Edit tour
Windows
Analysis Report
2NJzy3tiny.exe
Overview
General Information
| Sample name: | 2NJzy3tiny.exerenamed because original name is a hash value |
| Original sample name: | d0cc8030e79953557d7a28af708b2049f2b226fb5f8c857ade629becc1deb182.exe |
| Analysis ID: | 1588304 |
| MD5: | 2cd4ad6cec0f7ee2bc74b42753d03645 |
| SHA1: | cac0ff491afab77b6a3a4ff28b65e988c00b5358 |
| SHA256: | d0cc8030e79953557d7a28af708b2049f2b226fb5f8c857ade629becc1deb182 |
| Tags: | exeMassLoggeruser-adrian__luca |
| Infos: |  |
 | |
Detection
MassLogger RAT
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected MassLogger RAT
Yara detected Telegram RAT
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
2NJzy3tiny.exe (PID: 1240 cmdline: "C:\Users\ user\Deskt op\2NJzy3t iny.exe" MD5: 2CD4AD6CEC0F7EE2BC74B42753D03645) 
RegSvcs.exe (PID: 7280 cmdline: "C:\Users\ user\Deskt op\2NJzy3t iny.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
- cleanup
{"C2 url": "https://api.telegram.org/bot8138619732:AAH290KzTAyIxOODoUHLupo_iFgT4CfKzAM/sendMessage"}{"EXfil Mode": "Telegram", "Telegram Token": "8138619732:AAH290KzTAyIxOODoUHLupo_iFgT4CfKzAM", "Telegram Chatid": "7455776561"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | ||
| Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown |
| |
| MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth |
| |
| Click to see the 15 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | ||
| Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown |
| |
| MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth |
| |
| Click to see the 10 entries | ||||
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-10T23:46:11.253496+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49732 | 149.154.167.220 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-10T23:46:01.526747+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49699 | 193.122.6.168 | 80 | TCP |
| 2025-01-10T23:46:09.948698+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49699 | 193.122.6.168 | 80 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-10T23:46:10.839573+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.7 | 49732 | 149.154.167.220 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
Location Tracking | |
|---|
| Source: | DNS query: | ||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 2_2_000F445A | |
| Source: | Code function: | 2_2_000FC6D1 | |
| Source: | Code function: | 2_2_000FC75C | |
| Source: | Code function: | 2_2_000FEF95 | |
| Source: | Code function: | 2_2_000FF0F2 | |
| Source: | Code function: | 2_2_000FF3F3 | |
| Source: | Code function: | 2_2_000F37EF | |
| Source: | Code function: | 2_2_000F3B12 | |
| Source: | Code function: | 2_2_000FBCBC | |
| Source: | Code function: | 5_2_053EE168 | |
| Source: | Code function: | 5_2_053EC010 | |
| Source: | Code function: | 5_2_053E05F0 | |
| Source: | Code function: | 5_2_053EE5C0 | |
| Source: | Code function: | 5_2_053ED460 | |
| Source: | Code function: | 5_2_053EB760 | |
| Source: | Code function: | 5_2_053E0600 | |
| Source: | Code function: | 5_2_053E0040 | |
| Source: | Code function: | 5_2_053EB308 | |
| Source: | Code function: | 5_2_053EDD10 | |
| Source: | Code function: | 5_2_053EAEB0 | |
| Source: | Code function: | 5_2_053E0947 | |
| Source: | Code function: | 5_2_053ED8B8 | |
| Source: | Code function: | 5_2_053EBBB8 | |
| Source: | Code function: | 5_2_053EEA18 | |
| Source: | Code function: | 5_2_053EAA58 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | JA3 fingerprint: | ||
| Source: | JA3 fingerprint: | ||
| Source: | DNS query: | ||
| Source: | DNS query: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 2_2_001022EE | |
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 2_2_00104164 | |
| Source: | Code function: | 2_2_00104164 | |
| Source: | Code function: | 2_2_00103F66 | |
| Source: | Code function: | 2_2_000F001C | |
| Source: | Code function: | 2_2_0011CABC | |
System Summary | |
|---|
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Code function: | 2_2_00093B3A | |
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | memstr_1ead78db-4 | |
| Source: | String found in binary or memory: | memstr_071f5945-2 | |
| Source: | String found in binary or memory: | memstr_2f38e062-8 | |
| Source: | String found in binary or memory: | memstr_9f0a85de-5 | |
| Source: | Code function: | 2_2_000FA1EF | |
| Source: | Code function: | 2_2_000E8310 | |
| Source: | Code function: | 2_2_000F51BD | |
| Source: | Code function: | 2_2_0009E6A0 | |
| Source: | Code function: | 2_2_000BD975 | |
| Source: | Code function: | 2_2_0009FCE0 | |
| Source: | Code function: | 2_2_000B21C5 | |
| Source: | Code function: | 2_2_000C62D2 | |
| Source: | Code function: | 2_2_001103DA | |
| Source: | Code function: | 2_2_000C242E | |
| Source: | Code function: | 2_2_000B25FA | |
| Source: | Code function: | 2_2_000EE616 | |
| Source: | Code function: | 2_2_000A66E1 | |
| Source: | Code function: | 2_2_000C878F | |
| Source: | Code function: | 2_2_000A8808 | |
| Source: | Code function: | 2_2_00110857 | |
| Source: | Code function: | 2_2_000C6844 | |
| Source: | Code function: | 2_2_000F8889 | |
| Source: | Code function: | 2_2_000BCB21 | |
| Source: | Code function: | 2_2_000C6DB6 | |
| Source: | Code function: | 2_2_000A6F9E | |
| Source: | Code function: | 2_2_000A3030 | |
| Source: | Code function: | 2_2_000B3187 | |
| Source: | Code function: | 2_2_000BF1D9 | |
| Source: | Code function: | 2_2_00091287 | |
| Source: | Code function: | 2_2_000B1484 | |
| Source: | Code function: | 2_2_000A5520 | |
| Source: | Code function: | 2_2_000B7696 | |
| Source: | Code function: | 2_2_000A5760 | |
| Source: | Code function: | 2_2_000B1978 | |
| Source: | Code function: | 2_2_000C9AB5 | |
