Edit tour
Windows
Analysis Report
WGi85dsMNp.exe
Overview
General Information
| Sample name: | WGi85dsMNp.exerenamed because original name is a hash value |
| Original sample name: | 5fd6c5f71c6fdda582775fa5822b5ed0af1e5dc9431c06d453752a6bcbbe359a.exe |
| Analysis ID: | 1588318 |
| MD5: | 2275024102505f0997f027c71970750d |
| SHA1: | 10a4feb8f216f86caa840ff85ba02c85e00e8665 |
| SHA256: | 5fd6c5f71c6fdda582775fa5822b5ed0af1e5dc9431c06d453752a6bcbbe359a |
| Tags: | exeGuLoaderuser-adrian__luca |
| Infos: |  |
 | |
Detection
GuLoader
| Score: | 76 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected GuLoader
AI detected suspicious sample
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Classification
- System is w10x64
WGi85dsMNp.exe (PID: 6996 cmdline:
"C:\Users\ user\Deskt op\WGi85ds MNp.exe" MD5: 2275024102505F0997F027C71970750D) "C:\Users\ user\Deskt op\WGi85ds MNp.exe" MD5: 2275024102505F0997F027C71970750D) 
WerFault.exe (PID: 6284 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 4 484 -s 253 6 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution |
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-10T23:57:33.541992+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49732 | 142.250.181.238 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_0040672B | |
| Source: | Code function: | 0_2_00405AFA | |
| Source: | Code function: | 0_2_00402868 | |
| Source: | Code function: | 1_2_00402868 | |
| Source: | Code function: | 1_2_0040672B | |
| Source: | Code function: | 1_2_00405AFA | |
| Source: | TCP traffic: | ||
| Source: | IP Address: | ||
| Source: | JA3 fingerprint: | ||
| Source: | DNS query: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 0_2_0040558F | |
| Source: | Code function: | 0_2_004034A5 | |
| Source: | Code function: | 1_2_004034A5 | |
| Source: | Code function: | 0_2_00404DCC | |
| Source: | Code function: | 0_2_00406AF2 | |
| Source: | Code function: | 0_2_6F981B5F | |
| Source: | Code function: | 1_2_00404DCC | |
| Source: | Code function: | 1_2_00406AF2 | |
| Source: | Code function: | 1_2_00162DD1 | |
| Source: | Code function: | ||
| Source: | Process created: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_004034A5 | |
| Source: | Code function: | 1_2_004034A5 | |
| Source: | Code function: | 0_2_00404850 | |
| Source: | Code function: | 0_2_00402104 | |
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | Virustotal: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
Data Obfuscation | |
|---|
| Source: | File source: | ||
| Source: | Code function: | 0_2_6F981B5F | |
| Source: | File created: | Jump to dropped file | ||
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | API/Special instruction interceptor: | ||
| Source: | API/Special instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Code function: | 0_2_0040672B | |
| Source: | Code function: | 0_2_00405AFA | |
| Source: | Code function: | 0_2_00402868 | |
| Source: | Code function: | 1_2_00402868 | |
| Source: | Code function: | 1_2_0040672B | |
| Source: | Code function: | 1_2_00405AFA | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | API call chain: | graph_0-4591 | ||
| Source: | API call chain: | graph_0-4746 | ||
| Source: | Code function: | 0_2_00401E49 | |
| Source: | Code function: | 0_2_6F981B5F | |
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_004034A5 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Masquerading | OS Credential Dumping | 1 Query Registry | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 11 Process Injection | 1 Virtualization/Sandbox Evasion | LSASS Memory | 211 Security Software Discovery | Remote Desktop Protocol | 1 Clipboard Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Disable or Modify Tools | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Access Token Manipulation | NTDS | 1 System Network Configuration Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Process Injection | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Deobfuscate/Decode Files or Information | Cached Domain Credentials | 214 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 61% | ReversingLabs | Win32.Trojan.Guloader | ||
| 76% | Virustotal | Browse | ||
| 100% | Avira | HEUR/AGEN.1337946 |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | ReversingLabs | |||
| 0% | Virustotal | Browse |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| drive.google.com | 142.250.181.238 | true | false | high | |
| drive.usercontent.google.com | 142.250.185.129 | true | false | high | |
| checkip.dyndns.com | 158.101.44.242 | true | false | high | |
| checkip.dyndns.org | unknown | unknown | false | high | |
| 206.23.85.13.in-addr.arpa | unknown | unknown | false | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 142.250.181.238 | drive.google.com | United States | 15169 | GOOGLEUS | false | |
| 142.250.185.129 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false | |
| 158.101.44.242 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false |
| Joe Sandbox version: | 42.0.0 Malachite |
| Analysis ID: | 1588318 |
| Start date and time: | 2025-01-10 23:56:22 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 6m 4s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 9 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | WGi85dsMNp.exerenamed because original name is a hash value |
| Original Sample Name: | 5fd6c5f71c6fdda582775fa5822b5ed0af1e5dc9431c06d453752a6bcbbe359a.exe |
| Detection: | MAL |
| Classification: | mal76.troj.evad.winEXE@4/13@4/3 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 52.168.117.173, 172.202.163.200, 40.126.32.74, 13.85.23.206, 13.107.246.44
- Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target WGi85dsMNp.exe, PID 4484 because it is empty
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
- Report size getting too big, too many NtSetInformationFile calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
