Edit tour
Windows
Analysis Report
PDFONLINE.exe
Overview
General Information
| Sample name: | PDFONLINE.exe |
| Analysis ID: | 1587451 |
| MD5: | 8268f8ad872d9ca06152019676fbe0bf |
| SHA1: | 4ad8baab93a10ced110b768a4c4cfa054262293e |
| SHA256: | 423612aa03d476e3a3d7b21d7daf3fae2a9a5d7b6c2097961ca2df5e38958e79 |
| Tags: | exeuser-zhuzhu0009 |
| Infos: |   |
 | |
Detection
| Score: | 84 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Allocates memory in foreign processes
Drops large PE files
Injects a PE file into a foreign processes
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
PDFONLINE.exe (PID: 7416 cmdline: "C:\Users\ user\Deskt op\PDFONLI NE.exe" MD5: 8268F8AD872D9CA06152019676FBE0BF) 
csc.exe (PID: 7644 cmdline: "C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\csc .exe" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
System Summary |   |
|---|
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | IP Address: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Binary or memory string: | ||
System Summary | |
|---|
| Source: | File dump: | Jump to dropped file | ||
| Source: | Code function: | 3_2_05AE3C88 | |
| Source: | Code function: | 3_2_05AE3C7C | |
| Source: | Code function: | 3_2_076D0990 | |
| Source: | Code function: | 3_2_076DF078 | |
| Source: | Code function: | 3_2_076D24F8 | |
| Source: | Code function: | 3_2_076DDAB2 | |
| Source: | Code function: | 3_2_076DF008 | |
| Source: | Code function: | 3_2_076E0F08 | |
| Source: | Code function: | 3_2_076E55E0 | |
| Source: | Code function: | 3_2_076ED28F | |
| Source: | Code function: | 3_2_076E0F43 | |
| Source: | Code function: | 3_2_076E570C | |
| Source: | Code function: | 3_2_076E0FB4 | |
| Source: | Code function: | 3_2_076E0EF7 | |
| Source: | Code function: | 3_2_076ED5C7 | |
| Source: | Code function: | 3_2_076E55D1 | |
| Source: | Code function: | 3_2_076E1474 | |
| Source: | Code function: | 3_2_076EE338 | |
| Source: | Code function: | 3_2_076E4BE8 | |
| Source: | Code function: | 3_2_076E13FF | |
| Source: | Code function: | 3_2_076E4BD9 | |
| Source: | Code function: | 3_2_076E138C | |
| Source: | Code function: | 3_2_076E123C | |
| Source: | Code function: | 3_2_076E12C2 | |
| Source: | Code function: | 3_2_076E10C0 | |
| Source: | Code function: | 3_2_0A704148 | |
| Source: | Code function: | 3_2_0A7027F8 | |
| Source: | Code function: | 3_2_0A701BE0 | |
| Source: | Code function: | 3_2_0A706FA0 | |
| Source: | Code function: | 3_2_0A7042E7 | |
| Source: | Code function: | 3_2_0A70413B | |
| Source: | Code function: | 3_2_0A701F28 | |
| Source: | Code function: | 3_2_0A7073F2 | |
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Static PE information: | ||
| Source: | WMI Queries: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
Data Obfuscation | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 3_2_05AE4075 | |
| Source: | Code function: | 3_2_05AE6D29 | |
| Source: | Code function: | 3_2_076956F5 | |
| Source: | Code function: | 3_2_07697437 | |
| Source: | Code function: | 3_2_076DCA71 | |
| Source: | Code function: | 3_2_076E9ECD | |
| Source: | Code function: | 3_2_076E9517 | |
| Source: | Code function: | 3_2_076E4BB9 | |
| Source: | File created: | Jump to dropped file | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 3_2_076DF388 | |
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | WMI Queries: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 131 Windows Management Instrumentation | 1 Registry Run Keys / Startup Folder | 31 Process Injection | 1 Masquerading | 11 Input Capture | 131 Security Software Discovery | Remote Services | 11 Input Capture | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Registry Run Keys / Startup Folder | 11 Disable or Modify Tools | LSASS Memory | 141 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 141 Virtualization/Sandbox Evasion | Security Account Manager | 1 Application Window Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 31 Process Injection | NTDS | 123 System Information Discovery | Distributed Component Object Model | Input Capture | 1 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 64% | Virustotal | Browse | ||
| 66% | ReversingLabs | Win32.Trojan.Leonem | ||
| 100% | Avira | HEUR/AGEN.1356008 |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | high | |
| newstaticfreepoint24.ddns-ip.net | 181.71.216.203 | true | false | high | |
| 53.210.109.20.in-addr.arpa | unknown | unknown | false | unknown | |
| 171.39.242.20.in-addr.arpa | unknown | unknown | false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 181.71.216.203 | newstaticfreepoint24.ddns-ip.net | Colombia | 27831 | ColombiaMovilCO | false |
| Joe Sandbox version: | 42.0.0 Malachite |
| Analysis ID: | 1587451 |
| Start date and time: | 2025-01-10 11:53:36 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 6m 51s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 7 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | PDFONLINE.exe |
| Detection: | MAL |
| Classification: | mal84.evad.winEXE@3/1@4/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200, 20.242.39.171, 20.109.210.53, 52.149.20.212
- Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target PDFONLINE.exe, PID 7416 because it is empty
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtProtectVirtualMemory calls found.