| Source: | Code function: | 2_2_000B1D90 | |
| Source: | Code function: | 2_2_000BBDA6 | |
| Source: | Code function: | 2_2_00117DDB | |
| Source: | Code function: | 2_2_0009DF00 | |
| Source: | Code function: | 2_2_000A3FE0 | |
| Source: | Code function: | 2_2_01876270 | |
| Source: | Code function: | 5_2_00B54328 | |
| Source: | Code function: | 5_2_00B527B9 | |
| Source: | Code function: | 5_2_00B58DA0 | |
| Source: | Code function: | 5_2_00B52DD1 | |
| Source: | Code function: | 5_2_00B55968 | |
| Source: | Code function: | 5_2_00B55F90 | |
| Source: | Code function: | 5_2_053EC668 | |
| Source: | Code function: | 5_2_053EE168 | |
| Source: | Code function: | 5_2_053EC010 | |
| Source: | Code function: | 5_2_053E7210 | |
| Source: | Code function: | 5_2_053E2CF0 | |
| Source: | Code function: | 5_2_053EEE70 | |
| Source: | Code function: | 5_2_053E78E0 | |
| Source: | Code function: | 5_2_053EE5B0 | |
| Source: | Code function: | 5_2_053EE5C0 | |
| Source: | Code function: | 5_2_053ED460 | |
| Source: | Code function: | 5_2_053ED450 | |
| Source: | Code function: | 5_2_053EB760 | |
| Source: | Code function: | 5_2_053EB750 | |
| Source: | Code function: | 5_2_053EC658 | |
| Source: | Code function: | 5_2_053EE158 | |
| Source: | Code function: | 5_2_053E001A | |
| Source: | Code function: | 5_2_053EC001 | |
| Source: | Code function: | 5_2_053E0040 | |
| Source: | Code function: | 5_2_053EB308 | |
| Source: | Code function: | 5_2_053E6393 | |
| Source: | Code function: | 5_2_053EB2F9 | |
| Source: | Code function: | 5_2_053EDD10 | |
| Source: | Code function: | 5_2_053EDD00 | |
| Source: | Code function: | 5_2_053E2CE1 | |
| Source: | Code function: | 5_2_053E6FF0 | |
| Source: | Code function: | 5_2_053EEE60 | |
| Source: | Code function: | 5_2_053EAEB0 | |
| Source: | Code function: | 5_2_053EAEA1 | |
| Source: | Code function: | 5_2_053E787E | |
| Source: | Code function: | 5_2_053E6868 | |
| Source: | Code function: | 5_2_053E6858 | |
| Source: | Code function: | 5_2_053ED8B8 | |
| Source: | Code function: | 5_2_053ED8A8 | |
| Source: | Code function: | 5_2_053EBBB8 | |
| Source: | Code function: | 5_2_053EBBA8 | |
| Source: | Code function: | 5_2_053EEA18 | |
| Source: | Code function: | 5_2_053EEA09 | |
| Source: | Code function: | 5_2_053EAA58 | |
| Source: | Code function: | 5_2_053EAA49 | |
| Source: | Code function: | 5_2_0623C7B0 | |
| Source: | Code function: | 5_2_06234340 | |
| Source: | Code function: | 5_2_06235E18 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 2_2_000FA06A | |
| Source: | Code function: | 2_2_000E81CB | |
| Source: | Code function: | 2_2_000E87E1 | |
| Source: | Code function: | 2_2_000FB333 | |
| Source: | Code function: | 2_2_0010EE0D | |
| Source: | Code function: | 2_2_000FC397 | |
| Source: | Code function: | 2_2_00094E89 | |
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | ReversingLabs: | ||
| Source: | Virustotal: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 2_2_00094B37 | |
| Source: | Code function: | 2_2_000B8958 | |
| Source: | Code function: | 5_2_00B578E7 | |
| Source: | Code function: | 5_2_00B57BF8 | |
| Source: | Code function: | 5_2_00B57DA8 | |
| Source: | Code function: | 2_2_000948D7 | |
| Source: | Code function: | 2_2_00115376 | |
| Source: | Code function: | 2_2_000B3187 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | API/Special instruction interceptor: | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Evasive API call chain: | graph_2-103571 | ||
| Source: | API coverage: | ||
| Source: | Code function: | 2_2_000F445A | |
| Source: | Code function: | 2_2_000FC6D1 | |
| Source: | Code function: | 2_2_000FC75C | |
| Source: | Code function: | 2_2_000FEF95 | |
| Source: | Code function: | 2_2_000FF0F2 | |
| Source: | Code function: | 2_2_000FF3F3 | |
| Source: | Code function: | 2_2_000F37EF | |
| Source: | Code function: | 2_2_000F3B12 | |
| Source: | Code function: | 2_2_000FBCBC | |
| Source: | Code function: | 2_2_000949A0 | |
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | API call chain: | graph_2-100886 | ||
| Source: | API call chain: | graph_2-101893 | ||
| Source: | Code function: | 5_2_053E7210 | |
| Source: | Code function: | 2_2_00103F09 | |
| Source: | Code function: | 2_2_00093B3A | |
| Source: | Code function: | 2_2_000C5A7C | |
| Source: | Code function: | 2_2_00094B37 | |
| Source: | Code function: | 2_2_01876100 | |
| Source: | Code function: | 2_2_01876160 | |
| Source: | Code function: | 2_2_01874AE0 | |
| Source: | Code function: | 2_2_000E80A9 | |
| Source: | Code function: | 2_2_000BA124 | |
| Source: | Code function: | 2_2_000BA155 | |
| Source: | Memory allocated: | Jump to behavior | ||
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Code function: | 2_2_000E87B1 | |
| Source: | Code function: | 2_2_00093B3A | |
| Source: | Code function: | 2_2_000948D7 | |
| Source: | Code function: | 2_2_000F4C27 | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 2_2_000E7CAF | |
| Source: | Code function: | 2_2_000E874B | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 2_2_000B862B | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 2_2_000C4E87 | |
| Source: | Code function: | 2_2_000D1E06 | |
| Source: | Code function: | 2_2_000C3F3A | |
| Source: | Code function: | 2_2_000949A0 | |
| Source: | Key value queried: | Jump to behavior | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Code function: | 2_2_00106283 | |