| Time | Type | Description |
|---|---|---|
| 17:57:53 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 158.101.44.242 | Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse |
| |
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| checkip.dyndns.com | Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse |
| |
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse |
| ||
| Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| ORACLE-BMC-31898US | Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse |
| |
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 37f463bf4616ecd445d4a1937da06e19 | Get hash | malicious | Remcos, GuLoader | Browse |
| |
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\nslB6AB.tmp\System.dll | Get hash | malicious | GuLoader, MassLogger RAT | Browse | ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_WGi85dsMNp.exe_f3148c7471c3aeed841fbeda81872f95916bae_75a62137_6591b616-f07d-4c67-811d-b88e813cf2dd\Report.wer 
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 1.2246600705706754 |
| Encrypted: | false |
| SSDEEP: | 192:Oo1glbNT0BU/ojYm9rvGmKzuiF3Z24IO8QzJ:f1glbNABU/ojfGmKzuiF3Y4IO8Q |
| MD5: | 7947943E56EF461E72F46DB72A76314E |
| SHA1: | DC8CE7F9C924327778689C2CE04D7E22ABE9CD66 |
| SHA-256: | C10EADAE99D3866549F04D1056CEBA9D271ECEC8EDB928D2A31FF48732714975 |
| SHA-512: | 85098409ADFC632E1546A201AE6540585F6CCC9C1D67B6DCDAEF85DE62E2DC812D1F41F22008FD2F70D02811D0F541591DE587376A7A9D2DC44EB71EE8E15DBC |
| Malicious: | true |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 280614 |
| Entropy (8bit): | 3.7736619096552095 |
| Encrypted: | false |
| SSDEEP: | 3072:M/hFA61YEc4uEquymLTg4StHg9UwI5KASqAR3:ShFR1YEc4nykTg4StAKA |
| MD5: | A4BB53433908B277D92CA4EE295F5569 |
| SHA1: | 988B8E3E4911E131D13C3F631A57757309AFA957 |
| SHA-256: | 9B5E8A63CFAD89FA22225C6DC6846B15D98DE9B2BA4A9F8187EC012C6ACEA3AF |
| SHA-512: | 95202073C3A136FE496F4907F1A94D65059368A0E2B930EA1120A4D1D2AC93AA0F8B641CBAFE12DCA7573A6AD958B0B110E77B8C3823CA147B8551DA16681700 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 6336 |
| Entropy (8bit): | 3.7280474137528365 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJVi6IOpIYf40Sprr89bfNsfMVm:R6lXJA6I+IYf407fGfj |
| MD5: | D5C72977A55D83ABDA3C166AA2F6D3A7 |
| SHA1: | 7D2423D47EA9F036F7A1E9D33A6A226B4DDD15D5 |
| SHA-256: | B5DCD4B8002C4487D1A54A498C7C7C95237204425074370B1D0AA1CF42E3BF90 |
| SHA-512: | 39735A8918A356AA4D959FC7B8011220A21F0F031D63EDA602A7724A62CCE616B7BB15CBD099CB30C27242513C8ABC8684A1475F7730AD4B35CA4CE63FCE4ECC |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4672 |
| Entropy (8bit): | 4.49489118851658 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zs3wuJg77aI9kKwVrWpW8VY/yYm8M4JPjFNn+q8tli+NDXd:uIjfXI7Xj7Vm7Jn0i+NDXd |
| MD5: | E0AFA4023296BCBAEEA04BEF0121DBF1 |
| SHA1: | 7EDFEE54A819E91AF82DA1053E1D899423ACFA81 |
| SHA-256: | 14AE194ED68207ABDA9BD15FCBFAFD6BA81A20A36909DCFE7A5EE6A0E49D723D |
| SHA-512: | E6954E313F620A4398478D5D50A3E64C441B4F38FCF520C36A18EDCF7AC2301DD70F9DF575484D7A4143C7AF72677577E76378777F51344F7AF72DFF0E394264 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\WGi85dsMNp.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 484658 |
| Entropy (8bit): | 7.809711763657168 |
| Encrypted: | false |
| SSDEEP: | 12288:W1S3xo63wl4biprI2S4WwWEcwxg9dvVAxZOCLF0DB:Wo3xX3y4bz2lWwWo6rSTZyd |
| MD5: | 5C727AE28F0DECF497FBB092BAE01B4E |
| SHA1: | AADE364AE8C2C91C6F59F85711B53078FB0763B7 |
| SHA-256: | 77CCACF58330509839E17A6CFD6B17FE3DE31577D8E2C37DC413839BA2FEEC80 |
| SHA-512: | 5246C0FBA41DF66AF89D986A3CEABC99B61DB9E9C217B28B2EC18AF31E3ED17C865387223CEB3A38A804243CF3307E07E557549026F49F52829BEBC4D4546C40 |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Users\user\Desktop\WGi85dsMNp.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 265451 |
| Entropy (8bit): | 7.782402940724189 |
| Encrypted: | false |
| SSDEEP: | 3072:MfD0sueIxWjINar/W+7HQEr2h68AS/58b3Pxlo4th+1rpu+MHr+yOvAYYR36Dbs:uTyD+7wEyzizP/o6hCtMHr+D/YR3b |
| MD5: | 0086A4711D718152A54D75819B459A34 |
| SHA1: | E2DC6C0ABE6C7F59801B94B5BA3337597FFC8D69 |
| SHA-256: | 746807F1588B3611FF5B28451BDFDB07FAE73CD2F0D5502C44D7A9D0C8667C0F |
| SHA-512: | 166D1A46B2A96E6B9183265CB01893EBB45CE65B35625F3EA71BC9918BCE2BBE19277231E5112E5B06A038375FA1B6F6D2E1564FBEC93269F11C57DCB7A04417 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\WGi85dsMNp.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 112291 |
| Entropy (8bit): | 1.249420131631438 |
| Encrypted: | false |
| SSDEEP: | 768:5R+BCpkJWjYWL2MxTVLvUjpGqik9JiAfWA2DBQwD1PzUH+HYZmIo7x31sT:WCZY21w0I2NZYD |
| MD5: | 4D1D72CFC5940B09DFBD7B65916F532E |
| SHA1: | 30A45798B534842002B103A36A3B907063F8A96C |
| SHA-256: | 479F1904096978F1011DF05D52021FAEEE028D4CF331024C965CED8AF1C8D496 |
| SHA-512: | 048844A09E291903450188715BCDDF14F0F1F10BEAFBD005882EBF5D5E31A71D8F93EEBE788BD54B4AED2266C454F4DCA18AF4567977B7E773BBE29A38DEA45B |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\WGi85dsMNp.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 362089 |
| Entropy (8bit): | 1.23992084267325 |
| Encrypted: | false |
| SSDEEP: | 768:xOeaameETrlE0+1mGOWb3h5WAV0hW+JSLSwzj2HlSdL0f6mhKZRaqOzWz6szt3cA:x+ds5dYOVxIW3hhdeRt6MeZ1W4vB |
| MD5: | A4340182CDDD2EC1F1480360218343F9 |
| SHA1: | 50EF929FEA713AA6FCC05E8B75F497B7946B285B |
| SHA-256: | B91E5B1FF5756F0B93DCF11CBC8B467CDA0C5792DE24D27EC86E7C74388B44B3 |
| SHA-512: | 021F198AFF7CCED92912C74FC97D1919A9E059F22E99AB1236FBAA36C16B520C07B78F47FC01FCFAC1B53A87CDAE3E440D0589FA2844612617FAB2EDB64A3573 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\WGi85dsMNp.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 139354 |
| Entropy (8bit): | 1.2473328695625903 |
| Encrypted: | false |
| SSDEEP: | 768:9OsMSh8lSnJGyUzWZsO2ipzPFmDZC9kpzroto48tf2+5lVp:9delFlqNawgJp |
| MD5: | B0FB6B583D6902DE58E1202D12BA4832 |
| SHA1: | 7F585B5C3A4581CE76E373C78A6513F157B20480 |