| Time | Type | Description |
|---|---|---|
| 05:54:51 | API Interceptor | |
| 10:54:57 | Autostart | |
| 10:55:06 | Autostart |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 181.71.216.203 | Get hash | malicious | Unknown | Browse | ||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| s-part-0017.t-0009.t-msedge.net | Get hash | malicious | HTMLPhisher | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| newstaticfreepoint24.ddns-ip.net | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| ColombiaMovilCO | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
⊘No context
⊘No context
| Process: | C:\Users\user\Desktop\PDFONLINE.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 959567731 |
| Entropy (8bit): | 0.0652813896429866 |
| Encrypted: | false |
| SSDEEP: | |
| MD5: | F56CC7221C1047EE75D1F3B5564C2532 |
| SHA1: | 1DF2E795FEA113FAA56489893F1F0759E3C60282 |
| SHA-256: | 597AC5A2438E6E81D6605055FC4264689BFBFABC684322571C3B8980C26F4410 |
| SHA-512: | F3A197684EA2E7FD74BDAE825A0F6EDAE3D23E893BA066FBDEEB8B44CE7C833A1F9FB9221C08EAB2A89A85E58EB6C02CA2C7FE2800CA538D4776EB904C326044 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.298308694296775 |
| TrID: |
|
| File name: | PDFONLINE.exe |
| File size: | 4'623'872 bytes |
| MD5: | 8268f8ad872d9ca06152019676fbe0bf |
| SHA1: | 4ad8baab93a10ced110b768a4c4cfa054262293e |
| SHA256: | 423612aa03d476e3a3d7b21d7daf3fae2a9a5d7b6c2097961ca2df5e38958e79 |
| SHA512: | 6f61224c28cd91735dafd8e24a65497c3cfef2c42742318defc5f1cf1f596128c43dc903741b0aa595fd660c06bb8f899afdc67c56b1cfc88a97b615e9b3a546 |
| SSDEEP: | 49152:B02lJK8pPNTM7Pn8keVBA8gDzh1WCrkpVgrZk1eDPPzxRjRz:/tRM7cBezWskp2rO1eD9RjRz |
| TLSH: | 552639B5D443CC06D86B09BFE02AE8FC51163EB5E01BA53B6689FE1F727329110D8997 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...9Y J...............8......F..v................@..........................0Q............... ............................ |
 | |
| Icon Hash: | 0316165c38300009 |
| Entrypoint: | 0x4012a0 |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED |
| DLL Characteristics: | |
| Time Stamp: | 0x4A205939 [Fri May 29 21:52:57 2009 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | f539b8cfd7163416a01a457780573bcc |
| Signature Valid: | |
| Signature Issuer: | |
| Signature Validation Error: | |
| Error Number: | |
| Not Before, Not After | |
| Subject Chain | |
| Version: | |
| Thumbprint MD5: | |
| Thumbprint SHA-1: | |
| Thumbprint SHA-256: | |
| Serial: |
| Instruction |
|---|
| push ebp |
| mov ebp, esp |
| sub esp, 08h |
| mov dword ptr [esp], 00000002h |
| inc eax |
| inc ebx |
| call 00007F2B20BE4181h |
| cwde |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x147000 | 0x22a8 | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x14a000 | 0x3c8ed8 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0xd9c00 | 0xd40 | .bss |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x2fba4 | 0x2fc00 | f3a19dd5351a46ffd4a68fd24142272c | False | 0.5039164757853403 | data | 6.419425852354698 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0x31000 | 0x1be6c | 0x1c000 | 2573c1642aa463c4bc52f58b5f546e74 | False | 0.23196847098214285 | data | 3.5614541661296633 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rdata | 0x4d000 | 0x51840 | 0x51a00 | 88526616148575c822f3e50ea377b0a0 | False | 0.35188253732771824 | data | 5.692765508385372 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
| .bss | 0x9f000 | 0xa7498 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .idata | 0x147000 | 0x22a8 | 0x2400 | 4fade12cc973756fc00928df13bc15b5 | False | 0.3541666666666667 | data | 5.3115523582028406 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x14a000 | 0x3c8ed8 | 0x3c9000 | d0a75d3fa91d5dc4368cb201edca1889 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_CURSOR | 0x14a900 | 0x25ac | data | 0.24865201161343842 | ||
| RT_CURSOR | 0x14ceac | 0x2ec | data | 0.5133689839572193 | ||
| RT_BITMAP | 0x14d198 | 0x4a6c | PC bitmap, Windows 3.x format, 3157 x 2 x 39, image size 19635, cbSize 19052, bits offset 54 | 0.9246798236405627 | ||
| RT_BITMAP | 0x151c04 | 0x23f28 | Device independent bitmap graphic, 920 x 40 x 32, image size 147200, resolution 3503 x 3503 px/m | 0.22595082857919044 | ||
| RT_BITMAP | 0x175b2c | 0x19f98 | Device independent bitmap graphic, 782 x 34 x 32, image size 106352, resolution 3543 x 3543 px/m | 0.17136626814046169 | ||
| RT_BITMAP | 0x18fac4 | 0x84800 | PC bitmap, Windows 3.x format, 67983 x 2 x 38, image size 542879, cbSize 542720, bits offset 54 | 0.9938955630896227 | ||
| RT_BITMAP | 0x2142c4 | 0x3106e | Device independent bitmap graphic, 571 x 117 x 24, image size 200774, resolution 2834 x 2834 px/m | English | United States | 0.10916569561883135 |
| RT_ICON | 0x245334 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | 0.10497752277298 | ||
| RT_ICON | 0x255b5c | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 0 | 0.33982306121845135 | ||
| RT_ICON | 0x297b84 | 0x1ae8 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9520905923344948 |