| Source: | Code function: | 2_2_00106747 | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 11 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Valid Accounts | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 2 Valid Accounts | 3 Obfuscated Files or Information | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 11 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 21 Access Token Manipulation | 1 DLL Side-Loading | NTDS | 127 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 212 Process Injection | 2 Valid Accounts | LSA Secrets | 131 Security Software Discovery | SSH | 3 Clipboard Data | 14 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Virtualization/Sandbox Evasion | Cached Domain Credentials | 11 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 21 Access Token Manipulation | DCSync | 2 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 212 Process Injection | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 71% | ReversingLabs | Win32.Trojan.AutoitInject | ||
| 53% | Virustotal | Browse | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| reallyfreegeoip.org | 104.21.32.1 | true | false | high | |
| api.telegram.org | 149.154.167.220 | true | false | high | |
| checkip.dyndns.com | 193.122.6.168 | true | false | high | |
| checkip.dyndns.org | unknown | unknown | false | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | high | ||
| false | high | ||
| false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false | |
| 104.21.32.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false | |
| 193.122.6.168 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false |
| Joe Sandbox version: | 42.0.0 Malachite |
| Analysis ID: | 1588304 |
| Start date and time: | 2025-01-10 23:44:58 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 6m 22s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 10 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | 2NJzy3tiny.exerenamed because original name is a hash value |
| Original Sample Name: | d0cc8030e79953557d7a28af708b2049f2b226fb5f8c857ade629becc1deb182.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@3/2@3/3 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212
- Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing disassembly code.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
| Time | Type | Description |
|---|---|---|
| 17:46:09 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 149.154.167.220 | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
| Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse | |||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| 104.21.32.1 | Get hash | malicious | FormBook | Browse |
| |
| Get hash | malicious | CMSBrute | Browse |
| ||
| 193.122.6.168 | Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| |
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| reallyfreegeoip.org | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| |
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse |
| ||
| Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| checkip.dyndns.com | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| |
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse |
| ||
| Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| api.telegram.org | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| |
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| ORACLE-BMC-31898US | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| |
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| TELEGRAMRU | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| |
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| CLOUDFLARENETUS | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| |
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 54328bd36c14bd82ddaa0c04b25ed9ad | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| |
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse |
| ||
| Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| 3b5074b1b5d032e5620f69f9f700ff0e | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| |
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
⊘No context
| Process: | C:\Users\user\Desktop\2NJzy3tiny.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 93696 |
| Entropy (8bit): | 6.831049166843946 |
| Encrypted: | false |
| SSDEEP: | 1536:7T4z3GfZXRlN27Bb95ftvcP9s23llcc+0t6+tzQkPgqOoL3C58L6n7mpSIpHBS:/HhIBbf6PX1mItDS5hCAOhS |
| MD5: | 1D1D441970EB406EED135D759FBE31D5 |
| SHA1: | 01F84ACEF864C44B9D16CA0B1C41F96951C29FE7 |
| SHA-256: | 8104B7A62998D27CD733DB284CCCE4C42FDBB3591696FD638DBED9150986511A |
| SHA-512: | 356FF646D83C9F421DC150504B4AC84D6C1F5517FDD9DB820D715DAFE90D7149BBDB459C99FE28AFB441DC3597481C2AF3932C98538438AB4564F719B8665156 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\2NJzy3tiny.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 69732 |
| Entropy (8bit): | 7.924773296780234 |
| Encrypted: | false |
| SSDEEP: | 1536:VN90j1zk17RfMnb+MCJLDLtxq2hd5jDXylT:Vols7RfUb+LJnhxqO5jDXy5 |
| MD5: | 8A2C6BB3D72A5B6CB6AF3B743223D9A1 |
| SHA1: | A3A66F08D55206FE75B47BC3D15AE38DFACA3F1A |
| SHA-256: | BDB5BA4C44958CC16D26684C3CD05252782F30D2CC7E121E349278D3E43BC5A1 |
| SHA-512: | DC9B2DE0B07CC8259FCDD3EB7F1D7A5252225872E2640F948CB7119ADF9D1448A998B92CCD32F4DDEABA6CD86D5F3C512EA9A9156EA67BF82027B3E44022CCD3 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.911448664995453 |
| TrID: |
|
| File name: | 2NJzy3tiny.exe |
| File size: | 994'304 bytes |
| MD5: | 2cd4ad6cec0f7ee2bc74b42753d03645 |
| SHA1: | cac0ff491afab77b6a3a4ff28b65e988c00b5358 |
| SHA256: | d0cc8030e79953557d7a28af708b2049f2b226fb5f8c857ade629becc1deb182 |
| SHA512: | f5a9ef943dad5bd431050e578620f5bdc8443b913dd55db6973f70c45905f77f7f9d3ba2e8f90c638c237bab6d0a11ae8390087584234a504fcb5cfadf00d606 |
| SSDEEP: | 24576:Iu6J33O0c+JY5UZ+XC0kGso6Fa+CTqfgMFAWY:iu0c++OCvkGs9Fa+CmTY |
| TLSH: | 8B25BE2273DDC360CB669173BF69B3016EBF7C650630B85B2F881D79A960171262D7A3 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}. |
 | |