| SHA-256: | E6EA5F6D0C7F5FA407269C7F4FF6D97149B7611071BF5BF6C454B810501AE661 |
| SHA-512: | E0894FFBD76C3476DC083DAFD24F88964BF6E09E4CA955766B43FE73A764A00247C930E9996652A22B57B27826CD94F88B8178514060CA398DE568675F9E4571 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\WGi85dsMNp.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 29109 |
| Entropy (8bit): | 4.571452088399361 |
| Encrypted: | false |
| SSDEEP: | 384:NAaDWUweT7xl/UzbAZX2iGjoGdjtjc0bItS4GDyIEN3+nMTrXAw2KvZ6YHx8KM/Z:NT1zMsGiGLK0bItS12lrnxHx8K0ku |
| MD5: | 88F751E865173E78E89A78BAE34FD3D3 |
| SHA1: | 67825D4FBC5C0B462DAD04668080272D0E20D31B |
| SHA-256: | CD32E850C8641C3C2CB2AB071F82651261E4B08B26C045DE2964C2C099793866 |
| SHA-512: | 73445E8D885AFB4DF8D2169304035845D92DF4D0B053BBF3B9894D5E7E732AC8378EEAE215B8F0AFE22823823389091377FA0EC3895304B280A8C29589D59BAB |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\WGi85dsMNp.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 12288 |
| Entropy (8bit): | 5.719859767584478 |
| Encrypted: | false |
| SSDEEP: | 192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6 |
| MD5: | 0D7AD4F45DC6F5AA87F606D0331C6901 |
| SHA1: | 48DF0911F0484CBE2A8CDD5362140B63C41EE457 |
| SHA-256: | 3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA |
| SHA-512: | C07DE7308CB54205E8BD703001A7FE4FD7796C9AC1B4BB330C77C872BF712B093645F40B80CE7127531FE6746A5B66E18EA073AB6A644934ABED9BB64126FEA9 |
| Malicious: | false |
| Antivirus: |
|
| Joe Sandbox View: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\WGi85dsMNp.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1419231 |
| Entropy (8bit): | 5.474882951664024 |
| Encrypted: | false |
| SSDEEP: | 12288:DTyD+pL/bfcgq1S3xo63wl4biprI2S4WwWEcwxg9dvVAxZOCLF0DQZ2:/yD0L/bfEo3xX3y4bz2lWwWo6rSTZy/ |
| MD5: | F7D9F967CA2F71E3D562937FCB24C382 |
| SHA1: | C16A775DD27444712E51E969C48B92A59BC30A42 |
| SHA-256: | FC404818413612BDF92C72AB1F5EB9CC32D86D9D30D127C4D4E0114D70620B45 |
| SHA-512: | 9B448617B9A58A5F43B87165EE37BD36D2FEFEEA025E8173C00E33BCA4C0B0B0C66C765281FABEAC0857FEC2073940E021E4D0256144555DF784E91DF4A54073 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1835008 |
| Entropy (8bit): | 4.465602717972394 |
| Encrypted: | false |
| SSDEEP: | 6144:pIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uN/dwBCswSbG:aXD94+WlLZMM6YFHx+G |
| MD5: | D766A8700652B025795050B1DF9D2BAB |
| SHA1: | 2EF89DC37575F2D4EB38253089955B52342EE554 |
| SHA-256: | 0BF85789EDEB4D2C20401D06F1365F48D48C10AE478509C7C6C87FC5E8334BC2 |
| SHA-512: | E079ADC975643B559CB8D1EA4675EB9869C365DACFAF97B8F827C03FB1356109AA02224285FCD127EC38B7790D02B94C8946047272A16CB1B34BC36A741B3AF2 |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.957075213429238 |
| TrID: |
|
| File name: | WGi85dsMNp.exe |
| File size: | 979'348 bytes |
| MD5: | 2275024102505f0997f027c71970750d |
| SHA1: | 10a4feb8f216f86caa840ff85ba02c85e00e8665 |
| SHA256: | 5fd6c5f71c6fdda582775fa5822b5ed0af1e5dc9431c06d453752a6bcbbe359a |
| SHA512: | 1ebf7e71b121a3102d2de3c756761fe7e2efae90b2561912886da7d8a43fe9fcf29322d5f239cd21614847d9ec3c519b2d2a1213252cf3e1ee5dc622d4e24182 |
| SSDEEP: | 24576:9jwKCNRVJ13mzBqtejjs3RgG9vWciasTKafa0aULP:V1CLFyqtukfiaJaCUP |
| TLSH: | C725234A5772CCA7D8164871962BCCA7B6B57E0238946ED353C0AB0F3CB131B4D29F99 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...$..\.................f...*..... |
 | |
| Icon Hash: | 46224e4c19391d03 |
| Entrypoint: | 0x4034a5 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x5C157F24 [Sat Dec 15 22:24:36 2018 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 1f23f452093b5c1ff091a2f9fb4fa3e9 |
| Instruction |
|---|
| sub esp, 000002D4h |
| push ebx |
| push esi |
| push edi |
| push 00000020h |
| pop edi |
| xor ebx, ebx |
| push 00008001h |
| mov dword ptr [esp+14h], ebx |
| mov dword ptr [esp+10h], 0040A230h |
| mov dword ptr [esp+1Ch], ebx |
| call dword ptr [004080ACh] |
| call dword ptr [004080A8h] |
| and eax, BFFFFFFFh |
| cmp ax, 00000006h |
| mov dword ptr [0042A24Ch], eax |
| je 00007F01E8C03C33h |
| push ebx |
| call 00007F01E8C06EFDh |
| cmp eax, ebx |
| je 00007F01E8C03C29h |
| push 00000C00h |
| call eax |
| mov esi, 004082B0h |
| push esi |
| call 00007F01E8C06E77h |
| push esi |
| call dword ptr [00408150h] |
| lea esi, dword ptr [esi+eax+01h] |
| cmp byte ptr [esi], 00000000h |
| jne 00007F01E8C03C0Ch |
| push 0000000Ah |
| call 00007F01E8C06ED0h |
| push 00000008h |
| call 00007F01E8C06EC9h |
| push 00000006h |
| mov dword ptr [0042A244h], eax |
| call 00007F01E8C06EBDh |
| cmp eax, ebx |
| je 00007F01E8C03C31h |
| push 0000001Eh |
| call eax |
| test eax, eax |
| je 00007F01E8C03C29h |
| or byte ptr [0042A24Fh], 00000040h |
| push ebp |
| call dword ptr [00408044h] |
| push ebx |
| call dword ptr [004082A0h] |
| mov dword ptr [0042A318h], eax |
| push ebx |
| lea eax, dword ptr [esp+34h] |
| push 000002B4h |
| push eax |
| push ebx |
| push 004216E8h |
| call dword ptr [00408188h] |
| push 0040A384h |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x55000 | 0x21068 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x6409 | 0x6600 | bfe2b726d49cbd922b87bad5eea65e61 | False | 0.6540287990196079 | data | 6.416186322230332 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x8000 | 0x1396 | 0x1400 | d45dcba8ca646543f7e339e20089687e | False | 0.45234375 | data | 5.154907432640367 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xa000 | 0x20358 | 0x600 | 8575fc5e872ca789611c386779287649 | False | 0.5026041666666666 | data | 4.004402321344153 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .ndata | 0x2b000 | 0x2a000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x55000 | 0x21068 | 0x21200 | 03ed2ed76ba15352dac9e48819696134 | False | 0.8714696344339623 | data | 7.556190648348207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_BITMAP | 0x554c0 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States | 0.23623853211009174 |