| RT_ICON | 0x29966c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.16130705394190872 |
| RT_ICON | 0x29bc14 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.21177298311444653 |
| RT_ICON | 0x29ccbc | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | English | United States | 0.3168032786885246 |
| RT_ICON | 0x29d644 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.4175531914893617 |
| RT_ICON | 0x29daac | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.21083489681050657 |
| RT_ICON | 0x29eb54 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | English | United States | 0.34672131147540985 |
| RT_ICON | 0x29f4dc | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.38652482269503546 |
| RT_MENU | 0x29f944 | 0xd62 | data | 0.4349095154699358 | ||
| RT_MENU | 0x2a06a8 | 0x7e | data | English | United States | 0.6746031746031746 |
| RT_DIALOG | 0x2a0728 | 0x3e8 | data | 0.714 | ||
| RT_DIALOG | 0x2a0b10 | 0x336 | data | 0.6545012165450121 | ||
| RT_DIALOG | 0x2a0e48 | 0x118 | data | English | United States | 0.6392857142857142 |
| RT_DIALOG | 0x2a0f60 | 0x2f0 | data | English | United States | 0.4747340425531915 |
| RT_DIALOG | 0x2a1250 | 0x146 | data | English | United States | 0.6533742331288344 |
| RT_RCDATA | 0x2a1398 | 0x9c27a | Delphi compiled form 'TdmMain' | 0.24911274057628868 | ||
| RT_RCDATA | 0x33d614 | 0x46d3b | Delphi compiled form 'TfHint' | 0.2587700400197169 | ||
| RT_RCDATA | 0x384350 | 0xf7ece | Delphi compiled form 'TfPNGMessage' | 0.11165807649812605 | ||
| RT_RCDATA | 0x47c220 | 0x136fe | Delphi compiled form '\016TfrmAutoTuning' | 0.6008490968925063 | ||
| RT_RCDATA | 0x48f920 | 0x20b55 | Delphi compiled form 'TMainForm' | 0.4496726952445642 | ||
| RT_RCDATA | 0x4b0478 | 0x5fd99 | Delphi compiled form '\023TOperationModeFrame\022OperationModeFrame' | 0.5496929452548516 | ||
| RT_MESSAGETABLE | 0x510214 | 0x2840 | data | 0.31570263975155277 | ||
| RT_GROUP_ICON | 0x512a54 | 0x4c | data | English | United States | 0.7894736842105263 |
| RT_GROUP_ICON | 0x512aa0 | 0x30 | data | English | United States | 0.9583333333333334 |
| RT_VERSION | 0x512ad0 | 0x284 | data | English | United States | 0.4549689440993789 |
| RT_MANIFEST | 0x512d54 | 0x181 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.6623376623376623 |
| DLL | Import |
|---|---|
| ADVAPI32.DLL | CloseServiceHandle, ControlService, CreateServiceA, DeleteService, InitializeSecurityDescriptor, OpenSCManagerA, OpenServiceA, QueryServiceStatus, RegCloseKey, RegCreateKeyA, RegDeleteKeyA, RegOpenKeyA, RegQueryValueExA, RegSetValueExA, SetSecurityDescriptorDacl, StartServiceA |
| COMCTL32.DLL | InitCommonControlsEx |
| GDI32.dll | BitBlt, CombineRgn, CreateCompatibleDC, CreateDCA, CreateDIBSection, CreateFontA, CreateRectRgn, CreateSolidBrush, DeleteDC, DeleteObject, ExtCreateRegion, GdiFlush, GetDIBits, GetObjectA, GetRegionData, SelectObject, SetBkColor, SetBkMode, SetDIBits, SetTextColor |
| IMAGEHLP.DLL | ImageLoad, ImageUnload, ReBaseImage |
| KERNEL32.dll | AddAtomA, AddVectoredExceptionHandler, CloseHandle, CreateFileA, CreateFileMappingA, CreateMutexA, CreateProcessA, CreateThread, CreateToolhelp32Snapshot, DeviceIoControl, ExitProcess, FindAtomA, FindClose, FindFirstFileA, FindNextFileA, FormatMessageA, FreeLibrary, GetAtomNameA, GetComputerNameA, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetDllDirectoryA, GetFileSize, GetLastError, GetModuleFileNameA, GetModuleHandleA, GetProcAddress, GetSystemTime, GetSystemTimes, GetVersionExA, GlobalAlloc, GlobalLock, GlobalMemoryStatus, GlobalUnlock, LoadLibraryA, LoadLibraryExA, MapViewOfFile, Module32First, Module32Next, MultiByteToWideChar, OpenFileMappingA, OpenMutexA, OpenProcess, Process32First, Process32Next, ReadFile, ReadProcessMemory, RemoveVectoredExceptionHandler, ResumeThread, SetDllDirectoryA, SetEnvironmentVariableA, SetLastError, SetUnhandledExceptionFilter, Sleep, SuspendThread, TerminateThread, Thread32First, Thread32Next, UnmapViewOfFile, VirtualQuery, WaitForSingleObject, WideCharToMultiByte |
| OLE32.dll | CoCreateInstance, CoInitialize, CoUninitialize, CreateStreamOnHGlobal, OleInitialize, OleUninitialize |
| OLEAUT32.DLL | SysAllocString, SysFreeString |
| SHELL32.DLL | SHGetFolderPathA, Shell_NotifyIconA |
| SHLWAPI.DLL | UrlUnescapeA |
| USER32.dll | BeginDeferWindowPos, BeginPaint, CallNextHookEx, ClientToScreen, CopyIcon, CreateDialogParamA, CreateWindowExA, DefWindowProcA, DeferWindowPos, DestroyMenu, DestroyWindow, DispatchMessageA, DrawTextExA, EnableWindow, EndDeferWindowPos, EndDialog, EndPaint, EnumChildWindows, EnumDisplayDevicesA, EnumDisplayMonitors, FindWindowA, GetAsyncKeyState, GetClassNameA, GetClientRect, GetCursorPos, GetDC, GetDlgItem, GetIconInfo, GetMessageA, GetMonitorInfoA, GetRawInputData, GetRawInputDeviceInfoA, GetRawInputDeviceList, GetRegisteredRawInputDevices, GetSubMenu, GetSystemMetrics, GetWindow, GetWindowLongA, GetWindowRect, GetWindowTextA, IntersectRect, IsDialogMessageA, IsWindow, IsWindowUnicode, LoadCursorFromFileA, LoadIconA, LoadImageA, LoadMenuA, MessageBoxA, MonitorFromRect, PeekMessageA, PostMessageA, PostMessageW, RegisterClassA, RegisterClassExA, RegisterHotKey, RegisterRawInputDevices, RegisterWindowMessageA, ReleaseDC, ScreenToClient, SendInput, SendMessageA, SendMessageW, SetCursorPos, SetForegroundWindow, SetLayeredWindowAttributes, SetSystemCursor, SetWindowLongA, SetWindowPos, SetWindowRgn, SetWindowTextA, SetWindowsHookExA, ShowWindow, SystemParametersInfoA, TrackPopupMenu, TranslateMessage, UnhookWindowsHookEx, UnregisterClassA, UpdateLayeredWindow |
