime, SetFilePointer, DosDateTimeToFileTime, GetFileSizeEx, FileTimeToSystemTime, GetSystemTimeAsFileTime, ReadDirectoryChangesW, GetThreadPriority, GetThreadId, GetFileInformationByHandle, TerminateProcess, GetCurrentProcess, DuplicateHandle, WriteFile, CancelIo, GetOverlappedResult, ReadFile, WideCharToMultiByte, MultiByteToWideChar, WaitForMultipleObjects, FormatMessageW, GlobalUnlock, GlobalLock, GlobalAlloc, GetCommandLineW, LoadLibraryExW, lstrlenW, GetNativeSystemInfo, GetVersionExW, PowerCreateRequest, PowerClearRequest, PowerSetRequest, SetLastError, EnterCriticalSection, SetThreadPriority, OutputDebugStringW, LeaveCriticalSection, GetTickCount64, DeleteCriticalSection, GetFileAttributesExW, FindNextFileW, FindClose, GetCurrentThread, SetEvent, ResetEvent, GetExitCodeThread, GetCurrentProcessId, VirtualQuery, VirtualProtect, GetSystemInfo, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, ReleaseSRWLockShared, AcquireSRWLockShared, CopyFileW, IsDebuggerPresent, FreeLibrary, SetDllDirectoryW, CloseHandle, WaitForSingleObject, GetModuleHandleW, GetProcAddress, GetTickCount, GetProcessHeap, HeapAlloc, CreateMutexW, InitializeCriticalSection, QueryPerformanceCounter, QueryPerformanceFrequency, HeapFree, HeapReAlloc, HeapSize, HeapDestroy, MulDiv, InitializeCriticalSectionEx, GetLastError, RaiseException, VirtualFree |
| USER32.dll | SetDlgItemTextW, MapVirtualKeyW, GetDlgItem, SendMessageW, ShowWindow, EnableWindow, SetWindowTextW, DestroyWindow, UnregisterClassW, CreateDialogParamW, SetWindowLongW, SendDlgItemMessageW, GetActiveWindow, GetWindowLongW, GetClientRect, ClientToScreen, GetWindowRect, SetWindowPos, SetLayeredWindowAttributes, CharUpperW, GetComboBoxInfo, GetSystemMetrics, EnumThreadWindows, GetWindowPlacement, IsIconic, AdjustWindowRect, DrawEdge, SetClipboardData, CloseClipboard, OpenClipboard, FillRect, AdjustWindowRectEx, GetWindowTextLengthW, GetWindowTextW, NotifyWinEvent, RedrawWindow, IsRectEmpty, DrawTextW, TrackMouseEvent, InflateRect, FrameRect, UnhookWindowsHookEx, SetWindowsHookExW, CallNextHookEx, GetNextDlgTabItem, InvalidateRgn, SystemParametersInfoW, ScrollWindowEx, SetScrollPos, UpdateWindow, SetScrollInfo, SetRectEmpty, SetGestureConfig, CloseGestureInfoHandle, GetGestureInfo, GetScrollInfo, MapDialogRect, IsZoomed, SetMenuItemInfoW, GetMenuItemInfoW, GetMenu, GetWindow, GetDC, BeginPaint, EndPaint, InvalidateRect, IsWindowEnabled, PostMessageW, CreateWindowExW, ScreenToClient, IntersectRect, MonitorFromWindow, LoadIconW, RegisterClipboardFormatW, wsprintfW, AllowSetForegroundWindow, EnumWindows, GetClassNameW, GetWindowThreadProcessId, WindowFromPoint, CheckMenuRadioItem, RegisterShellHookWindow, DeregisterShellHookWindow, RegisterWindowMessageW, RegisterClassW, GetClipboardData, IsCharAlphaW, IsClipboardFormatAvailable, DispatchMessageW, TranslateMessage, LoadImageW, GetDesktopWindow, PostQuitMessage, GetMessageW, MsgWaitForMultipleObjects, OffsetRect, CopyRect, MonitorFromRect, CharLowerW, EndDeferWindowPos, BeginDeferWindowPos, DeferWindowPos, EmptyClipboard, IsWindowVisible, MoveWindow, IsChild, PeekMessageW, SetTimer, DrawTextExW, SetForegroundWindow, PtInRect, DefWindowProcW, GetCursorPos, SetFocus, KillTimer, SetCapture, SetCursor, LoadCursorW, IsDialogMessageW, RegisterClassExW, GetClassInfoExW, CallWindowProcW, GetWindowDC, ReleaseDC, DrawFrameControl, GetParent, GetKeyState, GetMessagePos, AppendMenuW, TrackPopupMenu, CreatePopupMenu, MonitorFromPoint, GetMonitorInfoW, DestroyMenu, MessageBoxW, EndDialog, DialogBoxParamW, MessageBeep, SetActiveWindow, EnumChildWindows, MapWindowPoints, SetMenuDefaultItem, TrackPopupMenuEx, GetDlgCtrlID, GetSysColor, GetFocus, TranslateAcceleratorW, LoadAcceleratorsW, DestroyAcceleratorTable, RegisterHotKey, UnregisterHotKey |
| GDI32.dll | GetStockObject, SelectObject, CreateCompatibleDC, CreateCompatibleBitmap, ExtTextOutW, SetBkColor, SetTextColor, DeleteDC, DeleteObject, GetObjectW, CreateFontIndirectW, SetBkMode, CreateRectRgnIndirect, CreateRectRgn, GetTextExtentPoint32W, GetTextColor, GetBkColor, GetCurrentObject, SetDCBrushColor, CreatePen, GetDeviceCaps, GetTextMetricsW, LPtoDP, SaveDC, RestoreDC, OffsetWindowOrgEx, SetWindowOrgEx, IntersectClipRect, CreatePolygonRgn, FrameRgn, FillRgn, SetViewportOrgEx, BitBlt, CombineRgn, SetDCPenColor, LineTo, MoveToEx, OffsetRgn |