| RT_ICON | 0x55828 | 0xc2a3 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9966684729162903 |
| RT_ICON | 0x61ad0 | 0x86e0 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.990210843373494 |
| RT_ICON | 0x6a1b0 | 0x5085 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9867559307233299 |
| RT_ICON | 0x6f238 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.4358921161825726 |
| RT_ICON | 0x717e0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.4896810506566604 |
| RT_ICON | 0x72888 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.5367803837953091 |
| RT_ICON | 0x73730 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.6913357400722022 |
| RT_ICON | 0x73fd8 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.38597560975609757 |
| RT_ICON | 0x74640 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.4934971098265896 |
| RT_ICON | 0x74ba8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.651595744680851 |
| RT_ICON | 0x75010 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.46908602150537637 |
| RT_ICON | 0x752f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.5472972972972973 |
| RT_DIALOG | 0x75420 | 0x120 | data | English | United States | 0.53125 |
| RT_DIALOG | 0x75540 | 0x118 | data | English | United States | 0.5678571428571428 |
| RT_DIALOG | 0x75658 | 0x120 | data | English | United States | 0.5104166666666666 |
| RT_DIALOG | 0x75778 | 0xf8 | data | English | United States | 0.6330645161290323 |
| RT_DIALOG | 0x75870 | 0xa0 | data | English | United States | 0.6125 |
| RT_DIALOG | 0x75910 | 0x60 | data | English | United States | 0.7291666666666666 |
| RT_GROUP_ICON | 0x75970 | 0xae | data | English | United States | 0.6091954022988506 |
| RT_VERSION | 0x75a20 | 0x308 | data | English | United States | 0.47036082474226804 |
| RT_MANIFEST | 0x75d28 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795 |
| DLL | Import |
|---|---|
| KERNEL32.dll | ExitProcess, SetFileAttributesW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, SetCurrentDirectoryW, GetFileAttributesW, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, CopyFileW, GetShortPathNameW, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalUnlock, GetDiskFreeSpaceW, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW |
| USER32.dll | GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage |
| GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
| SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW |
| ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW |
| COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy |
| ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-10T23:57:33.541992+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49732 | 142.250.181.238 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 10, 2025 23:57:32.421971083 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.238 |
| Jan 10, 2025 23:57:32.422020912 CET | 443 | 49732 | 142.250.181.238 | 192.168.2.4 |
| Jan 10, 2025 23:57:32.422091007 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.238 |
| Jan 10, 2025 23:57:32.503108025 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.238 |
| Jan 10, 2025 23:57:32.503149986 CET | 443 | 49732 | 142.250.181.238 | 192.168.2.4 |
| Jan 10, 2025 23:57:33.165333986 CET | 443 | 49732 | 142.250.181.238 | 192.168.2.4 |
| Jan 10, 2025 23:57:33.165416956 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.238 |
| Jan 10, 2025 23:57:33.166425943 CET | 443 | 49732 | 142.250.181.238 | 192.168.2.4 |
| Jan 10, 2025 23:57:33.166479111 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.238 |
| Jan 10, 2025 23:57:33.233925104 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.238 |
| Jan 10, 2025 23:57:33.233999968 CET | 443 | 49732 | 142.250.181.238 | 192.168.2.4 |
| Jan 10, 2025 23:57:33.234347105 CET | 443 | 49732 | 142.250.181.238 | 192.168.2.4 |
| Jan 10, 2025 23:57:33.234415054 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.238 |
| Jan 10, 2025 23:57:33.244590044 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.238 |
| Jan 10, 2025 23:57:33.291326046 CET | 443 | 49732 | 142.250.181.238 | 192.168.2.4 |
| Jan 10, 2025 23:57:33.542035103 CET | 443 | 49732 | 142.250.181.238 | 192.168.2.4 |
| Jan 10, 2025 23:57:33.542298079 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.238 |
| Jan 10, 2025 23:57:33.542330980 CET | 443 | 49732 | 142.250.181.238 | 192.168.2.4 |
| Jan 10, 2025 23:57:33.542433023 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.238 |
| Jan 10, 2025 23:57:33.542510986 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.238 |
| Jan 10, 2025 23:57:33.542587042 CET | 443 | 49732 | 142.250.181.238 | 192.168.2.4 |
| Jan 10, 2025 23:57:33.542861938 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.238 |
| Jan 10, 2025 23:57:33.597362041 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:33.597414017 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:33.597518921 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:33.597976923 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:33.597999096 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:34.232547998 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:34.232757092 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:34.246968031 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:34.247004986 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:34.247380972 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:34.247494936 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:34.247837067 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:34.291343927 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.084683895 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.084777117 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.090589046 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.090667009 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.103182077 