| WS2_32.DLL | WSAAsyncSelect, WSACleanup, WSAGetLastError, WSAStartup, accept, bind, closesocket, connect, gethostbyname, getsockname, htons, inet_ntoa, listen, ntohs, recv, send, setsockopt, socket |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 10, 2025 11:54:52.532896996 CET | 49864 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:54:52.538670063 CET | 30203 | 49864 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:54:52.538748026 CET | 49864 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:54:52.590078115 CET | 49864 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:54:52.594897032 CET | 30203 | 49864 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:54:52.594974041 CET | 49864 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:54:52.599909067 CET | 30203 | 49864 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:55:06.091767073 CET | 60925 | 53 | 192.168.2.9 | 162.159.36.2 |
| Jan 10, 2025 11:55:06.096596003 CET | 53 | 60925 | 162.159.36.2 | 192.168.2.9 |
| Jan 10, 2025 11:55:06.097450018 CET | 60925 | 53 | 192.168.2.9 | 162.159.36.2 |
| Jan 10, 2025 11:55:06.102294922 CET | 53 | 60925 | 162.159.36.2 | 192.168.2.9 |
| Jan 10, 2025 11:55:06.593044043 CET | 60925 | 53 | 192.168.2.9 | 162.159.36.2 |
| Jan 10, 2025 11:55:06.598027945 CET | 53 | 60925 | 162.159.36.2 | 192.168.2.9 |
| Jan 10, 2025 11:55:06.598107100 CET | 60925 | 53 | 192.168.2.9 | 162.159.36.2 |
| Jan 10, 2025 11:55:13.914653063 CET | 30203 | 49864 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:55:13.915406942 CET | 49864 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:55:13.922895908 CET | 49864 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:55:13.927726030 CET | 30203 | 49864 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:55:14.164055109 CET | 60964 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:55:14.168853045 CET | 30203 | 60964 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:55:14.168991089 CET | 60964 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:55:14.169857979 CET | 60964 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:55:14.174628973 CET | 30203 | 60964 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:55:14.174767971 CET | 60964 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:55:14.179569006 CET | 30203 | 60964 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:55:35.536966085 CET | 30203 | 60964 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:55:35.537125111 CET | 60964 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:55:35.537348032 CET | 60964 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:55:35.542185068 CET | 30203 | 60964 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:55:35.648099899 CET | 60965 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:55:35.653539896 CET | 30203 | 60965 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:55:35.653634071 CET | 60965 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:55:35.654340029 CET | 60965 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:55:35.659084082 CET | 30203 | 60965 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:55:35.659169912 CET | 60965 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:55:35.663961887 CET | 30203 | 60965 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:55:57.058604002 CET | 30203 | 60965 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:55:57.058670998 CET | 60965 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:55:57.058841944 CET | 60965 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:55:57.063607931 CET | 30203 | 60965 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:55:57.163501978 CET | 60966 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:55:57.168348074 CET | 30203 | 60966 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:55:57.168451071 CET | 60966 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:55:57.169116020 CET | 60966 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:55:57.173934937 CET | 30203 | 60966 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:55:57.174005985 CET | 60966 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:55:57.178812027 CET | 30203 | 60966 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:56:18.542574883 CET | 30203 | 60966 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:56:18.542674065 CET | 60966 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:56:18.542778015 