| ADVAPI32.dll | CryptImportKey, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegOpenKeyW, RegCreateKeyW, RegDeleteValueW, CryptGetHashParam, CryptVerifySignatureW, CryptHashData, CryptCreateHash, RegGetValueW, CryptDestroyKey, CryptDestroyHash, CryptReleaseContext, RegEnumValueW, CryptAcquireContextW, RegOpenKeyExW, RegEnumKeyExW, RegQueryInfoKeyW |
| SHELL32.dll | SHOpenFolderAndSelectItems, SHGetFolderPathW, SHCreateItemFromIDList, DragAcceptFiles, ShellExecuteExW, SHGetDesktopFolder, DragFinish |
| ole32.dll | CoCreateInstance, OleSetClipboard, OleGetClipboard, CoTaskMemFree, PropVariantClear, CLSIDFromString, CoTaskMemAlloc, ReleaseStgMedium, CoCreateGuid, DoDragDrop, CoUninitialize, RegisterDragDrop, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, RevokeDragDrop |
| OLEAUT32.dll | VariantClear, VariantInit, SysAllocString |
| OLEACC.dll | AccessibleObjectFromWindow, LresultFromObject |
| CRYPT32.dll | CertVerifyRevocation, CertVerifyCertificateChainPolicy, CertGetCertificateChain, CertVerifyTimeValidity, CertCloseStore, CertFreeCertificateChain, CertFreeCertificateContext |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 10, 2025 11:53:23.922399044 CET | 49709 | 30203 | 192.168.2.8 | 181.71.216.203 |
| Jan 10, 2025 11:53:23.927340984 CET | 30203 | 49709 | 181.71.216.203 | 192.168.2.8 |
| Jan 10, 2025 11:53:23.927438021 CET | 49709 | 30203 | 192.168.2.8 | 181.71.216.203 |
| Jan 10, 2025 11:53:23.991112947 CET | 49709 | 30203 | 192.168.2.8 | 181.71.216.203 |
| Jan 10, 2025 11:53:23.996352911 CET | 30203 | 49709 | 181.71.216.203 | 192.168.2.8 |
| Jan 10, 2025 11:53:23.996412992 CET | 49709 | 30203 | 192.168.2.8 | 181.71.216.203 |
| Jan 10, 2025 11:53:24.001775980 CET | 30203 | 49709 | 181.71.216.203 | 192.168.2.8 |
| Jan 10, 2025 11:53:45.302323103 CET | 30203 | 49709 | 181.71.216.203 | 192.168.2.8 |
| Jan 10, 2025 11:53:45.304275036 CET | 49709 | 30203 | 192.168.2.8 | 181.71.216.203 |
| Jan 10, 2025 11:53:45.307780027 CET | 49709 | 30203 | 192.168.2.8 | 181.71.216.203 |
| Jan 10, 2025 11:53:45.312623024 CET | 30203 | 49709 | 181.71.216.203 | 192.168.2.8 |
| Jan 10, 2025 11:53:45.474503994 CET | 49710 | 30203 | 192.168.2.8 | 181.71.216.203 |
| Jan 10, 2025 11:53:45.479356050 CET | 30203 | 49710 | 181.71.216.203 | 192.168.2.8 |
| Jan 10, 2025 11:53:45.479458094 CET | 49710 | 30203 | 192.168.2.8 | 181.71.216.203 |
| Jan 10, 2025 11:53:45.569863081 CET | 49710 | 30203 | 192.168.2.8 | 181.71.216.203 |
| Jan 10, 2025 11:53:45.574812889 CET | 30203 | 49710 | 181.71.216.203 | 192.168.2.8 |
| Jan 10, 2025 11:53:45.574954033 CET | 49710 | 30203 | 192.168.2.8 | 181.71.216.203 |
| Jan 10, 2025 11:53:45.579792976 CET | 30203 | 49710 | 181.71.216.203 | 192.168.2.8 |
| Jan 10, 2025 11:54:06.865113974 CET | 30203 | 49710 | 181.71.216.203 | 192.168.2.8 |
| Jan 10, 2025 11:54:06.865199089 CET | 49710 | 30203 | 192.168.2.8 | 181.71.216.203 |
| Jan 10, 2025 11:54:06.865355968 CET | 49710 | 30203 | 192.168.2.8 | 181.71.216.203 |
| Jan 10, 2025 11:54:06.870228052 CET | 30203 | 49710 | 181.71.216.203 | 192.168.2.8 |
| Jan 10, 2025 11:54:06.978739023 CET | 49712 | 30203 | 192.168.2.8 | 181.71.216.203 |
| Jan 10, 2025 11:54:06.983752012 CET | 30203 | 49712 | 181.71.216.203 | 192.168.2.8 |
| Jan 10, 2025 11:54:06.983844042 CET | 49712 | 30203 | 192.168.2.8 | 181.71.216.203 |
| Jan 10, 2025 11:54:06.987328053 CET | 49712 | 30203 | 192.168.2.8 | 181.71.216.203 |
| Jan 10, 2025 11:54:06.992194891 CET | 30203 | 49712 | 181.71.216.203 | 192.168.2.8 |
| Jan 10, 2025 11:54:06.992270947 CET | 49712 | 30203 | 192.168.2.8 | 181.71.216.203 |
| Jan 10, 2025 11:54:06.997065067 CET | 30203 | 49712 | 181.71.216.203 | 192.168.2.8 |
| Jan 10, 2025 11:54:28.348089933 CET | 30203 | 49712 | 181.71.216.203 | 192.168.2.8 |
| Jan 10, 2025 11:54:28.348181009 CET | 49712 | 30203 | 192.168.2.8 | 181.71.216.203 |
| Jan 10, 2025 11:54:28.348319054 CET | 49712 | 30203 | 192.168.2.8 | 181.71.216.203 |
| Jan 10, 2025 11:54:28.353095055 CET | 30203 | 49712 | 181.71.216.203 | 192.168.2.8 |
| Jan 10, 2025 11:54:28.458301067 CET | 49716 | 30203 | 192.168.2.8 | 181.71.216.203 |
| Jan 10, 2025 11:54:28.463145018 CET | 30203 | 49716 | 181.71.216.203 | 192.168.2.8 |