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.103270054 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.103285074 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.103409052 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.109471083 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.109548092 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.171766996 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.171844006 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.171869040 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.171921968 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.171960115 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.171986103 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.174102068 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.174170971 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.174196959 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.174321890 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.197053909 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.197134972 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.197150946 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.197191954 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.197242975 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.197259903 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.197359085 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.197408915 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.197427988 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.197484016 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.199304104 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.199390888 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.199402094 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.199582100 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.206037998 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.206104994 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.206140041 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.206248045 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.211906910 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.212146044 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.212157011 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.212349892 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.217760086 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.218755007 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.218761921 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.218817949 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.223445892 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.223932981 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.223937988 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.224131107 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.229268074 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.229509115 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.229515076 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.229562998 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.235059023 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.235907078 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.239411116 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.239478111 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.240895987 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.242108107 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.258084059 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.258156061 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.258178949 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.258238077 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.258269072 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.258301020 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.258316994 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.258358002 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.258449078 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.260423899 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.260476112 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.260807991 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.260870934 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.266160965 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.266221046 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.266233921 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.266292095 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.266302109 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.266422033 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.271857023 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.271900892 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.271996975 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.272049904 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.276983023 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.277036905 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.277051926 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.277113914 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.281975031 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.282032967 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.282046080 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.282110929 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.286879063 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.286955118 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.286997080 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.287054062 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.291574955 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.291903973 