CET | 60966 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:56:18.547581911 CET | 30203 | 60966 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:56:18.648184061 CET | 60967 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:56:18.653328896 CET | 30203 | 60967 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:56:18.653403044 CET | 60967 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:56:18.654208899 CET | 60967 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:56:18.662364006 CET | 30203 | 60967 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:56:18.664446115 CET | 60967 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:56:18.669210911 CET | 30203 | 60967 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:56:30.523996115 CET | 60967 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:56:30.528887033 CET | 30203 | 60967 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:56:30.528959990 CET | 60967 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:56:30.533754110 CET | 30203 | 60967 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:56:33.820437908 CET | 60967 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:56:33.825417995 CET | 30203 | 60967 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:56:33.825608969 CET | 60967 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:56:33.830507994 CET | 30203 | 60967 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:56:36.826651096 CET | 60967 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:56:36.831537008 CET | 30203 | 60967 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:56:36.831607103 CET | 60967 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:56:36.836420059 CET | 30203 | 60967 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:56:40.028099060 CET | 30203 | 60967 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:56:40.028181076 CET | 60967 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 10, 2025 11:54:52.499445915 CET | 63645 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 10, 2025 11:54:52.529359102 CET | 53 | 63645 | 1.1.1.1 | 192.168.2.9 |
| Jan 10, 2025 11:55:06.061768055 CET | 53 | 50427 | 162.159.36.2 | 192.168.2.9 |
| Jan 10, 2025 11:55:06.691771984 CET | 62873 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 10, 2025 11:55:06.699726105 CET | 53 | 62873 | 1.1.1.1 | 192.168.2.9 |
| Jan 10, 2025 11:55:08.099780083 CET | 55008 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 10, 2025 11:55:08.115267992 CET | 53 | 55008 | 1.1.1.1 | 192.168.2.9 |
| Jan 10, 2025 11:55:14.119262934 CET | 50460 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 10, 2025 11:55:14.163132906 CET | 53 | 50460 | 1.1.1.1 | 192.168.2.9 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Jan 10, 2025 11:54:52.499445915 CET | 192.168.2.9 | 1.1.1.1 | 0xd944 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 10, 2025 11:55:06.691771984 CET | 192.168.2.9 | 1.1.1.1 | 0xcf53 | Standard query (0) | PTR (Pointer record) | IN (0x0001) | false | |
| Jan 10, 2025 11:55:08.099780083 CET | 192.168.2.9 | 1.1.1.1 | 0xf58e | Standard query (0) | PTR (Pointer record) | IN (0x0001) | false | |
| Jan 10, 2025 11:55:14.119262934 CET | 192.168.2.9 | 1.1.1.1 | 0x1908 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jan 10, 2025 11:54:25.822184086 CET | 1.1.1.1 | 192.168.2.9 | 0x3c3a | No error (0) | s-part-0017.t-0009.t-msedge.net | CNAME (Canonical name) | IN (0x0001) | false | ||
| Jan 10, 2025 11:54:25.822184086 CET | 1.1.1.1 | 192.168.2.9 | 0x3c3a | No error (0) | 13.107.246.45 | A (IP address) | IN (0x0001) | false | ||
| Jan 10, 2025 11:54:52.529359102 CET | 1.1.1.1 | 192.168.2.9 | 0xd944 | No error (0) | 181.71.216.203 | A (IP address) | IN (0x0001) | false | ||
| Jan 10, 2025 11:55:06.699726105 CET | 1.1.1.1 | 192.168.2.9 | 0xcf53 | Name error (3) | none | none | PTR (Pointer record) | IN (0x0001) | false | |
| Jan 10, 2025 11:55:08.115267992 CET | 1.1.1.1 | 192.168.2.9 | 0xf58e | Name error (3) | none | none | PTR (Pointer record) | IN (0x0001) | false | |
| Jan 10, 2025 11:55:14.163132906 CET | 1.1.1.1 | 192.168.2.9 | 0x1908 | No error (0) | 181.71.216.203 | A (IP address) | IN (0x0001) | false |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 05:54:29 |
| Start date: | 10/01/2025 |
| Path: | C:\Users\user\Desktop\PDFONLINE.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 4'623'872 bytes |
| MD5 hash: | 8268F8AD872D9CA06152019676FBE0BF |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 05:54:48 |
| Start date: | 10/01/2025 |
| Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x1000000 |
| File size: | 2'141'552 bytes |
| MD5 hash: | EB80BB1CA9B9C7F516FF69AFCFD75B7D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | moderate |
| Has exited: | false |
Function 004012A0 Relevance: .0, Instructions: 7COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 6.5% |
| Dynamic/Decrypted Code Coverage: | 100% |
| Signature Coverage: | 29.6% |
| Total number of Nodes: | 27 |
| Total number of Limit Nodes: | 5 |