| Jan 10, 2025 11:54:28.463360071 CET | 49716 | 30203 | 192.168.2.8 | 181.71.216.203 |
| Jan 10, 2025 11:54:28.464102030 CET | 49716 | 30203 | 192.168.2.8 | 181.71.216.203 |
| Jan 10, 2025 11:54:28.468877077 CET | 30203 | 49716 | 181.71.216.203 | 192.168.2.8 |
| Jan 10, 2025 11:54:28.468938112 CET | 49716 | 30203 | 192.168.2.8 | 181.71.216.203 |
| Jan 10, 2025 11:54:28.473735094 CET | 30203 | 49716 | 181.71.216.203 | 192.168.2.8 |
| Jan 10, 2025 11:54:49.819258928 CET | 30203 | 49716 | 181.71.216.203 | 192.168.2.8 |
| Jan 10, 2025 11:54:49.819394112 CET | 49716 | 30203 | 192.168.2.8 | 181.71.216.203 |
| Jan 10, 2025 11:54:49.819592953 CET | 49716 | 30203 | 192.168.2.8 | 181.71.216.203 |
| Jan 10, 2025 11:54:49.825628996 CET | 30203 | 49716 | 181.71.216.203 | 192.168.2.8 |
| Jan 10, 2025 11:54:49.927231073 CET | 49717 | 30203 | 192.168.2.8 | 181.71.216.203 |
| Jan 10, 2025 11:54:49.933604002 CET | 30203 | 49717 | 181.71.216.203 | 192.168.2.8 |
| Jan 10, 2025 11:54:49.933717012 CET | 49717 | 30203 | 192.168.2.8 | 181.71.216.203 |
| Jan 10, 2025 11:54:49.934508085 CET | 49717 | 30203 | 192.168.2.8 | 181.71.216.203 |
| Jan 10, 2025 11:54:49.939280033 CET | 30203 | 49717 | 181.71.216.203 | 192.168.2.8 |
| Jan 10, 2025 11:54:49.939349890 CET | 49717 | 30203 | 192.168.2.8 | 181.71.216.203 |
| Jan 10, 2025 11:54:49.945647001 CET | 30203 | 49717 | 181.71.216.203 | 192.168.2.8 |
| Jan 10, 2025 11:55:00.787101030 CET | 49717 | 30203 | 192.168.2.8 | 181.71.216.203 |
| Jan 10, 2025 11:55:00.791891098 CET | 30203 | 49717 | 181.71.216.203 | 192.168.2.8 |
| Jan 10, 2025 11:55:00.791948080 CET | 49717 | 30203 | 192.168.2.8 | 181.71.216.203 |
| Jan 10, 2025 11:55:00.796824932 CET | 30203 | 49717 | 181.71.216.203 | 192.168.2.8 |
| Jan 10, 2025 11:55:07.228481054 CET | 49717 | 30203 | 192.168.2.8 | 181.71.216.203 |
| Jan 10, 2025 11:55:07.233475924 CET | 30203 | 49717 | 181.71.216.203 | 192.168.2.8 |
| Jan 10, 2025 11:55:07.233676910 CET | 49717 | 30203 | 192.168.2.8 | 181.71.216.203 |
| Jan 10, 2025 11:55:07.238524914 CET | 30203 | 49717 | 181.71.216.203 | 192.168.2.8 |
| Jan 10, 2025 11:55:11.302778006 CET | 30203 | 49717 | 181.71.216.203 | 192.168.2.8 |
| Jan 10, 2025 11:55:11.302866936 CET | 49717 | 30203 | 192.168.2.8 | 181.71.216.203 |
| Jan 10, 2025 11:55:11.303064108 CET | 49717 | 30203 | 192.168.2.8 | 181.71.216.203 |
| Jan 10, 2025 11:55:11.312918901 CET | 30203 | 49717 | 181.71.216.203 | 192.168.2.8 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 10, 2025 11:53:23.898183107 CET | 57871 | 53 | 192.168.2.8 | 1.1.1.1 |
| Jan 10, 2025 11:53:23.920166969 CET | 53 | 57871 | 1.1.1.1 | 192.168.2.8 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Jan 10, 2025 11:53:23.898183107 CET | 192.168.2.8 | 1.1.1.1 | 0x4f4b | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jan 10, 2025 11:53:23.920166969 CET | 1.1.1.1 | 192.168.2.8 | 0x4f4b | No error (0) | 181.71.216.203 | A (IP address) | IN (0x0001) | false |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 05:52:59 |
| Start date: | 10/01/2025 |
| Path: | C:\Users\user\Desktop\ReaderPDFadobe.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 5'649'920 bytes |
| MD5 hash: | 5B3F4288F2239F1805E7D5C935FEC648 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 5 |
| Start time: | 05:53:18 |
| Start date: | 10/01/2025 |
| Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xa30000 |
| File size: | 2'141'552 bytes |
| MD5 hash: | EB80BB1CA9B9C7F516FF69AFCFD75B7D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | moderate |
| Has exited: | false |
Execution Graph
| Execution Coverage: | 9.8% |
| Dynamic/Decrypted Code Coverage: | 100% |
| Signature Coverage: | 29.6% |
| Total number of Nodes: | 27 |
| Total number of Limit Nodes: | 3 |
Graph
