Windows
Analysis Report
QwMcsmYcxv.exe
Overview
General Information
Sample name: | QwMcsmYcxv.exe (renamed because the original name is a hash value) |
Original sample name: | 31c1b7a32fed169045d32fda5b53a1bcc9e2919ef9217b3232380f89869204c7.exe |
Analysis ID: | 1588009 |
MD5: | a8a4aa9c047894582f100213370da8de |
SHA1: | e7b4d9747c787599947d9944cc90ed36c31984b4 |
SHA256: | 31c1b7a32fed169045d32fda5b53a1bcc9e2919ef9217b3232380f89869204c7 |
Tags: | exe, user-adrian__luca |
Detection
Score: | 100 (range 0 - 100) |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- QwMcsmYcxv.exe (PID: 5060, cmdline: "C:\Users\user\Desktop\QwMcsmYcxv.exe", MD5: A8A4AA9C047894582F100213370DA8DE)
  - vitrailist.exe (PID: 6228, cmdline: "C:\Users\user\Desktop\QwMcsmYcxv.exe", MD5: A8A4AA9C047894582F100213370DA8DE)
  - RegSvcs.exe (PID: 2016, cmdline: "C:\Users\user\Desktop\QwMcsmYcxv.exe", MD5: 9D352BC46709F0CB5EC974633A0C3C94)
- wscript.exe (PID: 6600, cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vitrailist.vbs", MD5: A47CBE969EA935BDD3AB568BB126BC80)
  - vitrailist.exe (PID: 5612, cmdline: "C:\Users\user\AppData\Local\savagenesses\vitrailist.exe", MD5: A8A4AA9C047894582F100213370DA8DE)
  - RegSvcs.exe (PID: 2936, cmdline: "C:\Users\user\AppData\Local\savagenesses\vitrailist.exe", MD5: 9D352BC46709F0CB5EC974633A0C3C94)
- cleanup
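The process tree above already tells most of the story of this sample: a copy of the submitted file runs as vitrailist.exe from %LocalAppData%\savagenesses, a .vbs in the per-user Startup folder relaunches it through wscript.exe after reboot, and two RegSvcs.exe processes (a Microsoft-signed .NET binary, per the differing MD5) are reported with the dropper's command line rather than their own. The following Python is an added example, not part of the report: it transcribes the six records as constructed input and runs three triage checks over them. The reading of an image/command-line mismatch as a hollowed or spoofed launch is an analyst interpretation of the record, not a finding stated on this page.

```python
import re

# Process records transcribed from the report's process tree above (constructed
# input for this example): (PID, image name, command line, image MD5).
SAMPLE_MD5 = "A8A4AA9C047894582F100213370DA8DE"
PROCESSES = [
    (5060, "QwMcsmYcxv.exe", r'"C:\Users\user\Desktop\QwMcsmYcxv.exe"', SAMPLE_MD5),
    (6228, "vitrailist.exe", r'"C:\Users\user\Desktop\QwMcsmYcxv.exe"', SAMPLE_MD5),
    (2016, "RegSvcs.exe", r'"C:\Users\user\Desktop\QwMcsmYcxv.exe"', "9D352BC46709F0CB5EC974633A0C3C94"),
    (6600, "wscript.exe",
     r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vitrailist.vbs"',
     "A47CBE969EA935BDD3AB568BB126BC80"),
    (5612, "vitrailist.exe", r'"C:\Users\user\AppData\Local\savagenesses\vitrailist.exe"', SAMPLE_MD5),
    (2936, "RegSvcs.exe", r'"C:\Users\user\AppData\Local\savagenesses\vitrailist.exe"', "9D352BC46709F0CB5EC974633A0C3C94"),
]

STARTUP_DIR = "\\start menu\\programs\\startup\\"


def split_cmdline(cmdline):
    """Windows-style argv split: a double-quoted token keeps its spaces."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(win_path):
    return win_path.rsplit("\\", 1)[-1]


def triage_process(image, cmdline, md5, sample_md5=SAMPLE_MD5):
    """Return the list of indicators that fire for one process record."""
    argv = split_cmdline(cmdline)
    exe = basename(argv[0]).lower() if argv else ""
    findings = []
    # 1. Image name and argv[0] disagree: the process carries another executable's
    #    command line, which is how a hollowed or spoofed launch shows up in the tree.
    if exe and exe != image.lower():
        findings.append("image/cmdline mismatch")
    # 2. A script host started with a script that lives in the per-user Startup folder.
    if image.lower() in ("wscript.exe", "cscript.exe") and any(STARTUP_DIR in a.lower() for a in argv[1:]):
        findings.append("startup-folder script")
    # 3. The submitted sample's hash running under a new name and path below AppData.
    if md5.upper() == sample_md5 and exe == image.lower() and "\\appdata\\" in argv[0].lower():
        findings.append("sample copy under AppData")
    return findings


def triage_all(processes=PROCESSES):
    return {pid: triage_process(image, cmdline, md5) for pid, image, cmdline, md5 in processes}


if __name__ == "__main__":
    for pid, findings in triage_all().items():
        print(pid, findings or "-")
```

Run against the six records, PIDs 6228, 2016 and 2936 fire the mismatch check, 6600 the Startup-folder check and 5612 the sample-copy check; the submitted process 5060 is clean. The same three checks apply unchanged to Sysmon event ID 1 or EDR process-creation telemetry, where the image path is the reliable field and the command line is attacker-controlled.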
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
AsyncRAT | AsyncRAT is an open-source Remote Access Tool (RAT) built to monitor and control other computers remotely over an encrypted connection. Although published as a remote administration tool, it is widely used maliciously: it ships a keylogger, remote desktop control and many other functions that can harm the victim's computer, and it is delivered by spear-phishing, malvertising, exploit kits and other techniques. | No Attribution | | |
Extracted configuration:

```json
{
  "Server": "87.120.120.15",
  "Ports": "4449",
  "Version": "Venom RAT + HVNC + Stealer + Grabber v6.0.3",
  "Autorun": "false",
  "Install_Folder": "%AppData%",
  "AES_key": "TQLFQ6mc9u7BHgxDjLp81iV3aaBO8VYS",
  "Mutex": "ykpleyrgtopul",
  "Certificate": "MIICOTCCAaKgAwIBAgIVAPyfwFFMs6hxoSr1U5gHJmBruaj1MA0GCSqGSIb3DQEBDQUAMGoxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEfMB0GA1UECgwWVmVub21SQVQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDgxNDA5NDEwOVoXDTMzMDUyMzA5NDEwOVowEzERMA8GA1UEAwwIVmVub21SQVQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMk9aXYluIabmb8kV7b5XTizjGIK0IH5qWN260bNCSIKNt2zQOLq6jGfh+VvAA/ddzW3TGyxBUMbya8CatcEPCCiU4SEc8xjyE/n8+O0uya4p8g4ooTRIrNFHrRVySKchyTv32rce963WWvmj+qDvwUHHkEY+Dsjf46C40vWLDxAgMBAAGjMjAwMB0GA1UdDgQWBBQsonRhlv8vx7fdxs/nJE8fsLDixjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAAVFFK4iQZ7aqDrUwV6nj3VoXFOcHVo+g9p9ikiXT8DjC2iQioCrN3cN4+w7YOkjPDL+fP3A7v+EI9z1lwEHgAqFPY7tF7sT9JEFtq/+XPM9bgDZnh4o1EWLq7Zdm66whSYsGIPR8wJdtjw6U396lrRHe6ODtIGB/JXyYYIdaVrz",
  "ServerSignature": "JgLAoU7z2h5ztjgJ107mkXDKXrjqjBaXNgmcHT1JB80YxZazv3rpCpW4vO1BVxX6Z1xN6UZadE4NYMoHerQBaq9xh238WY0SsNjDaDUlFNBWfXRcsImsGP2YvhgirLXO8qPFPrpN8gfruDqI3o4DpSPtlxP6gMxOuIbIWCkqZgk=",
  "BDOS": "null",
  "External_config_on_Pastebin": "false"
}
```
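The configuration carries the C2 server's self-signed X.509 certificate and a ServerSignature, the pair the AsyncRAT code base (and its VenomRAT and DcRAT forks) uses to pin a client to one operator's server. The following Python is an added example, not part of this report or of the sandbox's extractor: it decodes the certificate with a minimal stdlib DER walker and reports issuer, subject, validity window, signature algorithm and RSA key size, then checks that the ServerSignature length matches the modulus. The last check, that the ServerSignature is an RSA/SHA-256 PKCS#1 v1.5 signature over the UTF-8 bytes of the AES key string, is an assumption taken from the public AsyncRAT client source, not from this page; every other field is read straight from the DER.

```python
import base64
import hashlib

# Values copied verbatim from the extracted configuration above.
CERT_B64 = "MIICOTCCAaKgAwIBAgIVAPyfwFFMs6hxoSr1U5gHJmBruaj1MA0GCSqGSIb3DQEBDQUAMGoxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEfMB0GA1UECgwWVmVub21SQVQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDgxNDA5NDEwOVoXDTMzMDUyMzA5NDEwOVowEzERMA8GA1UEAwwIVmVub21SQVQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMk9aXYluIabmb8kV7b5XTizjGIK0IH5qWN260bNCSIKNt2zQOLq6jGfh+VvAA/ddzW3TGyxBUMbya8CatcEPCCiU4SEc8xjyE/n8+O0uya4p8g4ooTRIrNFHrRVySKchyTv32rce963WWvmj+qDvwUHHkEY+Dsjf46C40vWLDxAgMBAAGjMjAwMB0GA1UdDgQWBBQsonRhlv8vx7fdxs/nJE8fsLDixjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAAVFFK4iQZ7aqDrUwV6nj3VoXFOcHVo+g9p9ikiXT8DjC2iQioCrN3cN4+w7YOkjPDL+fP3A7v+EI9z1lwEHgAqFPY7tF7sT9JEFtq/+XPM9bgDZnh4o1EWLq7Zdm66whSYsGIPR8wJdtjw6U396lrRHe6ODtIGB/JXyYYIdaVrz"
SIG_B64 = "JgLAoU7z2h5ztjgJ107mkXDKXrjqjBaXNgmcHT1JB80YxZazv3rpCpW4vO1BVxX6Z1xN6UZadE4NYMoHerQBaq9xh238WY0SsNjDaDUlFNBWfXRcsImsGP2YvhgirLXO8qPFPrpN8gfruDqI3o4DpSPtlxP6gMxOuIbIWCkqZgk="
AES_KEY = "TQLFQ6mc9u7BHgxDjLp81iV3aaBO8VYS"


def der_read(buf, pos=0):
    """Decode one DER TLV at buf[pos]; return (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the contents of a constructed TLV into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


NAME_OIDS = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.10": "O", "2.5.4.11": "OU"}


def decode_name(value):
    """X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, string } -> {"CN": ..., ...}."""
    out = {}
    for _, rdn in der_children(value):
        for _, atv in der_children(rdn):
            (_, oid), (_, text) = der_children(atv)
            out[NAME_OIDS.get(decode_oid(oid), decode_oid(oid))] = text.decode("utf-8")
    return out


def parse_certificate(der):
    """Pull the fields an analyst wants from an X.509 certificate using only the stdlib."""
    _, cert, _ = der_read(der)
    (_, tbs), (_, sig_alg), (_, sig_bits) = der_children(cert)
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                   # explicit [0] version is optional
        fields = fields[1:]
    (_, serial), (_, _tbs_alg), (_, issuer), (_, validity), (_, subject), (_, spki) = fields[:6]
    _, pubkey_bits = der_children(spki)[1]
    _, rsa_key, _ = der_read(pubkey_bits[1:])  # skip the BIT STRING unused-bits byte
    (_, n_raw), (_, e_raw) = der_children(rsa_key)
    not_before, not_after = (v.decode("ascii") for _, v in der_children(validity))
    return {
        "serial": int.from_bytes(serial, "big"),
        "sig_alg_oid": decode_oid(der_children(sig_alg)[0][1]),
        "issuer": decode_name(issuer),
        "subject": decode_name(subject),
        "not_before": not_before,
        "not_after": not_after,
        "n": int.from_bytes(n_raw, "big"),
        "e": int.from_bytes(e_raw, "big"),
        "cert_signature": sig_bits[1:],
    }


SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")


def rsa_verify_pkcs1v15_sha256(message, signature, n, e):
    """Textbook RSA public operation plus the PKCS#1 v1.5 encoding check."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    t = SHA256_DIGEST_INFO + hashlib.sha256(message).digest()
    return em == b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def triage_config(cert_b64=CERT_B64, sig_b64=SIG_B64, key=AES_KEY):
    info = parse_certificate(base64.b64decode(cert_b64))
    sig = base64.b64decode(sig_b64)
    info["modulus_bits"] = info["n"].bit_length()
    info["server_signature_len"] = len(sig)
    # ASSUMPTION (from the public AsyncRAT client source, not from this report): the
    # client verifies ServerSignature as RSA/SHA-256 over the UTF-8 bytes of the key string.
    info["signature_verifies_over_key"] = rsa_verify_pkcs1v15_sha256(key.encode(), sig, info["n"], info["e"])
    return info


if __name__ == "__main__":
    for k, v in triage_config().items():
        print(f"{k}: {v if k != 'cert_signature' else v.hex()[:16] + '...'}")
```

Run as is, the certificate decodes to issuer CN "VenomRAT Server", OU "qwqdanchun", O "VenomRAT By qwqdanchun", L "SH", C "CN" and subject CN "VenomRAT", valid from 220814094109Z to 330523094109Z, signed with sha512WithRSAEncryption (1.2.840.113549.1.1.13) over a 1024-bit RSA key with e = 65537; the ServerSignature is 128 bytes, matching the modulus size. The issuer string corroborates the qwqdanchun attribution of the Sekoia.io rule below, and because the server generates this certificate once at setup, the certificate and signature pair is a stable pivot for linking other samples to the same panel.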
YARA matches (5 entries):

Rule | Description | Author |
---|---|---|
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
rat_win_dcrat_qwqdanchun | Find DcRAT samples (qwqdanchun) based on specific strings | Sekoia.io |
INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen |
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |

YARA matches (10 entries, first 5 shown):

Rule | Description | Author |
---|---|---|
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
rat_win_dcrat_qwqdanchun | Find DcRAT samples (qwqdanchun) based on specific strings | Sekoia.io |
INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen |
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
rat_win_dcrat_qwqdanchun | Find DcRAT samples (qwqdanchun) based on specific strings | Sekoia.io |
System Summary |
---|
Source: | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community |
Source: | Author: Michael Haag |
Data Obfuscation |
---|
Source: | Author: Joe Security |
AV Detection |
---|
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: | (2 hits) |
Source: | Virustotal: | Perma Link (2 hits) |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: | (2 hits) |
Source: | Static PE information: |
Source: | Binary string: | (2 hits) |
Source: | Code function: | 0_2_0103445A, 0_2_0103C75C, 0_2_0103C6D1, 0_2_0103EF95, 0_2_0103F0F2, 0_2_0103F3F3, 0_2_010337EF, 0_2_01033B12, 0_2_0103BCBC, 2_2_0101445A, 2_2_0101C75C, 2_2_0101C6D1, 2_2_0101EF95, 2_2_0101F0F2, 2_2_0101F3F3, 2_2_010137EF, 2_2_01013B12, 2_2_0101BCBC |
Source: | TCP traffic: | (2 hits) |
Source: | ASN Name: |
Source: | TCP traffic detected without corresponding DNS query: | (50 hits) |
Source: | Code function: | 0_2_010422EE |
Source: | String found in binary or memory: |
Key, Mouse, Clipboard, Microphone and Screen Capturing |
---|
Source: | File source: | (11 hits) |
Source: | Code function: | 0_2_01044164 |
Source: | Code function: | 0_2_01044164, 2_2_01024164 |
Source: | Code function: | 0_2_01043F66 |
Source: | Code function: | 0_2_0103001C |
Source: | Code function: | 0_2_0105CABC, 2_2_0103CABC |
System Summary |
---|
Source: | Matched rule: | (14 hits) |
Source: | Code function: | 0_2_00FD3B3A |
Source: | String found in binary or memory: | memstr_9ebe339d-8, memstr_569f768f-4, memstr_fbe0d0eb-3, memstr_2aceb43d-0 (5 hits) |
Source: | Code function: | 2_2_00FB3B3A |
Source: | String found in binary or memory: | memstr_4372a714-3, memstr_cd270d5f-0, memstr_c7607427-a, memstr_52ff4584-4, memstr_e9242de3-3, memstr_0896d5e2-b, memstr_a10555ca-f, memstr_eb30bd11-c (9 hits) |
Source: | COM Object queried: |
Source: | Code function: | 3_2_008970A8, 3_2_00896C52, 7_2_01846CC0, 7_2_0184686A |
Source: | Code function: | 0_2_0103A1EF |
Source: | Code function: | 0_2_01028310 |
Source: | Code function: | 0_2_010351BD, 2_2_010151BD |
Source: | Code function: | 0_2_00FDE6A0, 0_2_00FFD975, 0_2_00FDFCE0, 0_2_00FF21C5, 0_2_010503DA, 0_2_010062D2, 0_2_00FF25FA, 0_2_0100242E, 0_2_00FE66E1, 0_2_0100878F, 0_2_0102E616, 0_2_00FE8808, 0_2_01006844, 0_2_01050857, 0_2_01038889, 0_2_00FFCB21, 0_2_01006DB6, 0_2_00FE6F9E, 0_2_00FE3030, 0_2_00FFF1D9, 0_2_00FF3187, 0_2_00FD1287, 0_2_00FF1484, 0_2_00FE5520, 0_2_00FF7696, 0_2_00FE5760, 0_2_00FF1978, 0_2_01009AB5, 0_2_01057DDB, 0_2_00FFBDA6, 0_2_00FF1D90, 0_2_00FE3FE0, 0_2_00FDDF00, 0_2_012EA4B0, 2_2_00FBE6A0, 2_2_00FDD975, 2_2_00FBFCE0, 2_2_00FD21C5, 2_2_00FE62D2, 2_2_010303DA, 2_2_00FE242E, 2_2_00FD25FA, 2_2_00FC66E1, 2_2_0100E616, 2_2_00FE878F, 2_2_00FE6844, 2_2_00FC8808, 2_2_01030857, 2_2_01018889, 2_2_00FDCB21, 2_2_00FE6DB6, 2_2_00FC6F9E, 2_2_00FC3030, 2_2_00FDF1D9, 2_2_00FD3187, 2_2_00FB1287, 2_2_00FD1484, 2_2_00FC5520, 2_2_00FD7696, 2_2_00FC5760, 2_2_00FD1978, 2_2_00FE9AB5, 2_2_01037DDB, 2_2_00FDBDA6, 2_2_00FD1D90, 2_2_00FC3FE0, 2_2_00FBDF00, 2_2_01A89C68, 3_2_008964D8, 3_2_00895240, 3_2_00895B10, 3_2_008964C8, 3_2_00896C52, 3_2_00894EF8, 6_2_01BD97B0, 7_2_018460F0, 7_2_01845728, 7_2_01844E58, 7_2_018460E0, 7_2_0184686A, 7_2_01844B10 (81 hits) |
Source: | Static PE information: |
Source: | Matched rule: | (14 hits) |
Source: | Classification label: |
Source: | Code function: | 0_2_0103A06A |
Source: | Code function: | 0_2_010281CB, 0_2_010287E1, 2_2_010081CB, 2_2_010087E1 |
Source: | Code function: | 0_2_0103B333 |
Source: | Code function: | 0_2_0104EE0D |
Source: | Code function: | 0_2_0103C397 |
Source: | Code function: | 0_2_00FD4E89 |
Source: | File created: |
Source: | Mutant created: | (2 hits) |
Source: | File created: |
Source: | Process created: |
Source: | Static PE information: |
Source: | File read: |
Source: | Key opened: |
Source: | ReversingLabs: |
Source: | Virustotal: |
Source: | File read: |
Source: | Process created: | (10 hits) |
Source: | Section loaded: | (72 hits) |
Source: | Key value queried: |
Source: | Static PE information: | (6 hits) |
Source: | Static PE information: |
Source: | Binary string: | (2 hits) |
Source: | Static PE information: | (5 hits) |
Source: | Code function: | 0_2_00FD4B37 |
Source: | Code function: | 0_2_00FF8958, 2_2_00FD8958, 7_2_01841282 |
Source: | File created (dropped file): |
Boot Survival |
---|
Source: | File source: | (11 hits) |
Source: | File created (dropped file): |
Source: | File created: |
Source: | File created: |
Source: | Code function: | 0_2_00FD48D7, 0_2_01055376, 2_2_00FB48D7, 2_2_01035376 |
Source: | Code function: | 0_2_00FF3187 |
Source: | Process information set: | (99 hits) |
Malware Analysis System Evasion |
---|
Source: | File source: | (11 hits) |
Source: | WMI Queries: | (2 hits) |
Source: | API/Special instruction interceptor: | (2 hits) |
Source: | Binary or memory string: |
Source: | Thread delayed: |
Source: | Window found: |
Source: | Evasive API call chain: | graph_0-105247 (2 hits) |
Source: | API coverage: | (2 hits) |
Source: | File Volume queried: | (2 hits) |
Source: | Code function: | 0_2_0103445A, 0_2_0103C75C, 0_2_0103C6D1, 0_2_0103EF95, 0_2_0103F0F2, 0_2_0103F3F3, 0_2_010337EF, 0_2_01033B12, 0_2_0103BCBC, 2_2_0101445A, 2_2_0101C75C, 2_2_0101C6D1, 2_2_0101EF95, 2_2_0101F0F2, 2_2_0101F3F3, 2_2_010137EF, 2_2_01013B12, 2_2_0101BCBC |
Source: | Code function: | 0_2_00FD49A0 |
Source: | Thread delayed: |
Source: | Binary or memory string: | (2 hits) |
Source: | API call chain: |
Source: | Code function: | 0_2_01043F09 |
Source: | Code function: | 0_2_00FD3B3A |
Source: | Code function: | 0_2_01005A7C |
Source: | Code function: | 0_2_00FD4B37 |
Source: | Code function: | 0_2_012EA340, 0_2_012EA3A0, 0_2_012E8D30, 2_2_01A884E8, 2_2_01A89B58, 2_2_01A89AF8, 6_2_01BD8030, 6_2_01BD96A0, 6_2_01BD9640 |
Source: | Code function: | 0_2_0102810A |
Source: | Code function: | 0_2_00FFA155, 0_2_00FFA124, 2_2_00FDA155, 2_2_00FDA124 |
Source: | Memory allocated: |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior |
Source: | Code function: | 0_2_010287B1 |
Source: | Code function: | 0_2_00FD3B3A |
Source: | Code function: | 0_2_00FD48D7 |
Source: | Code function: | 0_2_01034C27 |
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Code function: | 0_2_01027CAF |
Source: | Code function: | 0_2_0102874B |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Code function: | 0_2_00FF862B |
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior |
Source: | Code function: | 0_2_01004E87 |
Source: | Code function: | 0_2_01011E06 |
Source: | Code function: | 0_2_01003F3A |
Source: | Code function: | 0_2_00FD49A0 |
Lowering of HIPS / PFW / Operating System Security Settings |
---|
Source: | Code function: | 0_2_01046283 | |
Source: | Code function: | 0_2_01046747 | |
Source: | Code function: | 2_2_01026283 | |
Source: | Code function: | 2_2_01026747 |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | 111 Scripting | 2 Valid Accounts | 1 Windows Management Instrumentation | 111 Scripting | 1 Exploitation for Privilege Escalation | 11 Disable or Modify Tools | 21 Input Capture | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
Credentials | Domains | Default Accounts | 2 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 21 Input Capture | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | 2 Scheduled Task/Job | 2 Valid Accounts | 2 Valid Accounts | 22 Obfuscated Files or Information | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | 2 Scheduled Task/Job | 21 Access Token Manipulation | 1 DLL Side-Loading | NTDS | 127 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | 2 Registry Run Keys / Startup Folder | 212 Process Injection | 1 Masquerading | LSA Secrets | 441 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 2 Scheduled Task/Job | 2 Valid Accounts | Cached Domain Credentials | 11 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | 2 Registry Run Keys / Startup Folder | 11 Virtualization/Sandbox Evasion | DCSync | 2 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 212 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
66% | ReversingLabs | Win32.Trojan.AutoitInject | ||
68% | Virustotal | Browse | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Joe Sandbox ML | |||
66% | ReversingLabs | Win32.Trojan.AutoitInject | ||
68% | Virustotal | Browse |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
87.120.120.15 | unknown | Bulgaria | 25206 | UNACS-AS-BG8000BurgasBG | true |
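The single contacted IP, flagged malicious above, is the sample's command-and-control endpoint; the TCP timeline further down in this report shows the client opening a fresh connection to 87.120.120.15:4449 from a new source port roughly every 4.6 seconds. The following is an added example, not part of the Joe Sandbox report, that turns that observation into detection logic: it parses timeline rows in the report's own column format (a subset of the rows copied from the report serves as constructed input), recovers client-originated flows without TCP flags by treating the first-seen direction of each 4-tuple as the initiator, and flags destinations that receive new connections at a near-constant interval. The thresholds (at least four connections, coefficient of variation of the gaps at most 0.2) are this example's assumptions, not values from the report.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed input: rows copied from the report's network timeline (a subset
# that includes reply packets and the DNS lookup so both filters are exercised).
SAMPLE_ROWS = """\
Jan 10, 2025 20:30:10.581687927 CET | 49226 | 53 | 192.168.2.6 | 1.1.1.1 |
Jan 10, 2025 20:30:10.586601973 CET | 53 | 49226 | 1.1.1.1 | 192.168.2.6 |
Jan 10, 2025 20:30:10.646583080 CET | 49227 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:10.651451111 CET | 4449 | 49227 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:12.233629942 CET | 4449 | 49227 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:15.264694929 CET | 49254 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:15.269548893 CET | 4449 | 49254 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:19.912029982 CET | 49284 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:24.635988951 CET | 49312 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:29.302891016 CET | 49344 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:33.942745924 CET | 49377 | 4449 | 192.168.2.6 | 87.120.120.15 |
"""

ROW_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(?P<frac>\d+) \w+ \| "
    r"(?P<sport>\d+) \| (?P<dport>\d+) \| (?P<src>[\d.]+) \| (?P<dst>[\d.]+) \|"
)
EPOCH = datetime(1970, 1, 1)


def parse_row(line):
    """One timeline row -> (seconds, sport, dport, src, dst); None for non-packet lines."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    base = datetime.strptime(m["ts"], "%b %d, %Y %H:%M:%S")
    seconds = (base - EPOCH).total_seconds() + int(m["frac"]) / 10 ** len(m["frac"])
    return seconds, int(m["sport"]), int(m["dport"]), m["src"], m["dst"]


def flow_starts(lines):
    """First timestamp of every client-originated flow, keyed by 4-tuple.
    The timeline carries no TCP flags, so the initiator is taken to be whichever
    side sent the first packet; the reversed 4-tuple (the reply) is skipped."""
    packets = sorted(p for p in map(parse_row, lines) if p is not None)
    flows = {}
    for t, sport, dport, src, dst in packets:
        key, reverse = (src, sport, dst, dport), (dst, dport, src, sport)
        if key not in flows and reverse not in flows:
            flows[key] = t
    return flows


def find_beacons(lines, min_connections=4, max_jitter=0.2):
    """Flag (dst, dport) pairs that receive >= min_connections new flows whose
    inter-arrival gaps have a coefficient of variation <= max_jitter."""
    by_dest = defaultdict(list)
    for (_src, _sport, dst, dport), t in flow_starts(lines).items():
        by_dest[(dst, dport)].append(t)
    findings = []
    for (dst, dport), times in by_dest.items():
        if len(times) < min_connections:
            continue  # the single DNS lookup to 1.1.1.1:53 never qualifies
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if jitter <= max_jitter:
            findings.append({"dst": dst, "dport": dport, "connections": len(times),
                             "mean_interval_s": round(mean, 2), "jitter": round(jitter, 3)})
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_ROWS.splitlines()):
        print(finding)
```

On the rows above this reports one destination, 87.120.120.15:4449, six connections at a mean interval of about 4.66 s with a jitter of under 1 %. The same function works on NetFlow or Zeek conn logs once each record is mapped to the 4-tuple plus timestamp; for implants that randomise their sleep, loosen `max_jitter` and rely on the connection count instead.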
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1588009 |
Start date and time: | 2025-01-10 20:28:59 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 7m 19s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 9 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | QwMcsmYcxv.exerenamed because original name is a hash value |
Original Sample Name: | 31c1b7a32fed169045d32fda5b53a1bcc9e2919ef9217b3232380f89869204c7.exe |
Detection: | MAL |
Classification: | mal100.troj.expl.evad.winEXE@10/8@0/1 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197
- Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size exceeded maximum capacity and may have missing disassembly code.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description |
---|---|---|
14:31:06 | API Interceptor | |
20:29:58 | Autostart |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
UNACS-AS-BG8000BurgasBG | Get hash | | malicious | RedLine | Browse | |
UNACS-AS-BG8000BurgasBG | Get hash | | malicious | RedLine | Browse | |
UNACS-AS-BG8000BurgasBG | Get hash | | malicious | RedLine | Browse | |
UNACS-AS-BG8000BurgasBG | Get hash | | malicious | RedLine | Browse | |
UNACS-AS-BG8000BurgasBG | Get hash | | malicious | XWorm | Browse | |
UNACS-AS-BG8000BurgasBG | Get hash | | malicious | Remcos, PureLog Stealer | Browse | |
UNACS-AS-BG8000BurgasBG | Get hash | | malicious | Remcos | Browse | |
UNACS-AS-BG8000BurgasBG | Get hash | | malicious | XWorm | Browse | |
UNACS-AS-BG8000BurgasBG | Get hash | | malicious | XWorm | Browse | |
UNACS-AS-BG8000BurgasBG | Get hash | | malicious | DarkVision Rat | Browse | |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1159 |
Entropy (8bit): | 5.3458720040787515 |
Encrypted: | false |
SSDEEP: | 24:ML9E4KiE4KnKDE4KhKiKhPKIE4oKNzKoZAE4KzeosXE4qdKm:MxHKiHKnYHKh3oPtHo6hAHKzePHA |
MD5: | F4BD67337451E88A079DB354803152AE |
SHA1: | C0868134496119FD7E829734007B6315D8329ADF |
SHA-256: | 793FC6B03B54B8944DB2E17259D1CF5AEC12D6BB09D87374FAD3041149E17340 |
SHA-512: | 0A2AFB2E03C37DF278D5DE9095928A5D04059815749C9DD5F4DE9DF6ED4A01BF0E4FBC2C9BCA51216EE3447DD8A3233CAF00D5C28BE064F7CE836221543999AC |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\QwMcsmYcxv.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 59076 |
Entropy (8bit): | 7.7757700298022785 |
Encrypted: | false |
SSDEEP: | 1536:/lS/OvOzs5NGZEloPvRSDRdemn2PmBrQmk/tB:/NTGZEloP52keqr |
MD5: | 5CA5663395ED6CFB8E9F4D1B6C89793A |
SHA1: | C20A37A9DD9A3D5B13A3466689F131D79130A4DA |
SHA-256: | 9D2A31DA233A05E4F24D04F4ED85CEF2A0F01576AE843E6F501CE313B0B5EACA |
SHA-512: | 3E20C19BE274E32CC152CE3CF1A669BA8C10A6878BDDACECF3C34FDAEBC6B3E0CDABAB81ED39397FCE78C796217C765C99339D74A4F6B5AA6D95AA405180D521 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\AppData\Local\savagenesses\vitrailist.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 59076 |
Entropy (8bit): | 7.7757700298022785 |
Encrypted: | false |
SSDEEP: | 1536:/lS/OvOzs5NGZEloPvRSDRdemn2PmBrQmk/tB:/NTGZEloP52keqr |
MD5: | 5CA5663395ED6CFB8E9F4D1B6C89793A |
SHA1: | C20A37A9DD9A3D5B13A3466689F131D79130A4DA |
SHA-256: | 9D2A31DA233A05E4F24D04F4ED85CEF2A0F01576AE843E6F501CE313B0B5EACA |
SHA-512: | 3E20C19BE274E32CC152CE3CF1A669BA8C10A6878BDDACECF3C34FDAEBC6B3E0CDABAB81ED39397FCE78C796217C765C99339D74A4F6B5AA6D95AA405180D521 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\AppData\Local\savagenesses\vitrailist.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 59076 |
Entropy (8bit): | 7.7757700298022785 |
Encrypted: | false |
SSDEEP: | 1536:/lS/OvOzs5NGZEloPvRSDRdemn2PmBrQmk/tB:/NTGZEloP52keqr |
MD5: | 5CA5663395ED6CFB8E9F4D1B6C89793A |
SHA1: | C20A37A9DD9A3D5B13A3466689F131D79130A4DA |
SHA-256: | 9D2A31DA233A05E4F24D04F4ED85CEF2A0F01576AE843E6F501CE313B0B5EACA |
SHA-512: | 3E20C19BE274E32CC152CE3CF1A669BA8C10A6878BDDACECF3C34FDAEBC6B3E0CDABAB81ED39397FCE78C796217C765C99339D74A4F6B5AA6D95AA405180D521 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\QwMcsmYcxv.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 75776 |
Entropy (8bit): | 6.773205847805882 |
Encrypted: | false |
SSDEEP: | 1536:U/dCOkNaGg61IXiMDu3LsUD0it1N52QZyt7HXo:U/dCOKao8iMgJDDVy7HY |
MD5: | 4BE3A6E947BCFAB9DF6E7D8B46A1E469 |
SHA1: | 87E8D307342B7240661EC626A4B234BFD454BB06 |
SHA-256: | 1E0BDE0130CBDF5BF6343A5BD3A290F03ABDD27487227B07DFA141217E01F5D0 |
SHA-512: | CAACABEE707284A7B846A7BC7F8B40A48F91B188B251CD33E8D33088595F37D34DF8A06D31A2135099AAB9F6D9C111DD5B5D017A1388ECE3E1B5551B43E67FED |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\QwMcsmYcxv.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 973312 |
Entropy (8bit): | 6.86141398806319 |
Encrypted: | false |
SSDEEP: | 24576:Gu6J33O0c+JY5UZ+XC0kGso6Fat0svhWWY:Iu0c++OCvkGs9Fat0sv7Y |
MD5: | A8A4AA9C047894582F100213370DA8DE |
SHA1: | E7B4D9747C787599947D9944CC90ED36C31984B4 |
SHA-256: | 31C1B7A32FED169045D32FDA5B53A1BCC9E2919EF9217B3232380F89869204C7 |
SHA-512: | 235B0A604D73EA9A45C3DB63693CF1A6EE3F38EA783C22568AF233252A41C7018DD77B96F70020E2E97C0F2843B316B270A023D95983C55CDC72C6ECC86DF0C9 |
Malicious: | true |
Antivirus: |
|
Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vitrailist.vbs
Process: | C:\Users\user\AppData\Local\savagenesses\vitrailist.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 292 |
Entropy (8bit): | 3.364286340009046 |
Encrypted: | false |
SSDEEP: | 6:DMM8lfm3OOQdUfclzXUEZ+lX1WlEQGMMlAND1EWSAnriIM8lfQVn:DsO+vNlDQ1nQGMk0OWDmA2n |
MD5: | AC57D291672E9F36FAA7AA3788D7FEB3 |
SHA1: | 2548C5BA1BFE6AF5FA2D42E38E549545B0BB129B |
SHA-256: | 7B240DE600CFCDF76076692646889CECA3DE1BBA682EF3251555156FB00A5561 |
SHA-512: | 605BCBEFA20EDB705578F4E091C4303591C367DF362D11E97944B58324194068D795B6648538FF6EE3B6564680C85FBD18C6E9C50F26423681B6D9FD96058E8A |
Malicious: | true |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8 |
Entropy (8bit): | 2.75 |
Encrypted: | false |
SSDEEP: | 3:Rt:v |
MD5: | CF759E4C5F14FE3EEC41B87ED756CEA8 |
SHA1: | C27C796BB3C2FAC929359563676F4BA1FFADA1F5 |
SHA-256: | C9F9F193409217F73CC976AD078C6F8BF65D3AABCF5FAD3E5A47536D47AA6761 |
SHA-512: | C7F832AEE13A5EB36D145F35D4464374A9E12FA2017F3C2257442D67483B35A55ECCAE7F7729243350125B37033E075EFBC2303839FD86B81B9B4DCA3626953B |
Malicious: | false |
Preview: |
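The eight dropped-file records above overlap: three of them are the same 59,076-byte file (SHA-256 9D2A31DA...) written by two different processes, and the 973,312-byte file dropped by QwMcsmYcxv.exe carries the sample's own SHA-256, i.e. the sample writes a copy of itself, which is consistent with that copy being the C:\Users\user\AppData\Local\savagenesses\vitrailist.exe that writes the later records and the Startup-folder vitrailist.vbs. The following is an added example, not from the report, that collapses such records by hash for IOC extraction. Its input is the Process, Size, SHA-256 and Malicious fields copied from the records above in the report's "key: | value |" layout; the record boundaries (a new record starts at each Process line) are this example's assumption.

```python
import re

SAMPLE_SHA256 = "31c1b7a32fed169045d32fda5b53a1bcc9e2919ef9217b3232380f89869204c7"

# Constructed input: four fields from each of the eight dropped-file records above.
DROPPED_RECORDS = r"""
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Size (bytes): | 1159 |
SHA-256: | 793FC6B03B54B8944DB2E17259D1CF5AEC12D6BB09D87374FAD3041149E17340 |
Malicious: | false |
Process: | C:\Users\user\Desktop\QwMcsmYcxv.exe |
Size (bytes): | 59076 |
SHA-256: | 9D2A31DA233A05E4F24D04F4ED85CEF2A0F01576AE843E6F501CE313B0B5EACA |
Malicious: | false |
Process: | C:\Users\user\AppData\Local\savagenesses\vitrailist.exe |
Size (bytes): | 59076 |
SHA-256: | 9D2A31DA233A05E4F24D04F4ED85CEF2A0F01576AE843E6F501CE313B0B5EACA |
Malicious: | false |
Process: | C:\Users\user\AppData\Local\savagenesses\vitrailist.exe |
Size (bytes): | 59076 |
SHA-256: | 9D2A31DA233A05E4F24D04F4ED85CEF2A0F01576AE843E6F501CE313B0B5EACA |
Malicious: | false |
Process: | C:\Users\user\Desktop\QwMcsmYcxv.exe |
Size (bytes): | 75776 |
SHA-256: | 1E0BDE0130CBDF5BF6343A5BD3A290F03ABDD27487227B07DFA141217E01F5D0 |
Malicious: | false |
Process: | C:\Users\user\Desktop\QwMcsmYcxv.exe |
Size (bytes): | 973312 |
SHA-256: | 31C1B7A32FED169045D32FDA5B53A1BCC9E2919EF9217B3232380F89869204C7 |
Malicious: | true |
Process: | C:\Users\user\AppData\Local\savagenesses\vitrailist.exe |
Size (bytes): | 292 |
SHA-256: | 7B240DE600CFCDF76076692646889CECA3DE1BBA682EF3251555156FB00A5561 |
Malicious: | true |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Size (bytes): | 8 |
SHA-256: | C9F9F193409217F73CC976AD078C6F8BF65D3AABCF5FAD3E5A47536D47AA6761 |
Malicious: | false |
"""

FIELD_RE = re.compile(r"^(Process|Size \(bytes\)|SHA-256|Malicious): \| (.*?) \|$")


def parse_records(text):
    """Split the flat 'key: | value |' lines into one dict per record;
    a Process line opens a new record."""
    records, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        key, value = m.groups()
        if key == "Process" and current:
            records.append(current)
            current = {}
        current[key] = value.strip()
    if current:
        records.append(current)
    return records


def unique_artifacts(text, sample_sha256):
    """Collapse records by SHA-256. Each entry keeps the size, the set of writing
    processes, whether any record was flagged malicious, and whether the hash is
    the analysed sample itself (a self-copy, the usual first step of persistence)."""
    artifacts = {}
    for rec in parse_records(text):
        sha = rec["SHA-256"].lower()
        entry = artifacts.setdefault(sha, {
            "size": int(rec["Size (bytes)"]),
            "writers": set(),
            "malicious": False,
            "self_copy": sha == sample_sha256.lower(),
        })
        entry["writers"].add(rec["Process"])
        entry["malicious"] = entry["malicious"] or rec["Malicious"].lower() == "true"
    return artifacts


def ioc_lines(artifacts):
    """One shareable line per unique file, self-copies marked."""
    return [f"{sha}  size={a['size']}  malicious={a['malicious']}  self_copy={a['self_copy']}"
            for sha, a in sorted(artifacts.items())]


if __name__ == "__main__":
    for line in ioc_lines(unique_artifacts(DROPPED_RECORDS, SAMPLE_SHA256)):
        print(line)
```

Eight records collapse to six unique files; two carry the malicious flag (the self-copy and the 292-byte Startup-folder script), and the 59,076-byte file shows both the original sample and the relocated copy as writers, which is the hand-over from first execution to the persisted instance.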
File type: | |
Entropy (8bit): | 6.86141398806319 |
TrID: |
|
File name: | QwMcsmYcxv.exe |
File size: | 973'312 bytes |
MD5: | a8a4aa9c047894582f100213370da8de |
SHA1: | e7b4d9747c787599947d9944cc90ed36c31984b4 |
SHA256: | 31c1b7a32fed169045d32fda5b53a1bcc9e2919ef9217b3232380f89869204c7 |
SHA512: | 235b0a604d73ea9a45c3db63693cf1a6ee3f38ea783c22568af233252a41c7018dd77b96f70020e2e97c0f2843b316b270a023d95983c55cdc72c6ecc86df0c9 |
SSDEEP: | 24576:Gu6J33O0c+JY5UZ+XC0kGso6Fat0svhWWY:Iu0c++OCvkGs9Fat0sv7Y |
TLSH: | 3825AE22B3DDC360CB669173BF69B7016EBF7C610630B85B2F980D7DA950162162D7A3 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}. |
Icon Hash: | aaf3e3e3938382a0 |
Entrypoint: | 0x427dcd |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x675C4A35 [Fri Dec 13 14:52:37 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 1 |
File Version Major: | 5 |
File Version Minor: | 1 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 1 |
Import Hash: | afcdf79be1557326c854b6e20cb900a7 |
Instruction |
---|
call 00007F78848859BAh |
jmp 00007F7884878784h |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
push edi |
push esi |
mov esi, dword ptr [esp+10h] |
mov ecx, dword ptr [esp+14h] |
mov edi, dword ptr [esp+0Ch] |
mov eax, ecx |
mov edx, ecx |
add eax, esi |
cmp edi, esi |
jbe 00007F788487890Ah |
cmp edi, eax |
jc 00007F7884878C6Eh |
bt dword ptr [004C31FCh], 01h |
jnc 00007F7884878909h |
rep movsb |
jmp 00007F7884878C1Ch |
cmp ecx, 00000080h |
jc 00007F7884878AD4h |
mov eax, edi |
xor eax, esi |
test eax, 0000000Fh |
jne 00007F7884878910h |
bt dword ptr [004BE324h], 01h |
jc 00007F7884878DE0h |
bt dword ptr [004C31FCh], 00000000h |
jnc 00007F7884878AADh |
test edi, 00000003h |
jne 00007F7884878ABEh |
test esi, 00000003h |
jne 00007F7884878A9Dh |
bt edi, 02h |
jnc 00007F788487890Fh |
mov eax, dword ptr [esi] |
sub ecx, 04h |
lea esi, dword ptr [esi+04h] |
mov dword ptr [edi], eax |
lea edi, dword ptr [edi+04h] |
bt edi, 03h |
jnc 00007F7884878913h |
movq xmm1, qword ptr [esi] |
sub ecx, 08h |
lea esi, dword ptr [esi+08h] |
movq qword ptr [edi], xmm1 |
lea edi, dword ptr [edi+08h] |
test esi, 00000007h |
je 00007F7884878965h |
bt esi, 03h |
jnc 00007F78848789B8h |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x2518c | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xed000 | 0x711c | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0xc7000 | 0x2518c | 0x25200 | b836d1ca5c4a5b8458ad473e4a4996e9 | False | 0.8233243897306397 | data | 7.604311053672223 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0xed000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216 |
RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027 |
RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135 |
RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333 |
RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5 |
RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388 |
RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524 |
RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918 |
RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727 |
RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496 |
RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227 |
RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9 |
RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333 |
RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103 |
RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534 |
RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282 |
RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336 |
RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698 |
RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186 |
RT_RCDATA | 0xcf7b8 | 0x1c453 | data | 1.000397253767434 | ||
RT_GROUP_ICON | 0xebc0c | 0x76 | data | English | Great Britain | 0.6610169491525424 |
RT_GROUP_ICON | 0xebc84 | 0x14 | data | English | Great Britain | 1.25 |
RT_GROUP_ICON | 0xebc98 | 0x14 | data | English | Great Britain | 1.15 |
RT_GROUP_ICON | 0xebcac | 0x14 | data | English | Great Britain | 1.25 |
RT_VERSION | 0xebcc0 | 0xdc | data | English | Great Britain | 0.6181818181818182 |
RT_MANIFEST | 0xebd9c | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823 |
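How the two packing indicators in the section and resource tables are computed, and how a practitioner would threshold them, as an added example that is not part of the report. "Entropy (8bit)" is Shannon entropy in bits per byte; for "ZLIB Complexity" this example assumes the ratio of deflate output size to input size, which matches the tables (an incompressible blob lands at or just above 1.0). Read that way, .rsrc is the only section above 7.0 bits per byte, and the 0x1c453-byte RT_RCDATA resource has a complexity of 1.0004, so that resource is already compressed or encrypted. That is consistent with the Win32.Trojan.AutoitInject verdict above, since a compiled AutoIt stub carries its script as an opaque RCDATA resource, but the report does not show the decoded contents, so it remains inference. Two caveats on the tables themselves: the libmagic labels "OpenPGP Public Key" on .rdata and "Matlab v4 mat-file" on an RT_STRING resource are signature coincidences on arbitrary bytes, not real file types, and the .data virtual size exceeding its raw size is ordinary zero-initialised data, not a packing sign. The section rows are copied from the table above as constructed input; the pseudo-random and repetitive blobs stand in for encrypted and plaintext content.

```python
import math
import random
import zlib

# Constructed input: the five rows of the report's section table, verbatim.
SECTION_TABLE = """\
.text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0xc7000 | 0x2518c | 0x25200 | b836d1ca5c4a5b8458ad473e4a4996e9 | False | 0.8233243897306397 | data | 7.604311053672223 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0xed000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
"""


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes.
    This is the 'Entropy (8bit)' figure in the tables."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """Assumed definition of 'ZLIB Complexity': deflate output size / input size.
    Code and text compress well (well below 1.0); already-compressed or
    encrypted bytes do not (about 1.0 or slightly above)."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def flag_sections(table: str, entropy_threshold: float = 7.0):
    """Parse section rows in the report's column order and return
    [(name, [reasons])] for sections that look packed or self-modifying."""
    flagged = []
    for line in table.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 10 or not cols[0].startswith("."):
            continue
        name, entropy, characteristics = cols[0], float(cols[8]), cols[9]
        reasons = []
        if entropy >= entropy_threshold:
            reasons.append(f"entropy {entropy:.2f}")
        if "IMAGE_SCN_MEM_EXECUTE" in characteristics and "IMAGE_SCN_MEM_WRITE" in characteristics:
            reasons.append("writable+executable")
        if reasons:
            flagged.append((name, reasons))
    return flagged


def classify_blob(data: bytes, entropy_threshold: float = 7.0,
                  complexity_threshold: float = 0.95) -> str:
    """'opaque' when both indicators say the bytes are compressed or encrypted,
    otherwise 'plain'. Using both avoids flagging large but compressible tables."""
    opaque = (shannon_entropy(data) >= entropy_threshold
              and zlib_complexity(data) >= complexity_threshold)
    return "opaque" if opaque else "plain"


def demo_blobs():
    """Constructed stand-ins: a deterministic pseudo-random blob for an encrypted
    payload, and repeated DOS-stub text for ordinary section content."""
    rng = random.Random(1)
    encrypted_like = bytes(rng.getrandbits(8) for _ in range(4096))
    plain_like = b"This program cannot be run in DOS mode.\r\n" * 100
    return {"encrypted_like": classify_blob(encrypted_like),
            "plain_like": classify_blob(plain_like)}


if __name__ == "__main__":
    print(flag_sections(SECTION_TABLE))
    print(demo_blobs())
```

At the default 7.0 threshold only .rsrc is flagged; lowering it to 6.7 also picks up .reloc, whose 6.78 comes from densely packed relocation entries rather than from encryption, which is why the entropy figure alone is a triage hint and the resource-level ZLIB figure is the better pointer to the embedded payload.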
DLL | Import |
---|---|
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect |
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW |
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW |
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create |
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W |
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW |
PSAPI.DLL | GetProcessMemoryInfo |
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho |
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW |
UxTheme.dll | IsThemeActive |
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, 
IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA |
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, 
CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW |
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath |
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW |
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW |
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish |
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity |
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit |
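Capability tagging from the import table, as an added example that is not part of the report. The capability map is this example's own assumption, not the report's taxonomy, and the input is an abbreviated excerpt of the import rows above in the same "DLL | func, func, ... |" format. The caveat that makes the result useful: every function matched here is also imported by the stock AutoIt3 runtime to back its built-ins (BlockInput, keyboard and mouse simulation, process memory access, Shutdown, RunAs, Ping, volume control), and the Win32.Trojan.AutoitInject verdict above says this is a compiled AutoIt executable. The tags therefore describe the interpreter, not the embedded script; until the script is extracted from the resource section, the import table says what the sample could do, not what it does.

```python
# Capability map: this example's own assumption, not the report's taxonomy.
CAPABILITIES = {
    "process-injection": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                          "ReadProcessMemory", "CreateThread"},
    "keylogging": {"GetAsyncKeyState", "GetKeyState", "GetKeyboardState",
                   "SetKeyboardState", "MapVirtualKeyW"},
    "input-simulation": {"keybd_event", "mouse_event", "SendInput"},
    "clipboard-access": {"OpenClipboard", "GetClipboardData", "SetClipboardData"},
    "input-blocking": {"BlockInput"},
    "token-manipulation": {"AdjustTokenPrivileges", "OpenProcessToken", "DuplicateTokenEx",
                           "CreateProcessAsUserW", "CreateProcessWithLogonW"},
    "system-shutdown": {"ExitWindowsEx", "InitiateSystemShutdownExW", "SetSystemPowerState"},
    "network": {"connect", "send", "recv", "gethostbyname", "InternetOpenUrlW",
                "HttpSendRequestW", "FtpOpenFileW"},
    "anti-debug": {"IsDebuggerPresent"},
}

# Constructed input: an abbreviated excerpt of the import table above.
IMPORT_TABLE = """\
WSOCK32.dll | WSACleanup, socket, recv, send, connect, gethostbyname, closesocket |
WININET.dll | InternetOpenW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, InternetOpenUrlW, InternetReadFile |
KERNEL32.dll | OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateThread, CreateProcessW, IsDebuggerPresent, SetSystemPowerState, Sleep |
USER32.dll | GetAsyncKeyState, GetKeyState, GetKeyboardState, SetKeyboardState, MapVirtualKeyW, BlockInput, OpenClipboard, GetClipboardData, SetClipboardData, ExitWindowsEx, keybd_event, mouse_event, SendInput |
ADVAPI32.dll | AdjustTokenPrivileges, OpenProcessToken, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitiateSystemShutdownExW, RegSetValueExW |
"""


def parse_imports(table: str) -> dict:
    """'DLL | a, b, c |' rows -> {dll: {function names}}."""
    imports = {}
    for line in table.splitlines():
        dll, sep, funcs = line.partition(" | ")
        if not sep:
            continue
        imports[dll.strip()] = {f.strip() for f in funcs.rstrip("| ").split(",") if f.strip()}
    return imports


def tag_capabilities(imports: dict, min_hits: int = 2) -> dict:
    """{capability: sorted matched imports} for each capability whose indicator
    functions are present at least min_hits times (or all of them, if fewer).
    Requiring two hits keeps a lone OpenProcess or CreateThread from scoring."""
    present = set().union(*imports.values()) if imports else set()
    tags = {}
    for capability, indicators in CAPABILITIES.items():
        hits = sorted(indicators & present)
        if hits and len(hits) >= min(min_hits, len(indicators)):
            tags[capability] = hits
    return tags


if __name__ == "__main__":
    for capability, hits in tag_capabilities(parse_imports(IMPORT_TABLE)).items():
        print(f"{capability}: {', '.join(hits)}")
```

Run on the excerpt, every capability in the map fires, which is exactly the AutoIt-runtime effect described above: the same function would give the same answer for a harmless compiled AutoIt script. Pair it with the resource-entropy check and with the dynamic evidence in this report (the self-copy, the Startup-folder script, the 4449/tcp beacon) rather than reading it on its own.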
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | Great Britain |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 10, 2025 20:30:10.581687927 CET | 49226 | 53 | 192.168.2.6 | 1.1.1.1 |
Jan 10, 2025 20:30:10.586601973 CET | 53 | 49226 | 1.1.1.1 | 192.168.2.6 |
Jan 10, 2025 20:30:10.587414980 CET | 49226 | 53 | 192.168.2.6 | 1.1.1.1 |
Jan 10, 2025 20:30:10.595792055 CET | 53 | 49226 | 1.1.1.1 | 192.168.2.6 |
Jan 10, 2025 20:30:10.646583080 CET | 49227 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:10.651451111 CET | 4449 | 49227 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:10.651588917 CET | 49227 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:10.677690029 CET | 49227 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:10.682715893 CET | 4449 | 49227 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:11.060051918 CET | 49226 | 53 | 192.168.2.6 | 1.1.1.1 |
Jan 10, 2025 20:30:11.065068007 CET | 53 | 49226 | 1.1.1.1 | 192.168.2.6 |
Jan 10, 2025 20:30:11.065176010 CET | 49226 | 53 | 192.168.2.6 | 1.1.1.1 |
Jan 10, 2025 20:30:12.233629942 CET | 4449 | 49227 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:12.233712912 CET | 49227 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:15.256025076 CET | 49227 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:15.260835886 CET | 4449 | 49227 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:15.264694929 CET | 49254 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:15.269548893 CET | 4449 | 49254 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:15.269618034 CET | 49254 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:15.269902945 CET | 49254 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:15.274852991 CET | 4449 | 49254 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:16.893707037 CET | 4449 | 49254 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:16.894589901 CET | 49254 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:19.911648989 CET | 49254 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:19.912029982 CET | 49284 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:19.916532993 CET | 4449 | 49254 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:19.916894913 CET | 4449 | 49284 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:19.916979074 CET | 49284 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:19.917290926 CET | 49284 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:19.922146082 CET | 4449 | 49284 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:21.536604881 CET | 4449 | 49284 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:21.536729097 CET | 49284 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:24.635515928 CET | 49284 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:24.635988951 CET | 49312 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:24.640446901 CET | 4449 | 49284 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:24.640953064 CET | 4449 | 49312 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:24.641208887 CET | 49312 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:24.641640902 CET | 49312 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:24.646439075 CET | 4449 | 49312 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:26.287652016 CET | 4449 | 49312 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:26.287765026 CET | 49312 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:29.302289963 CET | 49312 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:29.302891016 CET | 49344 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:29.307097912 CET | 4449 | 49312 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:29.307662964 CET | 4449 | 49344 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:29.307730913 CET | 49344 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:29.308056116 CET | 49344 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:29.312871933 CET | 4449 | 49344 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:30.927068949 CET | 4449 | 49344 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:30.927172899 CET | 49344 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:33.942390919 CET | 49344 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:33.942745924 CET | 49377 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:33.948452950 CET | 4449 | 49344 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:33.948863983 CET | 4449 | 49377 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:33.948935032 CET | 49377 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:33.949210882 CET | 49377 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:33.955256939 CET | 4449 | 49377 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:35.565853119 CET | 4449 | 49377 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:35.565917015 CET | 49377 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:38.584695101 CET | 49377 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:38.585071087 CET | 49406 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:38.589545965 CET | 4449 | 49377 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:38.589874983 CET | 4449 | 49406 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:38.589945078 CET | 49406 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:38.590395927 CET | 49406 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:38.595118046 CET | 4449 | 49406 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:40.191824913 CET | 4449 | 49406 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:40.191914082 CET | 49406 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:43.209012985 CET | 49406 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:43.209414005 CET | 49426 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:43.214142084 CET | 4449 | 49406 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:43.214315891 CET | 4449 | 49426 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:43.214390039 CET | 49426 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:43.214741945 CET | 49426 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:43.219607115 CET | 4449 | 49426 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:44.833889961 CET | 4449 | 49426 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:44.834012985 CET | 49426 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:47.858757019 CET | 49426 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:47.862082958 CET | 49428 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:47.863754034 CET | 4449 | 49426 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:47.866977930 CET | 4449 | 49428 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:47.867080927 CET | 49428 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:47.874649048 CET | 49428 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:47.879537106 CET | 4449 | 49428 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:49.468280077 CET | 4449 | 49428 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:49.468341112 CET | 49428 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:52.474154949 CET | 49428 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:52.474435091 CET | 49429 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:52.479063988 CET | 4449 | 49428 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:52.479223967 CET | 4449 | 49429 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:52.479296923 CET | 49429 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:52.479695082 CET | 49429 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:52.484450102 CET | 4449 | 49429 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:54.100801945 CET | 4449 | 49429 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:54.100943089 CET | 49429 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:57.114715099 CET | 49429 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:57.115171909 CET | 49430 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:57.119549990 CET | 4449 | 49429 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:57.120002985 CET | 4449 | 49430 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:57.120083094 CET | 49430 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:57.120436907 CET | 49430 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:57.125169992 CET | 4449 | 49430 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:58.722867966 CET | 4449 | 49430 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:58.723017931 CET | 49430 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:01.740966082 CET | 49430 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:01.741501093 CET | 49431 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:01.745816946 CET | 4449 | 49430 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:01.746400118 CET | 4449 | 49431 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:01.746473074 CET | 49431 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:01.747109890 CET | 49431 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:01.751879930 CET | 4449 | 49431 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:03.384295940 CET | 4449 | 49431 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:03.384397984 CET | 49431 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:06.395380974 CET | 49431 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:06.395802021 CET | 49433 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:06.400255919 CET | 4449 | 49431 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:06.400711060 CET | 4449 | 49433 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:06.400803089 CET | 49433 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:06.401196957 CET | 49433 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:06.406044960 CET | 4449 | 49433 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:08.003971100 CET | 4449 | 49433 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:08.004060030 CET | 49433 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:10.710118055 CET | 49433 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:10.710798979 CET | 49434 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:10.714996099 CET | 4449 | 49433 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:10.715682030 CET | 4449 | 49434 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:10.718739033 CET | 49434 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:10.721962929 CET | 49434 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:10.726767063 CET | 4449 | 49434 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:12.334302902 CET | 4449 | 49434 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:12.334419966 CET | 49434 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:14.770319939 CET | 49434 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:14.770694017 CET | 49435 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:14.775433064 CET | 4449 | 49434 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:14.775603056 CET | 4449 | 49435 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:14.775691032 CET | 49435 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:14.776221037 CET | 49435 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:14.781075954 CET | 4449 | 49435 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:16.390799999 CET | 4449 | 49435 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:16.390866995 CET | 49435 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:18.586597919 CET | 49435 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:18.587095022 CET | 49436 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:18.592665911 CET | 4449 | 49435 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:18.593157053 CET | 4449 | 49436 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:18.593252897 CET | 49436 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:18.593780994 CET | 49436 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:18.599773884 CET | 4449 | 49436 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:20.189141989 CET | 4449 | 49436 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:20.189291954 CET | 49436 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:22.160509109 CET | 49436 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:22.160890102 CET | 49437 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:22.165611029 CET | 4449 | 49436 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:22.165781975 CET | 4449 | 49437 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:22.165848017 CET | 49437 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:22.166239023 CET | 49437 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:22.171062946 CET | 4449 | 49437 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:23.853835106 CET | 4449 | 49437 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:23.853959084 CET | 49437 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:25.670587063 CET | 49437 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:25.675379992 CET | 4449 | 49437 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:25.686908007 CET | 49438 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:25.691732883 CET | 4449 | 49438 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:25.691823959 CET | 49438 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:25.694317102 CET | 49438 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:25.699070930 CET | 4449 | 49438 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:27.322768927 CET | 4449 | 49438 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:27.322899103 CET | 49438 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:28.926975012 CET | 49438 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:28.927428961 CET | 49439 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:28.931830883 CET | 4449 | 49438 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:28.932312012 CET | 4449 | 49439 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:28.932406902 CET | 49439 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:28.932792902 CET | 49439 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:28.937583923 CET | 4449 | 49439 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:30.553075075 CET | 4449 | 49439 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:30.553179979 CET | 49439 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:32.005431890 CET | 49439 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:32.005821943 CET | 49440 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:32.010503054 CET | 4449 | 49439 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:32.010636091 CET | 4449 | 49440 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:32.010732889 CET | 49440 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:32.011303902 CET | 49440 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:32.016087055 CET | 4449 | 49440 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:33.633193016 CET | 4449 | 49440 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:33.633353949 CET | 49440 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:34.947156906 CET | 49440 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:34.948295116 CET | 49442 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:34.951936007 CET | 4449 | 49440 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:34.953077078 CET | 4449 | 49442 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:34.953154087 CET | 49442 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:34.953907013 CET | 49442 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:34.958658934 CET | 4449 | 49442 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:36.603173018 CET | 4449 | 49442 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:36.603303909 CET | 49442 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:37.770472050 CET | 49442 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:37.770849943 CET | 49443 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:37.775274992 CET | 4449 | 49442 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:37.775598049 CET | 4449 | 49443 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:37.775665045 CET | 49443 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:37.776006937 CET | 49443 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:37.780810118 CET | 4449 | 49443 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:39.395577908 CET | 4449 | 49443 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:39.395723104 CET | 49443 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:40.458259106 CET | 49443 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:40.458476067 CET | 49444 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:40.463489056 CET | 4449 | 49443 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:40.463532925 CET | 4449 | 49444 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:40.463640928 CET | 49444 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:40.464004993 CET | 49444 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:40.468873978 CET | 4449 | 49444 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:42.083192110 CET | 4449 | 49444 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:42.083262920 CET | 49444 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:43.036384106 CET | 49444 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:43.036741972 CET | 49445 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:43.041273117 CET | 4449 | 49444 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:43.041579962 CET | 4449 | 49445 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:43.041681051 CET | 49445 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:43.042033911 CET | 49445 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:43.046822071 CET | 4449 | 49445 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:44.692723036 CET | 4449 | 49445 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:44.692873955 CET | 49445 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:45.554133892 CET | 49445 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:45.554692984 CET | 49446 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:45.727467060 CET | 4449 | 49445 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:45.727488041 CET | 4449 | 49446 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:45.727607965 CET | 49446 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:45.728009939 CET | 49446 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:45.734617949 CET | 4449 | 49446 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:47.331688881 CET | 4449 | 49446 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:47.331768036 CET | 49446 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:48.098701954 CET | 49446 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:48.099087954 CET | 49447 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:48.104285002 CET | 4449 | 49446 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:48.104899883 CET | 4449 | 49447 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:48.104990005 CET | 49447 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:48.105451107 CET | 49447 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:48.111844063 CET | 4449 | 49447 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:49.708451986 CET | 4449 | 49447 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:49.708599091 CET | 49447 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:50.411839962 CET | 49447 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:50.412347078 CET | 49448 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:50.416691065 CET | 4449 | 49447 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:50.417129040 CET | 4449 | 49448 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:50.417203903 CET | 49448 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:50.417551041 CET | 49448 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:50.422395945 CET | 4449 | 49448 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:52.002183914 CET | 4449 | 49448 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:52.002254963 CET | 49448 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:52.630561113 CET | 49448 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:52.630918026 CET | 49449 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:52.635359049 CET | 4449 | 49448 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:52.635787964 CET | 4449 | 49449 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:52.635931969 CET | 49449 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:52.636416912 CET | 49449 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:52.641185045 CET | 4449 | 49449 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:54.255218983 CET | 4449 | 49449 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:54.255323887 CET | 49449 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:54.960634947 CET | 49449 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:54.961668015 CET | 49450 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:54.965498924 CET | 4449 | 49449 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:54.966485977 CET | 4449 | 49450 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:54.966547966 CET | 49450 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:54.971064091 CET | 49450 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:54.975872040 CET | 4449 | 49450 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:56.566003084 CET | 4449 | 49450 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:56.566330910 CET | 49450 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:57.101131916 CET | 49450 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:57.101568937 CET | 49451 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:57.105986118 CET | 4449 | 49450 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:57.106440067 CET | 4449 | 49451 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:57.106502056 CET | 49451 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:57.106818914 CET | 49451 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:31:57.111601114 CET | 4449 | 49451 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:58.725852966 CET | 4449 | 49451 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:31:58.725919962 CET | 49451 | 4449 | 192.168.2.6 | 87.120.120.15 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 10, 2025 20:30:10.578831911 CET | 53 | 60273 | 1.1.1.1 | 192.168.2.6 |
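What the TCP table above shows, once the server replies are folded away, is one fresh client connection to 87.120.120.15:4449 roughly every 4.6 seconds, each from a new ephemeral source port: a check-in loop rather than one long-lived session. The following is an added example, not Joe Sandbox code, that turns that observation into a connection-log check. The rows in SAMPLE_ROWS are copied from the table above (the first packet of each new connection, two server replies and the single DNS exchange); the parser, the "lower port is the service" direction heuristic and the jitter score are my own assumptions.

```python
"""Beacon-interval check over the TCP connection rows from the report above.

Added example; not Joe Sandbox code. SAMPLE_ROWS is copied from the report's
packet table (one row per packet: timestamp, source port, destination port,
source IP, destination IP). Parser, direction heuristic and scoring are mine.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Copied from the report's TCP table: the first packet of each new client connection
# to 87.120.120.15:4449, two server replies, and the single DNS exchange with 1.1.1.1.
SAMPLE_ROWS = """\
Jan 10, 2025 20:30:10.651588917 CET | 49227 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:10.682715893 CET | 4449 | 49227 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:11.060051918 CET | 49226 | 53 | 192.168.2.6 | 1.1.1.1 |
Jan 10, 2025 20:30:11.065068007 CET | 53 | 49226 | 1.1.1.1 | 192.168.2.6 |
Jan 10, 2025 20:30:15.264694929 CET | 49254 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:15.269548893 CET | 4449 | 49254 | 87.120.120.15 | 192.168.2.6 |
Jan 10, 2025 20:30:19.912029982 CET | 49284 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:24.635988951 CET | 49312 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:29.302891016 CET | 49344 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:33.942745924 CET | 49377 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:38.585071087 CET | 49406 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:43.209414005 CET | 49426 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:47.862082958 CET | 49428 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:52.474435091 CET | 49429 | 4449 | 192.168.2.6 | 87.120.120.15 |
Jan 10, 2025 20:30:57.115171909 CET | 49430 | 4449 | 192.168.2.6 | 87.120.120.15 |
"""

EPOCH = datetime(1970, 1, 1)


def parse_ts(text):
    """'Jan 10, 2025 20:30:10.651588917 CET' -> seconds as a float.

    strptime's %f accepts at most six fractional digits, so the nanosecond
    fraction is split off and added by hand. The zone suffix is dropped; every
    row carries the same zone, so differences between rows are unaffected.
    """
    stamp = text.rsplit(" ", 1)[0]                  # drop "CET"
    whole, _, frac = stamp.partition(".")
    dt = datetime.strptime(whole, "%b %d, %Y %H:%M:%S")
    return (dt - EPOCH).total_seconds() + int(frac.ljust(9, "0")[:9]) / 1e9


def parse_rows(text):
    """Each table row -> (seconds, src_port, dst_port, src_ip, dst_ip)."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = [c.strip() for c in line.strip().strip("|").split("|")]
        ts, sport, dport, sip, dip = cols
        packets.append((parse_ts(ts), int(sport), int(dport), sip, dip))
    return packets


def connection_starts(packets):
    """First-seen time of every TCP connection, grouped by service endpoint.

    Direction heuristic (my assumption, not something the report states): the
    side with the lower port number is the service. That folds a connection's
    client packets and server replies onto one key and groups by (ip, port).
    """
    first_seen = {}
    for ts, sport, dport, sip, dip in packets:
        if dport < sport:
            client, service = (sip, sport), (dip, dport)
        else:
            client, service = (dip, dport), (sip, sport)
        key = (client, service)
        first_seen[key] = min(ts, first_seen.get(key, ts))
    by_service = defaultdict(list)
    for (_, service), ts in first_seen.items():
        by_service[service].append(ts)
    return {svc: sorted(times) for svc, times in by_service.items()}


def find_beacons(by_service, min_connections=5, max_jitter=0.25):
    """Services reached by repeated fresh connections at a near-constant interval.

    Returns {(ip, port): (median_gap_seconds, jitter)}; jitter is the population
    stddev of the inter-connection gaps divided by their median. Many connections
    with low jitter is the beaconing signature. A service seen fewer than
    min_connections times is not scored, which is what keeps the DNS row out.
    """
    hits = {}
    for service, times in by_service.items():
        if len(times) < min_connections:
            continue
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        med = median(gaps)
        jitter = pstdev(gaps) / med if med > 0 else float("inf")
        if jitter <= max_jitter:
            hits[service] = (med, jitter)
    return hits


if __name__ == "__main__":
    starts = connection_starts(parse_rows(SAMPLE_ROWS))
    for (ip, port), (gap, jitter) in find_beacons(starts).items():
        print(f"{ip}:{port}: {len(starts[(ip, port)])} connections, "
              f"median gap {gap:.2f}s, jitter {jitter:.3f}")
```

On the rows above this reports 11 connections to 87.120.120.15:4449 with a median gap of about 4.64 s and jitter under 0.01. The check only works because each check-in is a new TCP connection; a RAT that holds one session open would need per-packet timing or byte-count analysis instead, and a real deployment should lengthen the window and raise min_connections so that ordinary keep-alive traffic does not score.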
Target ID: | 0 |
Start time: | 14:29:50 |
Start date: | 10/01/2025 |
Path: | C:\Users\user\Desktop\QwMcsmYcxv.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xfd0000 |
File size: | 973'312 bytes |
MD5 hash: | A8A4AA9C047894582F100213370DA8DE |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 2 |
Start time: | 14:29:52 |
Start date: | 10/01/2025 |
Path: | C:\Users\user\AppData\Local\savagenesses\vitrailist.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xfb0000 |
File size: | 973'312 bytes |
MD5 hash: | A8A4AA9C047894582F100213370DA8DE |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Antivirus matches: | |
Reputation: | low |
Has exited: | true |
Target ID: | 3 |
Start time: | 14:29:56 |
Start date: | 10/01/2025 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x40000 |
File size: | 45'984 bytes |
MD5 hash: | 9D352BC46709F0CB5EC974633A0C3C94 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |
Target ID: | 5 |
Start time: | 14:30:06 |
Start date: | 10/01/2025 |
Path: | C:\Windows\System32\wscript.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7fd5b0000 |
File size: | 170'496 bytes |
MD5 hash: | A47CBE969EA935BDD3AB568BB126BC80 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 6 |
Start time: | 14:30:07 |
Start date: | 10/01/2025 |
Path: | C:\Users\user\AppData\Local\savagenesses\vitrailist.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xfb0000 |
File size: | 973'312 bytes |
MD5 hash: | A8A4AA9C047894582F100213370DA8DE |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | true |
Target ID: | 7 |
Start time: | 14:30:11 |
Start date: | 10/01/2025 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xff0000 |
File size: | 45'984 bytes |
MD5 hash: | 9D352BC46709F0CB5EC974633A0C3C94 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | high |
Has exited: | true |
Execution Graph
Execution Coverage: | 3.3% |
Dynamic/Decrypted Code Coverage: | 0.4% |
Signature Coverage: | 7% |
Total number of Nodes: | 2000 |
Total number of Limit Nodes: | 61 |
Graph
Per-function details (control-flow graph, API list, strings, memory dump source, similarity) are not reproduced in this export; only the summary line of each function is kept. The listing is cut off after the last entry.

Function | Relevance | APIs | Strings | Instructions | Tags
---|---|---|---|---|---
00FD3B3A | 17.7 | 8 | 2 | 153 | window, COMMON
00FD49A0 | 10.7 | 7 | | 223 | COMMON
00FDFCE0 | 5.5 | 3 | | 1040 | COMMON
0103445A | 4.5 | 3 | | 25 | file, COMMON
00FDE6A0 | 2.4 | | 1 | 1102 | COMMON
00FE09D0 | 57.3 | 27 | 5 | 1300 | window, sleep, time, COMMON
01039155 | 19.8 | 13 | | 322 | file, COMMON
00FD301C | 19.3 | 7 | 4 | 73 | window, registry, COMMON
00FD3041 | 19.3 | 7 | 4 | 54 | window, registry, COMMON
00FD708B | 17.7 | 6 | 4 | 201 | registry, COMMON
00FD3A46 | 17.6 | 7 | 3 | 71 | window, registry, COMMON
00FD3633 | 15.9 | 8 | 1 | 151 | window, time, registry, COMMON
012E7790 | 10.7 | 7 | | 151 | file, COMMON
00FD407C | 8.8 | 4 | 1 | 88 | window, COMMON
012E9270 | 7.1 | 3 | 1 | 140 | file, COMMON
00FD35B0 | 7.1 | 3 | 1 | 59 | registry, COMMON
0103955B | 6.2 | 4 | | 155 | COMMON
00FF470A | 6.1 | 4 | | 136 | COMMON
012E7E70 | 5.3 | 2 | 1 | 41 | process, COMMON
0104CADD | 4.9 | 3 | | 392 | COMMON
00FDF76F | 4.7 | 3 | | 168 | com, COMMON
00FD434A | 4.6 | 3 | | 77 | window, COMMON
00FF571C | 4.6 | 3 | | 59 | memory, COMMON, LIBRARYCODE
01038D0D | 4.5 | 3 | | 22 | COMMON
00FD47D0 | 3.1 | 2 | | 59 | COMMON
012E7EE0 | 1.7 | 1 | | 175 | COMMON
00FF0C08 | 1.6 | 1 | | 94 | memory, COMMON
0100FCAC | 1.6 | 1 | | 88 | COMMON
00FD4DDD | 1.6 | 1 | | 64 | library, COMMON
0100FD85 | 1.6 | 1 | | 63 | COMMON
00FF072A | 1.5 | 1 | | 45 | COMMON
00FF4863 | 1.5 | 1 | | 36 | COMMON
00FD4E4A | 1.5 | 1 | | 28 | COMMON
00FF0791 | 1.5 | 1 | | 24 | COMMON
01038E9F | 1.5 | 1 | | 22 | COMMON
012E7750 | 1.5 | 1 | | 20 | COMMON
012E7720 | 1.5 | 1 | | 15 | COMMON
00FF525B | 1.5 | 1 | | 9 | COMMON
012E915C | 1.3 | 1 | | 21 | sleep, COMMON
012E9160 | 1.3 | 1 | | 18 | sleep, COMMON
0105CABC | 74.1 | 40 | 2 | 632 | window, keyboard, COMMON
01057DDB | 60.1 | 33 | 1 | 571 | window, COMMON
00FD48D7 | 43.9 | 24 | 1 | 131 | keyboard, thread, window, COMMON
0103C75C | 28.3 | 13 | 3 | 280 | time, file, COMMON
0103EF95 | 28.1 | 15 | 1 | 119 | file, COMMON
01050857 | 26.7 | 9 | 6 | 477 | registry, COMMON
0103F0F2 | 24.6 | 13 | 1 | 112 | file, COMMON
0103A1EF | 22.9 | 10 | 3 | 102 | file, COMMON
00FE66E1 | 18.4 | | 14 | 889 | COMMON
01044164 | 15.1 | 10 | | 83 | clipboard, memory, COMMON
010337EF | 14.2 | 7 | 1 | 167 | file, COMMON
0103F3F3 | 12.4 | 6 | 1 | 120 | file, sleep, COMMON
00FE5760 | 11.0 | 7 | | 532 | COMMON
01033B12 | 10.6 | 5 | 1 | 91 | file, COMMON
010351BD | 10.6 | 3 | 3 | 59 | shutdown, COMMON
01046283 | 9.1 | 6 | | 84 | network, COMMON
|
Similarity |
|
Function 00FE5520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00FD1287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01055376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0102810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00FD4B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00FE3030 Relevance: 6.6, APIs: 4, Instructions: 587COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0102E616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0103B333 Relevance: 4.6, APIs: 3, Instructions: 73COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 010287E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0102874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0103C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0103A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 010281CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00FFF1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0100242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01038889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01034C27 Relevance: 1.5, APIs: 1, Instructions: 24COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 010287B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00FFA124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00FE8808 Relevance: .6, Instructions: 590COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00FF21C5 Relevance: .3, Instructions: 345COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00FF25FA Relevance: .3, Instructions: 341COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00FF1D90 Relevance: .3, Instructions: 331COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00FF1978 Relevance: .3, Instructions: 323COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01047806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0105356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0105A5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 010474AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01059A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 010589D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0105488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00FD27D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01053DE2 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0102A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01044FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0105A1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0105C5FE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01037D1A Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 378timeCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01054392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0105B7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0103DC1A Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0102F8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0105C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0104731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 010277DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0102F7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 010346B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01034F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0103D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0102C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00FD201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00FD21A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01057152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 010574BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00FF6E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 010483BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01045732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01028F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0102907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01029163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 010488AB Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01037990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00FDFA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00FD2E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01041A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01048C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01058645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0102966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01056D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01032F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 010342F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00FD2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 010370C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 010561D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0102BBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00FD1424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 010355FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01033671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01057291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 010562CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0102DAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0102DBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 010575CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00FF9AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00FF406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00FD1DB3 Relevance: 9.3, APIs: 6, Instructions: 254COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 010364B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01055799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0102EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0103220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00FD1765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0105B69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0104709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01028879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 010285B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0102B790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01037230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01028992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01032A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0102D56C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01032753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01028E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0104182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 010563E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01036D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01036E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0104EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0103E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0105A056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 010263AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0102B1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0105B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01029307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01045A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00FD12F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01034A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01028202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0102710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01035244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 010280A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00FD13B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 010297F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 010573D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01057B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01056CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0105770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00FD4C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01050DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00FD4C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 010490E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0102717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0104E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01048093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01027530 Relevance: 6.2, APIs: 4, Instructions: 231COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0102687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 010597F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01029A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0104641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0103B7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01058851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0105AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01054EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01033C55 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0105C498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
01028656 | 6.1 | 4 | - | 79 | memory, COMMON |
00FF098C | 6.1 | 4 | - | 79 | COMMON |
01041767 | 6.1 | 4 | - | 78 | network, COMMON |
01033A2A | 6.1 | 4 | - | 78 | COMMON |
01055D11 | 6.1 | 4 | - | 69 | COMMON |
01046369 | 6.1 | 4 | - | 61 | network, COMMON |
01028B41 | 6.1 | 4 | - | 59 | window, COMMON |
00FD1290 | 6.1 | 4 | - | 59 | COMMON |
01031142 | 6.1 | 4 | - | 51 | sleep, COMMON |
0105B2C5 | 6.0 | 4 | - | 47 | COMMON |
0105B635 | 6.0 | 4 | - | 40 | process, COMMON |
01036BDA | 6.0 | 4 | - | 33 | COMMON |
0105BD1C | 6.0 | 4 | - | 31 | COMMON |
00FD2218 | 6.0 | 4 | - | 23 | COMMON |
01028712 | 6.0 | 4 | - | 23 | thread, COMMON |
01011D5D | 6.0 | 4 | - | 20 | COMMON |
01011D71 | 6.0 | 4 | - | 19 | COMMON |
00FF5DAC | 6.0 | 4 | - | 14 | thread, COMMON |
0103AFAC | 5.5 | 2 | 1 | 201 | share, COMMON |
00FE2957 | 5.4 | 2 | 1 | 144 | sleep, COMMON |
0104258E | 5.3 | 2 | 1 | 97 | network, COMMON |
01057A71 | 5.3 | 2 | 1 | 97 | window, COMMON |
010328A2 | 5.3 | 2 | 1 | 88 | window, COMMON |
010566D4 | 5.3 | 2 | 1 | 72 | window, COMMON |
01056920 | 5.3 | 2 | 1 | 64 | window, COMMON |
010329AF | 5.3 | 2 | 1 | 63 | window, COMMON |
010421D6 | 5.3 | 2 | 1 | 62 | network, COMMON |
01047D8B | 5.3 | 2 | 1 | 55 | network, COMMON |
01028E05 | 5.3 | 1 | 2 | 52 | window, COMMON |
01028CFD | 5.3 | 1 | 2 | 50 | window, COMMON |
01028D82 | 5.3 | 1 | 2 | 49 | window, COMMON |
01055964 | 5.3 | 2 | 1 | 15 | window, COMMON |
01055998 | 5.3 | 2 | 1 | 15 | window, COMMON |