Graph
Function 076E138C Relevance: 2.6, Strings: 2, Instructions: 125COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076ED28F Relevance: 2.4, Strings: 1, Instructions: 1146COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076ED5C7 Relevance: 1.7, Strings: 1, Instructions: 495COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076DF008 Relevance: 1.7, APIs: 1, Instructions: 164COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076DF078 Relevance: 1.6, APIs: 1, Instructions: 144COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A701BE0 Relevance: 1.5, Strings: 1, Instructions: 238COMMON
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076E12C2 Relevance: 1.4, Strings: 1, Instructions: 135COMMON
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076E0F43 Relevance: 1.4, Strings: 1, Instructions: 128COMMON
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076E123C Relevance: 1.4, Strings: 1, Instructions: 128COMMON
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076E1474 Relevance: 1.4, Strings: 1, Instructions: 125COMMON
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076E0FB4 Relevance: 1.4, Strings: 1, Instructions: 124COMMON
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076E13FF Relevance: 1.4, Strings: 1, Instructions: 116COMMON
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076E0EF7 Relevance: 1.4, Strings: 1, Instructions: 114COMMON
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076E10C0 Relevance: 1.4, Strings: 1, Instructions: 114COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076E0F08 Relevance: 1.4, Strings: 1, Instructions: 112COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076D0990 Relevance: .6, Instructions: 552COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A706FA0 Relevance: .4, Instructions: 367COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A70413B Relevance: .3, Instructions: 301COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A7073F2 Relevance: .3, Instructions: 299COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A704148 Relevance: .3, Instructions: 276COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A7027F8 Relevance: .3, Instructions: 266COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076E55D1 Relevance: .2, Instructions: 221COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A7042E7 Relevance: .2, Instructions: 218COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076E55E0 Relevance: .2, Instructions: 216COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076E570C Relevance: .2, Instructions: 205COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 05AE3C7C Relevance: .2, Instructions: 151COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 05AE3C88 Relevance: .1, Instructions: 149COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076DF388 Relevance: .1, Instructions: 102COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A701BD4 Relevance: 2.7, Strings: 2, Instructions: 201COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 05AEC198 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A701BD7 Relevance: 1.5, Strings: 1, Instructions: 235COMMON
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 05AEC348 Relevance: 1.3, APIs: 1, Instructions: 49COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076E67AD Relevance: .8, Instructions: 800COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A120078 Relevance: .6, Instructions: 597COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076EF751 Relevance: .5, Instructions: 527COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A120810 Relevance: .4, Instructions: 362COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076E14F8 Relevance: .3, Instructions: 308COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A705E60 Relevance: .3, Instructions: 300COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A7027EC Relevance: .3, Instructions: 265COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076EC318 Relevance: .2, Instructions: 221COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A7064A8 Relevance: .2, Instructions: 209COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076E4FE0 Relevance: .2, Instructions: 203COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076E4FF0 Relevance: .2, Instructions: 197COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A120CC8 Relevance: .2, Instructions: 183COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076EF030 Relevance: .2, Instructions: 180COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076E1548 Relevance: .2, Instructions: 162COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076EABE0 Relevance: .2, Instructions: 156COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076E5CF8 Relevance: .1, Instructions: 144COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076EB5F8 Relevance: .1, Instructions: 141COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076E53AB Relevance: .1, Instructions: 123COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076E55B3 