| Icon Hash: | 0b1888c999ad811f |
| Entrypoint: | 0x427dcd |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x67560802 [Sun Dec 8 20:56:34 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 1 |
| File Version Major: | 5 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 1 |
| Import Hash: | afcdf79be1557326c854b6e20cb900a7 |
| Instruction |
|---|
| call 00007F27A14E2B5Ah |
| jmp 00007F27A14D5924h |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| push edi |
| push esi |
| mov esi, dword ptr [esp+10h] |
| mov ecx, dword ptr [esp+14h] |
| mov edi, dword ptr [esp+0Ch] |
| mov eax, ecx |
| mov edx, ecx |
| add eax, esi |
| cmp edi, esi |
| jbe 00007F27A14D5AAAh |
| cmp edi, eax |
| jc 00007F27A14D5E0Eh |
| bt dword ptr [004C31FCh], 01h |
| jnc 00007F27A14D5AA9h |
| rep movsb |
| jmp 00007F27A14D5DBCh |
| cmp ecx, 00000080h |
| jc 00007F27A14D5C74h |
| mov eax, edi |
| xor eax, esi |
| test eax, 0000000Fh |
| jne 00007F27A14D5AB0h |
| bt dword ptr [004BE324h], 01h |
| jc 00007F27A14D5F80h |
| bt dword ptr [004C31FCh], 00000000h |
| jnc 00007F27A14D5C4Dh |
| test edi, 00000003h |
| jne 00007F27A14D5C5Eh |
| test esi, 00000003h |
| jne 00007F27A14D5C3Dh |
| bt edi, 02h |
| jnc 00007F27A14D5AAFh |
| mov eax, dword ptr [esi] |
| sub ecx, 04h |
| lea esi, dword ptr [esi+04h] |
| mov dword ptr [edi], eax |
| lea edi, dword ptr [edi+04h] |
| bt edi, 03h |
| jnc 00007F27A14D5AB3h |
| movq xmm1, qword ptr [esi] |
| sub ecx, 08h |
| lea esi, dword ptr [esi+08h] |
| movq qword ptr [edi], xmm1 |
| lea edi, dword ptr [edi+08h] |
| test esi, 00000007h |
| je 00007F27A14D5B05h |
| bt esi, 03h |
| jnc 00007F27A14D5B58h |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x2a238 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf2000 | 0x711c | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xc7000 | 0x2a238 | 0x2a400 | 549ba77c18356eeed823b608f692eec1 | False | 0.8793165218195266 | data | 7.733725226014329 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xf2000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xc7458 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216 |
| RT_ICON | 0xc7580 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027 |
| RT_ICON | 0xc76a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135 |
| RT_ICON | 0xc77d0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 60472 x 60472 px/m | English | Great Britain | 0.2639348134152102 |
| RT_MENU | 0xcb9f8 | 0x50 | data | English | Great Britain | 0.9 |
| RT_STRING | 0xcba48 | 0x594 | data | English | Great Britain | 0.3333333333333333 |
| RT_STRING | 0xcbfdc | 0x68a | data | English | Great Britain | 0.2747909199522103 |
| RT_STRING | 0xcc668 | 0x490 | data | English | Great Britain | 0.3715753424657534 |
| RT_STRING | 0xccaf8 | 0x5fc | data | English | Great Britain | 0.3087467362924282 |
| RT_STRING | 0xcd0f4 | 0x65c | data | English | Great Britain | 0.34336609336609336 |
| RT_STRING | 0xcd750 | 0x466 | data | English | Great Britain | 0.3605683836589698 |
| RT_STRING | 0xcdbb8 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186 |
| RT_RCDATA | 0xcdd10 | 0x2300b | data | 1.000355720473457 | ||
| RT_GROUP_ICON | 0xf0d1c | 0x14 | data | English | Great Britain | 1.25 |
| RT_GROUP_ICON | 0xf0d30 | 0x14 | data | English | Great Britain | 1.25 |
| RT_GROUP_ICON | 0xf0d44 | 0x14 | data | English | Great Britain | 1.15 |
| RT_GROUP_ICON | 0xf0d58 | 0x14 | data | English | Great Britain | 1.25 |
| RT_VERSION | 0xf0d6c | 0xdc | data | English | Great Britain | 0.6181818181818182 |
| RT_MANIFEST | 0xf0e48 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823 |
| DLL | Import |
|---|---|
| WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect |
| VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW |
| WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW |
| COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create |
| MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W |
| WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW |
| PSAPI.DLL | GetProcessMemoryInfo |
| IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho |
| USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW |
| UxTheme.dll | IsThemeActive |
| KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA |
| USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW |
| GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath |
| COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW |
| ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW |
| SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish |
| ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity |
| OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | Great Britain |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-10T23:46:01.526747+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49699 | 193.122.6.168 | 80 | TCP |
| 2025-01-10T23:46:09.948698+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49699 | 193.122.6.168 | 80 | TCP |
| 2025-01-10T23:46:10.839573+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.7 | 49732 | 149.154.167.220 | 443 | TCP |
| 2025-01-10T23:46:11.253496+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.7 | 49732 | 149.154.167.220 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 10, 2025 23:46:00.530488968 CET | 49699 | 80 | 192.168.2.7 | 193.122.6.168 |
| Jan 10, 2025 23:46:00.535485983 CET | 80 | 49699 | 193.122.6.168 | 192.168.2.7 |
| Jan 10, 2025 23:46:00.535573959 CET | 49699 | 80 | 192.168.2.7 | 193.122.6.168 |
| Jan 10, 2025 23:46:00.536077023 CET | 49699 | 80 | 192.168.2.7 | 193.122.6.168 |
| Jan 10, 2025 23:46:00.540982008 CET | 80 | 49699 | 193.122.6.168 | 192.168.2.7 |
| Jan 10, 2025 23:46:01.268049955 CET | 80 | 49699 | 193.122.6.168 | 192.168.2.7 |