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.291920900 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.293471098 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.296360016 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.296518087 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.296533108 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.297197104 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.301065922 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.301136017 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.301151991 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.301248074 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.305794001 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.305860996 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.305877924 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.305952072 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.310332060 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.310410976 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.310429096 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.311927080 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.314984083 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.315917969 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.315937996 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.316957951 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.319395065 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.319461107 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.319477081 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.319535971 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.323529959 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.323584080 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.323599100 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.323649883 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.323659897 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.323724031 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.323724985 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.323777914 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.323817968 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.323858023 CET | 443 | 49735 | 142.250.185.129 | 192.168.2.4 |
| Jan 10, 2025 23:57:37.323882103 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:37.324058056 CET | 49735 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 10, 2025 23:57:38.072413921 CET | 49738 | 80 | 192.168.2.4 | 158.101.44.242 |
| Jan 10, 2025 23:57:38.077256918 CET | 80 | 49738 | 158.101.44.242 | 192.168.2.4 |
| Jan 10, 2025 23:57:38.077342987 CET | 49738 | 80 | 192.168.2.4 | 158.101.44.242 |
| Jan 10, 2025 23:57:38.077563047 CET | 49738 | 80 | 192.168.2.4 | 158.101.44.242 |
| Jan 10, 2025 23:57:38.082355976 CET | 80 | 49738 | 158.101.44.242 | 192.168.2.4 |
| Jan 10, 2025 23:57:38.639904022 CET | 80 | 49738 | 158.101.44.242 | 192.168.2.4 |
| Jan 10, 2025 23:57:38.694974899 CET | 49738 | 80 | 192.168.2.4 | 158.101.44.242 |
| Jan 10, 2025 23:57:46.999535084 CET | 55961 | 53 | 192.168.2.4 | 162.159.36.2 |
| Jan 10, 2025 23:57:47.005217075 CET | 53 | 55961 | 162.159.36.2 | 192.168.2.4 |
| Jan 10, 2025 23:57:47.005321980 CET | 55961 | 53 | 192.168.2.4 | 162.159.36.2 |
| Jan 10, 2025 23:57:47.010185957 CET | 53 | 55961 | 162.159.36.2 | 192.168.2.4 |
| Jan 10, 2025 23:57:47.450421095 CET | 55961 | 53 | 192.168.2.4 | 162.159.36.2 |
| Jan 10, 2025 23:57:47.455492973 CET | 53 | 55961 | 162.159.36.2 | 192.168.2.4 |
| Jan 10, 2025 23:57:47.455555916 CET | 55961 | 53 | 192.168.2.4 | 162.159.36.2 |
| Jan 10, 2025 23:57:57.570580959 CET | 49738 | 80 | 192.168.2.4 | 158.101.44.242 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 10, 2025 23:57:32.409724951 CET | 64148 | 53 | 192.168.2.4 | 1.1.1.1 |
| Jan 10, 2025 23:57:32.416606903 CET | 53 | 64148 | 1.1.1.1 | 192.168.2.4 |
| Jan 10, 2025 23:57:33.589677095 CET | 58563 | 53 | 192.168.2.4 | 1.1.1.1 |
| Jan 10, 2025 23:57:33.596544027 CET | 53 | 58563 | 1.1.1.1 | 192.168.2.4 |
| Jan 10, 2025 23:57:38.059799910 CET | 51068 | 53 | 192.168.2.4 | 1.1.1.1 |
| Jan 10, 2025 23:57:38.066982031 CET | 53 | 51068 | 1.1.1.1 | 192.168.2.4 |
| Jan 10, 2025 23:57:46.999002934 CET | 53 | 51292 | 162.159.36.2 | 192.168.2.4 |
| Jan 10, 2025 23:57:47.458383083 CET | 58997 | 53 | 192.168.2.4 | 1.1.1.1 |
| Jan 10, 2025 23:57:47.466106892 CET | 53 | 58997 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Jan 10, 2025 23:57:32.409724951 CET | 192.168.2.4 | 1.1.1.1 | 0x8878 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 10, 2025 23:57:33.589677095 CET | 192.168.2.4 | 1.1.1.1 | 0x9cae | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 10, 2025 23:57:38.059799910 CET | 192.168.2.4 | 1.1.1.1 | 0x9e59 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 10, 2025 23:57:47.458383083 CET | 192.168.2.4 | 1.1.1.1 | 0x7e6b | Standard query (0) | PTR (Pointer record) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jan 10, 2025 23:57:32.416606903 CET | 1.1.1.1 | 192.168.2.4 | 0x8878 | No error (0) | 142.250.181.238 | A (IP address) | IN (0x0001) | false | ||
| Jan 10, 2025 23:57:33.596544027 CET | 1.1.1.1 | 192.168.2.4 | 0x9cae | No error (0) | 142.250.185.129 | A (IP address) | IN (0x0001) | false | ||
| Jan 10, 2025 23:57:38.066982031 CET | 1.1.1.1 | 192.168.2.4 | 0x9e59 | No error (0) | checkip.dyndns.com | CNAME (Canonical name) | IN (0x0001) | false | ||
| Jan 10, 2025 23:57:38.066982031 CET | 1.1.1.1 | 192.168.2.4 | 0x9e59 | No error (0) | 158.101.44.242 | A (IP address) | IN (0x0001) | false | ||
| Jan 10, 2025 23:57:38.066982031 CET | 1.1.1.1 | 192.168.2.4 | 0x9e59 | No error (0) | 132.226.247.73 | A (IP address) | IN (0x0001) | false | ||
| Jan 10, 2025 23:57:38.066982031 CET | 1.1.1.1 | 192.168.2.4 | 0x9e59 | No error (0) | 132.226.8.169 | A (IP address) | IN (0x0001) | false | ||