Relevance: .1, Instructions: 121COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A705A81 Relevance: .1, Instructions: 120COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A707548 Relevance: .1, Instructions: 119COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076EC638 Relevance: .1, Instructions: 117COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076EB483 Relevance: .1, Instructions: 108COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A70001F Relevance: .1, Instructions: 101COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076EC7C8 Relevance: .1, Instructions: 101COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A705AB0 Relevance: .1, Instructions: 99COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A7050D4 Relevance: .1, Instructions: 95COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A704ECE Relevance: .1, Instructions: 92COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A704E42 Relevance: .1, Instructions: 91COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076EB5E9 Relevance: .1, Instructions: 91COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A700040 Relevance: .1, Instructions: 90COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A704DEB Relevance: .1, Instructions: 90COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076EF020 Relevance: .1, Instructions: 90COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A704DF8 Relevance: .1, Instructions: 89COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A704FA5 Relevance: .1, Instructions: 88COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A704FE5 Relevance: .1, Instructions: 87COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A7051C8 Relevance: .1, Instructions: 87COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A705126 Relevance: .1, Instructions: 85COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076EA1A0 Relevance: .1, Instructions: 84COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A7050F2 Relevance: .1, Instructions: 83COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A70517C Relevance: .1, Instructions: 83COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076EEAE1 Relevance: .1, Instructions: 83COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076EE9F8 Relevance: .1, Instructions: 83COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076EA1B0 Relevance: .1, Instructions: 82COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A707648 Relevance: .1, Instructions: 80COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A7076EF Relevance: .1, Instructions: 80COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A704E9C Relevance: .1, Instructions: 80COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076E5B08 Relevance: .1, Instructions: 78COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A704FB7 Relevance: .1, Instructions: 77COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076EF687 Relevance: .1, Instructions: 77COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A7051B4 Relevance: .1, Instructions: 76COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A705073 Relevance: .1, Instructions: 74COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A705053 Relevance: .1, Instructions: 74COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A705214 Relevance: .1, Instructions: 74COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A705033 Relevance: .1, Instructions: 73COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076E9F20 Relevance: .1, Instructions: 73COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076EB390 Relevance: .1, Instructions: 73COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076EF698 Relevance: .1, Instructions: 72COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076EA911 Relevance: .1, Instructions: 70COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076EB3A0 Relevance: .1, Instructions: 67COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076E5D6B Relevance: .1, Instructions: 66COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A120CAC Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A703548 Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076EA01F Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A707791 Relevance: .1, Instructions: 59COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076EBD41 Relevance: .1, Instructions: 59COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076EA030 Relevance: .1, Instructions: 59COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076EBD50 Relevance: .1, Instructions: 55COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076EBAC1 Relevance: .1, Instructions: 55COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076EB993 Relevance: .1, Instructions: 55COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076E5F78 Relevance: .1, Instructions: 53COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A705DB7 Relevance: .1, Instructions: 51COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A12005C