| Jan 10, 2025 23:46:01.272322893 CET | 49699 | 80 | 192.168.2.7 | 193.122.6.168 |
| Jan 10, 2025 23:46:01.277173996 CET | 80 | 49699 | 193.122.6.168 | 192.168.2.7 |
| Jan 10, 2025 23:46:01.485168934 CET | 80 | 49699 | 193.122.6.168 | 192.168.2.7 |
| Jan 10, 2025 23:46:01.526746988 CET | 49699 | 80 | 192.168.2.7 | 193.122.6.168 |
| Jan 10, 2025 23:46:01.534575939 CET | 49700 | 443 | 192.168.2.7 | 104.21.32.1 |
| Jan 10, 2025 23:46:01.534615993 CET | 443 | 49700 | 104.21.32.1 | 192.168.2.7 |
| Jan 10, 2025 23:46:01.534686089 CET | 49700 | 443 | 192.168.2.7 | 104.21.32.1 |
| Jan 10, 2025 23:46:01.541595936 CET | 49700 | 443 | 192.168.2.7 | 104.21.32.1 |
| Jan 10, 2025 23:46:01.541620970 CET | 443 | 49700 | 104.21.32.1 | 192.168.2.7 |
| Jan 10, 2025 23:46:02.014539003 CET | 443 | 49700 | 104.21.32.1 | 192.168.2.7 |
| Jan 10, 2025 23:46:02.014734983 CET | 49700 | 443 | 192.168.2.7 | 104.21.32.1 |
| Jan 10, 2025 23:46:02.025932074 CET | 49700 | 443 | 192.168.2.7 | 104.21.32.1 |
| Jan 10, 2025 23:46:02.025957108 CET | 443 | 49700 | 104.21.32.1 | 192.168.2.7 |
| Jan 10, 2025 23:46:02.026314974 CET | 443 | 49700 | 104.21.32.1 | 192.168.2.7 |
| Jan 10, 2025 23:46:02.073725939 CET | 49700 | 443 | 192.168.2.7 | 104.21.32.1 |
| Jan 10, 2025 23:46:02.524624109 CET | 49700 | 443 | 192.168.2.7 | 104.21.32.1 |
| Jan 10, 2025 23:46:02.567329884 CET | 443 | 49700 | 104.21.32.1 | 192.168.2.7 |
| Jan 10, 2025 23:46:02.636349916 CET | 443 | 49700 | 104.21.32.1 | 192.168.2.7 |
| Jan 10, 2025 23:46:02.636518002 CET | 443 | 49700 | 104.21.32.1 | 192.168.2.7 |
| Jan 10, 2025 23:46:02.636596918 CET | 49700 | 443 | 192.168.2.7 | 104.21.32.1 |
| Jan 10, 2025 23:46:02.914594889 CET | 49700 | 443 | 192.168.2.7 | 104.21.32.1 |
| Jan 10, 2025 23:46:08.569119930 CET | 49699 | 80 | 192.168.2.7 | 193.122.6.168 |
| Jan 10, 2025 23:46:08.574043036 CET | 80 | 49699 | 193.122.6.168 | 192.168.2.7 |
| Jan 10, 2025 23:46:09.907165051 CET | 80 | 49699 | 193.122.6.168 | 192.168.2.7 |
| Jan 10, 2025 23:46:09.948698044 CET | 49699 | 80 | 192.168.2.7 | 193.122.6.168 |
| Jan 10, 2025 23:46:10.159571886 CET | 49732 | 443 | 192.168.2.7 | 149.154.167.220 |
| Jan 10, 2025 23:46:10.159615040 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.7 |
| Jan 10, 2025 23:46:10.159719944 CET | 49732 | 443 | 192.168.2.7 | 149.154.167.220 |
| Jan 10, 2025 23:46:10.160234928 CET | 49732 | 443 | 192.168.2.7 | 149.154.167.220 |
| Jan 10, 2025 23:46:10.160253048 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.7 |
| Jan 10, 2025 23:46:10.792145967 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.7 |
| Jan 10, 2025 23:46:10.792220116 CET | 49732 | 443 | 192.168.2.7 | 149.154.167.220 |
| Jan 10, 2025 23:46:10.795527935 CET | 49732 | 443 | 192.168.2.7 | 149.154.167.220 |
| Jan 10, 2025 23:46:10.795548916 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.7 |
| Jan 10, 2025 23:46:10.796031952 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.7 |
| Jan 10, 2025 23:46:10.797802925 CET | 49732 | 443 | 192.168.2.7 | 149.154.167.220 |
| Jan 10, 2025 23:46:10.839339018 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.7 |
| Jan 10, 2025 23:46:10.839401007 CET | 49732 | 443 | 192.168.2.7 | 149.154.167.220 |
| Jan 10, 2025 23:46:10.839409113 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.7 |
| Jan 10, 2025 23:46:11.253648043 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.7 |
| Jan 10, 2025 23:46:11.253850937 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.7 |
| Jan 10, 2025 23:46:11.253901958 CET | 49732 | 443 | 192.168.2.7 | 149.154.167.220 |
| Jan 10, 2025 23:46:11.254631042 CET | 49732 | 443 | 192.168.2.7 | 149.154.167.220 |
| Jan 10, 2025 23:47:14.907874107 CET | 80 | 49699 | 193.122.6.168 | 192.168.2.7 |
| Jan 10, 2025 23:47:14.908001900 CET | 49699 | 80 | 192.168.2.7 | 193.122.6.168 |
| Jan 10, 2025 23:47:42.686562061 CET | 49699 | 80 | 192.168.2.7 | 193.122.6.168 |
| Jan 10, 2025 23:47:42.691462040 CET | 80 | 49699 | 193.122.6.168 | 192.168.2.7 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 10, 2025 23:46:00.513812065 CET | 63843 | 53 | 192.168.2.7 | 1.1.1.1 |
| Jan 10, 2025 23:46:00.521626949 CET | 53 | 63843 | 1.1.1.1 | 192.168.2.7 |
| Jan 10, 2025 23:46:01.526083946 CET | 51181 | 53 | 192.168.2.7 | 1.1.1.1 |
| Jan 10, 2025 23:46:01.533956051 CET | 53 | 51181 | 1.1.1.1 | 192.168.2.7 |
| Jan 10, 2025 23:46:10.151846886 CET | 60067 | 53 | 192.168.2.7 | 1.1.1.1 |
| Jan 10, 2025 23:46:10.158711910 CET | 53 | 60067 | 1.1.1.1 | 192.168.2.7 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Jan 10, 2025 23:46:00.513812065 CET | 192.168.2.7 | 1.1.1.1 | 0xa886 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 10, 2025 23:46:01.526083946 CET | 192.168.2.7 | 1.1.1.1 | 0x5e86 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 10, 2025 23:46:10.151846886 CET | 192.168.2.7 | 1.1.1.1 | 0x3a40 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jan 10, 2025 23:46:00.521626949 CET | 1.1.1.1 | 192.168.2.7 | 0xa886 | No error (0) | checkip.dyndns.com | CNAME (Canonical name) | IN (0x0001) | false | ||
| Jan 10, 2025 23:46:00.521626949 CET | 1.1.1.1 | 192.168.2.7 | 0xa886 | No error (0) | 193.122.6.168 | A (IP address) | IN (0x0001) | false | ||
| Jan 10, 2025 23:46:00.521626949 CET | 1.1.1.1 | 192.168.2.7 | 0xa886 | No error (0) | 193.122.130.0 | A (IP address) | IN (0x0001) | false | ||
| Jan 10, 2025 23:46:00.521626949 CET | 1.1.1.1 | 192.168.2.7 | 0xa886 | No error (0) | 158.101.44.242 | A (IP address) | IN (0x0001) | false | ||
| Jan 10, 2025 23:46:00.521626949 CET | 1.1.1.1 | 192.168.2.7 | 0xa886 | No error (0) | 132.226.8.169 | A (IP address) | IN (0x0001) | false | ||
| Jan 10, 2025 23:46:00.521626949 CET | 1.1.1.1 | 192.168.2.7 | 0xa886 | No error (0) | 132.226.247.73 | A (IP address) | IN (0x0001) | false | ||