Function 09DCEEA8 Relevance: 1.6, APIs: 1, Instructions: 148COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09DCEEB8 Relevance: 1.6, APIs: 1, Instructions: 144COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D93D33 Relevance: .3, Instructions: 311COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D93D38 Relevance: .3, Instructions: 308COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D95021 Relevance: .3, Instructions: 275COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D96C8E Relevance: .3, Instructions: 274COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D954E6 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D92488 Relevance: .3, Instructions: 266COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D95540 Relevance: .3, Instructions: 252COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D954C8 Relevance: .2, Instructions: 247COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D91870 Relevance: .2, Instructions: 238COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C457D0 Relevance: .2, Instructions: 233COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D94100 Relevance: .2, Instructions: 222COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D93500 Relevance: .2, Instructions: 215COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D934F1 Relevance: .2, Instructions: 215COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D9545C Relevance: .2, Instructions: 207COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09DCF115 Relevance: .2, Instructions: 160COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 05913C4B Relevance: .2, Instructions: 151COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 05913C58 Relevance: .1, Instructions: 149COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0591C1D8 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D92984 Relevance: 1.3, Strings: 1, Instructions: 51COMMON
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0591C388 Relevance: 1.3, APIs: 1, Instructions: 49COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D80078 Relevance: .6, Instructions: 597COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D80810 Relevance: .4, Instructions: 362COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D92485 Relevance: .3, Instructions: 259COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C41789 Relevance: .3, Instructions: 257COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D9186C Relevance: .2, Instructions: 234COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C4C388 Relevance: .2, Instructions: 207COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D80CC8 Relevance: .2, Instructions: 183COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C45240 Relevance: .2, Instructions: 172COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C4523B Relevance: .2, Instructions: 172COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C41790 Relevance: .2, Instructions: 162COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D9528C Relevance: .2, Instructions: 150COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C4F0B0 Relevance: .1, Instructions: 149COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C45F3B Relevance: .1, Instructions: 136COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C4ACCB Relevance: .1, Instructions: 124COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C4B680 Relevance: .1, Instructions: 123COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C4ACD0 Relevance: .1, Instructions: 122COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D97130 Relevance: .1, Instructions: 122COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C4559F Relevance: .1, Instructions: 119COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C4C6B8 Relevance: .1, Instructions: 117COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C4ACB1 Relevance: .1, Instructions: 116COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D956D1 Relevance: .1, Instructions: 108COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C4C837 Relevance: .1, Instructions: 107COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D936D2 Relevance: .1, Instructions: 107COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D956E0 Relevance: .1, Instructions: 104COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C0EDE0 Relevance: .1, Instructions: 99COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C4B511 Relevance: .1, Instructions: 91COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C4B671 Relevance: .1, Instructions: 91COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D97299 Relevance: .1, Instructions: 82COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D9723A Relevance: .1, Instructions: 82COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C4A238 Relevance: .1, Instructions: 81COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C4A233 Relevance: .1, Instructions: 80COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C49FCC Relevance: .1, Instructions: 78COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D93A33 Relevance: .1, Instructions: 76COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C4EB70 Relevance: .1, Instructions: 75COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C4B419 Relevance: .1, Instructions: 74COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D961B0 Relevance: .1, Instructions: 73COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C45D4C Relevance: .1, Instructions: 72COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C4F718 Relevance: .1, Instructions: 72COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C4B428 Relevance: .1, Instructions: 67COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C4A9A3 Relevance: .1, Instructions: 66COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D94D8F Relevance: .1, Instructions: 58COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D93243 Relevance: .1, Instructions: 57COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C4BDC4 Relevance: .1, Instructions: 56COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C4A0CB Relevance: .1, Instructions: 55COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C4A0D0 Relevance: .1, Instructions: 55COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C4BB41 Relevance: .1, Instructions: 55COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C4BA11 Relevance: .1, Instructions: 55COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C4BDD0 Relevance: .1, Instructions: 55COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D8005D Relevance: .1, Instructions: 51COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C461A0 Relevance: .0, Instructions: 48COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D959F7 Relevance: .0, Instructions: 48COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D97399 Relevance: .0, Instructions: 47COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D948C0 Relevance: .0, Instructions: 45COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D948B9 Relevance: .0, Instructions: 45COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D973A8 Relevance: .0, Instructions: 44COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D95A08 Relevance: .0, Instructions: 44COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D95D9B Relevance: .0, Instructions: 42COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D961AF Relevance: .0, Instructions: 42COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C4AE51 Relevance: .0, Instructions: 39COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D949E0 Relevance: .0, Instructions: 39COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D95D31 Relevance: .0, Instructions: 39COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C4AEB0 Relevance: .0, Instructions: 38COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C00769 Relevance: .0, Instructions: 38COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D94C89 Relevance: .0, Instructions: 35COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C41AD1 Relevance: .0, Instructions: 34COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C4B5A5 Relevance: .0, Instructions: 34COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C00778 Relevance: .0, Instructions: 34COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D949D2 Relevance: .0, Instructions: 32COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D94C62 Relevance: .0, Instructions: 32COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D93A38 Relevance: .0, Instructions: 32COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C41AE0 Relevance: .0, Instructions: 31COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C4619C Relevance: .0, Instructions: 30COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C422D9 Relevance: .0, Instructions: 30COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C02424 Relevance: .0, Instructions: 27COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D94A40 Relevance: .0, Instructions: 27COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D93C30 Relevance: .0, Instructions: 27COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D93C2C