| Jan 10, 2025 23:57:38.066982031 CET | 1.1.1.1 | 192.168.2.4 | 0x9e59 | No error (0) | 193.122.6.168 | A (IP address) | IN (0x0001) | false | ||
| Jan 10, 2025 23:57:38.066982031 CET | 1.1.1.1 | 192.168.2.4 | 0x9e59 | No error (0) | 193.122.130.0 | A (IP address) | IN (0x0001) | false | ||
| Jan 10, 2025 23:57:47.466106892 CET | 1.1.1.1 | 192.168.2.4 | 0x7e6b | Name error (3) | none | none | PTR (Pointer record) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49738 | 158.101.44.242 | 80 | 4484 | C:\Users\user\Desktop\WGi85dsMNp.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jan 10, 2025 23:57:38.077563047 CET | 151 | OUT | |
| Jan 10, 2025 23:57:38.639904022 CET | 730 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49732 | 142.250.181.238 | 443 | 4484 | C:\Users\user\Desktop\WGi85dsMNp.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-10 22:57:33 UTC | 216 | OUT | |
| 2025-01-10 22:57:33 UTC | 1920 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49735 | 142.250.185.129 | 443 | 4484 | C:\Users\user\Desktop\WGi85dsMNp.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-10 22:57:34 UTC | 258 | OUT | |
| 2025-01-10 22:57:37 UTC | 4934 | IN | |
| 2025-01-10 22:57:37 UTC | 4934 | IN | |
| 2025-01-10 22:57:37 UTC | 4833 | IN | |
| 2025-01-10 22:57:37 UTC | 1320 | IN | |
| 2025-01-10 22:57:37 UTC | 1390 | IN | |
| 2025-01-10 22:57:37 UTC | 1390 | IN | |
| 2025-01-10 22:57:37 UTC | 1390 | IN | |
| 2025-01-10 22:57:37 UTC | 1390 | IN | |
| 2025-01-10 22:57:37 UTC | 1390 | IN | |
| 2025-01-10 22:57:37 UTC | 1390 | IN | |
| 2025-01-10 22:57:37 UTC | 1390 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 17:57:14 |
| Start date: | 10/01/2025 |
| Path: | C:\Users\user\Desktop\WGi85dsMNp.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 979'348 bytes |
| MD5 hash: | 2275024102505F0997F027C71970750D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 17:57:26 |
| Start date: | 10/01/2025 |
| Path: | C:\Users\user\Desktop\WGi85dsMNp.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 979'348 bytes |
| MD5 hash: | 2275024102505F0997F027C71970750D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 7 |
| Start time: | 17:57:38 |
| Start date: | 10/01/2025 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x140000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 20.3% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 20% |
| Total number of Nodes: | 1599 |
| Total number of Limit Nodes: | 38 |
Graph
Function 004034A5 Relevance: 84.4, APIs: 32, Strings: 16, Instructions: 410stringfilecomCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404DCC Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6F981B5F Relevance: 20.1, APIs: 13, Instructions: 576stringlibrarymemoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405AFA Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148filestringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406AF2 Relevance: 5.4, APIs: 4, Instructions: 382COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401E49 Relevance: 3.0, APIs: 2, Instructions: 25COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403E86 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346windowstringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403AD8 Relevance: 44.0, APIs: 13, Strings: 12, Instructions: 215stringregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402F30 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 203memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040640A Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 209stringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145stringtimeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406752 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004023E4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64registrystringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004053C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004062B6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406F27 Relevance: 5.2, APIs: 4, Instructions: 236COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00407128 Relevance: 5.2, APIs: 4, Instructions: 208COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406E3E Relevance: 5.2, APIs: 4, Instructions: 205COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406943 Relevance: 5.2, APIs: 4, Instructions: 198COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406D91 Relevance: 5.2, APIs: 4, Instructions: 180COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406EAF Relevance: 5.2, APIs: 4, Instructions: 170COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406DFB Relevance: 5.2, APIs: 4, Instructions: 168COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004032DE Relevance: 4.6, APIs: 3, Instructions: 101COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402032 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004031D6 Relevance: 3.1, APIs: 2, Instructions: 88COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405EDE Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040599C Relevance: 3.0, APIs: 2, Instructions: 9COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6F982AAC Relevance: 1.6, APIs: 1, Instructions: 143fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040167B Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004027EF Relevance: 1.5, APIs: 1, Instructions: 28COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405F61 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405F90 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6F982993 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040345D Relevance: 1.5, APIs: 1, Instructions: 6COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404394 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040558F Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284windowclipboardmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404850 