| Jan 10, 2025 23:46:01.533956051 CET | 1.1.1.1 | 192.168.2.7 | 0x5e86 | No error (0) | 104.21.32.1 | A (IP address) | IN (0x0001) | false | ||
| Jan 10, 2025 23:46:01.533956051 CET | 1.1.1.1 | 192.168.2.7 | 0x5e86 | No error (0) | 104.21.96.1 | A (IP address) | IN (0x0001) | false | ||
| Jan 10, 2025 23:46:01.533956051 CET | 1.1.1.1 | 192.168.2.7 | 0x5e86 | No error (0) | 104.21.64.1 | A (IP address) | IN (0x0001) | false | ||
| Jan 10, 2025 23:46:01.533956051 CET | 1.1.1.1 | 192.168.2.7 | 0x5e86 | No error (0) | 104.21.112.1 | A (IP address) | IN (0x0001) | false | ||
| Jan 10, 2025 23:46:01.533956051 CET | 1.1.1.1 | 192.168.2.7 | 0x5e86 | No error (0) | 104.21.48.1 | A (IP address) | IN (0x0001) | false | ||
| Jan 10, 2025 23:46:01.533956051 CET | 1.1.1.1 | 192.168.2.7 | 0x5e86 | No error (0) | 104.21.16.1 | A (IP address) | IN (0x0001) | false | ||
| Jan 10, 2025 23:46:01.533956051 CET | 1.1.1.1 | 192.168.2.7 | 0x5e86 | No error (0) | 104.21.80.1 | A (IP address) | IN (0x0001) | false | ||
| Jan 10, 2025 23:46:10.158711910 CET | 1.1.1.1 | 192.168.2.7 | 0x3a40 | No error (0) | 149.154.167.220 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.7 | 49699 | 193.122.6.168 | 80 | 7280 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jan 10, 2025 23:46:00.536077023 CET | 151 | OUT | |
| Jan 10, 2025 23:46:01.268049955 CET | 273 | IN | |
| Jan 10, 2025 23:46:01.272322893 CET | 127 | OUT | |
| Jan 10, 2025 23:46:01.485168934 CET | 273 | IN | |
| Jan 10, 2025 23:46:08.569119930 CET | 127 | OUT | |
| Jan 10, 2025 23:46:09.907165051 CET | 273 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.7 | 49700 | 104.21.32.1 | 443 | 7280 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-10 22:46:02 UTC | 85 | OUT | |
| 2025-01-10 22:46:02 UTC | 865 | IN | |
| 2025-01-10 22:46:02 UTC | 362 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.7 | 49732 | 149.154.167.220 | 443 | 7280 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-10 22:46:10 UTC | 299 | OUT | |
| 2025-01-10 22:46:10 UTC | 1090 | OUT | |
| 2025-01-10 22:46:11 UTC | 388 | IN | |
| 2025-01-10 22:46:11 UTC | 551 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 2 |
| Start time: | 17:45:55 |
| Start date: | 10/01/2025 |
| Path: | C:\Users\user\Desktop\2NJzy3tiny.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x90000 |
| File size: | 994'304 bytes |
| MD5 hash: | 2CD4AD6CEC0F7EE2BC74B42753D03645 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 5 |
| Start time: | 17:45:59 |
| Start date: | 10/01/2025 |
| Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x520000 |
| File size: | 45'984 bytes |
| MD5 hash: | 9D352BC46709F0CB5EC974633A0C3C94 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | high |
| Has exited: | false |
Execution Graph
| Execution Coverage: | 4% |
| Dynamic/Decrypted Code Coverage: | 0.4% |
| Signature Coverage: | 6.6% |
| Total number of Nodes: | 2000 |
| Total number of Limit Nodes: | 52 |
Graph
Function 00093B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000949A0 Relevance: 10.7, APIs: 7, Instructions: 223COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0009FCE0 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000F445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0009E6A0 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000A09D0 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000F9155 Relevance: 19.8, APIs: 13, Instructions: 322fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0009301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73windowregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00093041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54windowregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0009708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00093A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71windowregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00093633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151windowtimeregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01875250 Relevance: 10.7, APIs: 7, Instructions: 239fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01875020 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 145fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0009407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000935B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000F955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000B470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0010CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0009F76F Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0009434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000B571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000F8D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00097A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000947D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000B0C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000CFCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00097B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0009784B Relevance: 1.6, APIs: 1, Instructions: 71COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00094DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000CFD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000B4863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00094E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000B0791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000F8E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000B525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01874F10 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0011CABC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 632windowkeyboardCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000948D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000FC75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000FEF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00110857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000FF0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000FA1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000A66E1 Relevance: 22.1, Strings: 17, Instructions: 889COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00104164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000F37EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000FF3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000A5760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000F3B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000F51BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00106283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000A5520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00091287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00115376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000E80A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00094B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000EE616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000FB333 Relevance: 4.6, APIs: 3, Instructions: 73COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000E87E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000E874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000FC6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000FA06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000E81CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000BF1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000C242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000F8889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000F4C27 Relevance: 1.5, APIs: 1, Instructions: 24COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000E87B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000BA124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000A8808 Relevance: .6, Instructions: 590COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000B21C5 Relevance: .3, Instructions: 345COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000B25FA Relevance: .3, Instructions: 341COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000B1978 Relevance: .3, Instructions: 323COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00107806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0011356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0011A5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00092C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001074AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00119A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001189D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0011488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000927D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000EA439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00104FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0011A1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0011C5FE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00114392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0011B7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000FDC1A Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000EF8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0011C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0010731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000E77DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000EF7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000F46B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000F4F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000FD58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000EC267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0009201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000921A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00117152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001174BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000B6E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001083BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00105732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000E8F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000E907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000E9163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001088AB Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000F7990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0009FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00092E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00101A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00108C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00118645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000E966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00116D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000F2F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000F42F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00092A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000F70C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001161D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000EBBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00091424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000F55FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000F3671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00117291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001162CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000EDAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000EDBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001175CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000B9AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000B406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000F64B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00115799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000EEEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000F220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00091765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0011B69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0010709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000E8879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000E85B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000EB790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000F7230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000E8992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000F2A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000ED56C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000F2753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000E8E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0010182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001163E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000F6D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000F6E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0010EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000FE571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0011A056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000E63AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000EB1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0011B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000E9307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00105A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000912F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000EBC9E Relevance: 7.6, APIs: 5, Instructions: 61COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000F4A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000E8202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000E710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000F5244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000E810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000913B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000E97F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001173D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00117B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00116CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0011770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00094C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00094C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00110DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001090E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000E717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0010E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00108093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000E7530 Relevance: 6.2, APIs: 4, Instructions: 231COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000E687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001197F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000E9A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0010641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000FB7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00118851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0011AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00114EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000F3C55 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0011C498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000E8656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000B098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00101767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000F3A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000EDCBE Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00106369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000E8B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00091290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000F1142 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0011B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0011B635 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000F6BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00092218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000E8712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000FAFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000A2957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0010258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00117A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000F28A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001166D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00116920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000F29AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001021D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000E8E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000E8CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000E8D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000E7C74 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00115964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00115998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|