Relevance: .0, Instructions: 27COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C4D21C Relevance: .0, Instructions: 26COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C4D220 Relevance: .0, Instructions: 26COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D94988 Relevance: .0, Instructions: 26COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C49252 Relevance: .0, Instructions: 25COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C045CA Relevance: .0, Instructions: 25COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D94C50 Relevance: .0, Instructions: 24COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C415F5 Relevance: .0, Instructions: 22COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C46EDB Relevance: .0, Instructions: 22COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C45F00 Relevance: .0, Instructions: 20COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C01450 Relevance: .0, Instructions: 20COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D94998 Relevance: .0, Instructions: 20COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D92988 Relevance: .0, Instructions: 20COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C4A8E9 Relevance: .0, Instructions: 19COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D94BF3 Relevance: .0, Instructions: 19COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D959C9 Relevance: .0, Instructions: 18COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C4A8F0 Relevance: .0, Instructions: 17COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C45EFB Relevance: .0, Instructions: 16COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C4849B Relevance: .0, Instructions: 13COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D94D5F Relevance: .0, Instructions: 13COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C4206D Relevance: .0, Instructions: 12COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C42B68 Relevance: .0, Instructions: 12COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C0097A Relevance: .0, Instructions: 11COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C45EA7 Relevance: .0, Instructions: 7COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C4BDA8 Relevance: .0, Instructions: 6COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C49FB0 Relevance: .0, Instructions: 5COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C49FAF Relevance: .0, Instructions: 4COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C4156A Relevance: 1.4, Strings: 1, Instructions: 132COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C413D5 Relevance: 1.4, Strings: 1, Instructions: 130COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C41464 Relevance: 1.4, Strings: 1, Instructions: 126COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C41305 Relevance: 1.4, Strings: 1, Instructions: 124COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C41701 Relevance: 1.4, Strings: 1, Instructions: 118COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C410E1 Relevance: 1.4, Strings: 1, Instructions: 110COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C416BA Relevance: 1.4, Strings: 1, Instructions: 110COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C410F0 Relevance: 1.4, Strings: 1, Instructions: 109COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C4112B Relevance: 1.4, Strings: 1, Instructions: 105COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C414F1 Relevance: 1.4, Strings: 1, Instructions: 103COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C41254 Relevance: 1.4, Strings: 1, Instructions: 102COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C411D0 Relevance: 1.3, Strings: 1, Instructions: 98COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09DCD8F0 Relevance: .4, Instructions: 406COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C4E3B8 Relevance: .3, Instructions: 320COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09D91BB8 Relevance: .3, Instructions: 281COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C457CD Relevance: .2, Instructions: 225COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09C4591D Relevance: .2, Instructions: 215COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|