Relevance: .0, Instructions: 49COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A7077A0 Relevance: .0, Instructions: 48COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A704CC8 Relevance: .0, Instructions: 46COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A704CD8 Relevance: .0, Instructions: 45COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A705DC8 Relevance: .0, Instructions: 44COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076907F0 Relevance: .0, Instructions: 43COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A703E51 Relevance: .0, Instructions: 41COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076E2C5A Relevance: .0, Instructions: 41COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076EADCB Relevance: .0, Instructions: 39COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076EAE28 Relevance: .0, Instructions: 38COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076EEA80 Relevance: .0, Instructions: 38COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076E1889 Relevance: .0, Instructions: 35COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076ED193 Relevance: .0, Instructions: 34COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 07690800 Relevance: .0, Instructions: 34COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A704020 Relevance: .0, Instructions: 33COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A703E60 Relevance: .0, Instructions: 32COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076E91E7 Relevance: .0, Instructions: 32COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076E1898 Relevance: .0, Instructions: 31COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076E5F77 Relevance: .0, Instructions: 28COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076908F5 Relevance: .0, Instructions: 28COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A704030 Relevance: .0, Instructions: 27COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A702CE8 Relevance: .0, Instructions: 27COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A704D99 Relevance: .0, Instructions: 26COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076ED1A0 Relevance: .0, Instructions: 26COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076936A0 Relevance: .0, Instructions: 25COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076EA89F Relevance: .0, Instructions: 24COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A7052B8 Relevance: .0, Instructions: 23COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076E1FDD Relevance: .0, Instructions: 22COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076E5CB8 Relevance: .0, Instructions: 22COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A704DA8 Relevance: .0, Instructions: 20COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076E5CC8 Relevance: .0, Instructions: 20COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076EA863 Relevance: .0, Instructions: 20COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A702CF8 Relevance: .0, Instructions: 19COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076E2CA1 Relevance: .0, Instructions: 19COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076EA8B0 Relevance: .0, Instructions: 18COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 07690925 Relevance: .0, Instructions: 18COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076EA868 Relevance: .0, Instructions: 17COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A705D8B Relevance: .0, Instructions: 15COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A705801 Relevance: .0, Instructions: 14COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A7061CF Relevance: .0, Instructions: 12COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076E8B38 Relevance: .0, Instructions: 10COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A7051E2 Relevance: .0, Instructions: 9COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076E2B19 Relevance: .0, Instructions: 8COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076E5C6F Relevance: .0, Instructions: 7COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076E9F10 Relevance: .0, Instructions: 5COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076EBD2E Relevance: .0, Instructions: 5COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076E9F0F Relevance: .0, Instructions: 4COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0A701F28 Relevance: 1.5, Strings: 1, Instructions: 281COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076D24F8 Relevance: .6, Instructions: 623COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076DDAB2 Relevance: .4, Instructions: 406COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076EE338 Relevance: .3, Instructions: 332COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076E4BE8 Relevance: .3, Instructions: 314COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 076E4BD9 Relevance: .2, Instructions: 203COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|