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402868 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040451E Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204windowstringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406034 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004043C6 Relevance: 12.1, APIs: 8, Instructions: 68COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404D1A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402DF3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6F982569 Relevance: 9.1, APIs: 6, Instructions: 109COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404C0C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402598 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6F9818D9 Relevance: 7.7, APIs: 5, Instructions: 194COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6F982394 Relevance: 7.6, APIs: 5, Instructions: 135memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401DB9 Relevance: 7.5, APIs: 5, Instructions: 43COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6F98161D Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401D5D Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401C1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405CBD Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405DC5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004059D1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405D09 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6F9810E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405E43 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00162DD1 Relevance: 2.9, Strings: 2, Instructions: 427COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001619B8 Relevance: 8.5, Strings: 6, Instructions: 967COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00160B29 Relevance: 1.5, Strings: 1, Instructions: 203COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00160B30 Relevance: 1.4, Strings: 1, Instructions: 200COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001618C8 Relevance: .1, Instructions: 77COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0009D4DC Relevance: .1, Instructions: 75COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00160EC8 Relevance: .1, Instructions: 70COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0016324D Relevance: .1, Instructions: 68COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001617B8 Relevance: .1, Instructions: 66COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0009D4D7 Relevance: .1, Instructions: 56COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00161877 Relevance: .0, Instructions: 25COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00161888 Relevance: .0, Instructions: 19COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004034A5 Relevance: 75.7, APIs: 32, Strings: 11, Instructions: 410stringfilecomCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404DCC Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405AFA Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 148filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406AF2 Relevance: 5.4, APIs: 4, Instructions: 382COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040558F Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284windowclipboardmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403E86 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346windowstringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403AD8 Relevance: 38.7, APIs: 13, Strings: 9, Instructions: 215stringregistryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040451E Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 204windowstringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404850 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 275stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406034 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402F30 Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 203memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040640A Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 209stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004043C6 Relevance: 12.1, APIs: 8, Instructions: 68COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404D1A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406752 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402DF3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404C0C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401DB9 Relevance: 7.5, APIs: 5, Instructions: 43COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401D5D Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401C1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040591F Relevance: 6.0, APIs: 4, Instructions: 39COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405DC5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004053C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004059D1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406F27 Relevance: 5.2, APIs: 4, Instructions: 236COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00407128 Relevance: 5.2, APIs: 4, Instructions: 208COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406E3E Relevance: 5.2, APIs: 4, Instructions: 205COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406943 Relevance: 5.2, APIs: 4, Instructions: 198COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406D91 Relevance: 5.2, APIs: 4, Instructions: 180COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406EAF Relevance: 5.2, APIs: 4, Instructions: 170COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406DFB Relevance: 5.2, APIs: 4, Instructions: 168COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00161A40 Relevance: 5.1, Strings: 4, Instructions: 98COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405E43 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|