Edit tour
Windows
Analysis Report
of5HklY9qP.exe
Overview
General Information
| Sample name: | of5HklY9qP.exerenamed because original name is a hash value |
| Original sample name: | 5aafd78c24d92f25dd27dfea5492fa2212d52586af05400e55853f3f2218de8d.exe |
| Analysis ID: | 1588704 |
| MD5: | 57e3ec29544a0c1841ba8c9bef860cf9 |
| SHA1: | c1c1ac0421a0b16d07c412f8957335348f24a64b |
| SHA256: | 5aafd78c24d92f25dd27dfea5492fa2212d52586af05400e55853f3f2218de8d |
| Tags: | exeuser-adrian__luca |
| Infos: |  |
 | |
Detection
| Score: | 88 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
of5HklY9qP.exe (PID: 3048 cmdline: "C:\Users\ user\Deskt op\of5HklY 9qP.exe" MD5: 57E3EC29544A0C1841BA8C9BEF860CF9) 
RegSvcs.exe (PID: 7288 cmdline: "C:\Users\ user\Deskt op\of5HklY 9qP.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-11T04:25:47.550561+0100 | 2859087 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49737 | 163.5.32.40 | 7702 | TCP |
| 2025-01-11T04:26:08.907493+0100 | 2859087 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49873 | 163.5.32.40 | 7702 | TCP |
| 2025-01-11T04:26:30.277546+0100 | 2859087 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49977 | 163.5.32.40 | 7702 | TCP |
| 2025-01-11T04:26:51.672483+0100 | 2859087 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49979 | 163.5.32.40 | 7702 | TCP |
| 2025-01-11T04:27:13.032866+0100 | 2859087 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49980 | 163.5.32.40 | 7702 | TCP |
| 2025-01-11T04:27:34.459237+0100 | 2859087 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49981 | 163.5.32.40 | 7702 | TCP |
| 2025-01-11T04:27:55.835030+0100 | 2859087 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49982 | 163.5.32.40 | 7702 | TCP |
| 2025-01-11T04:28:17.199597+0100 | 2859087 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49983 | 163.5.32.40 | 7702 | TCP |
| 2025-01-11T04:28:38.601940+0100 | 2859087 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49984 | 163.5.32.40 | 7702 | TCP |
| 2025-01-11T04:29:00.003866+0100 | 2859087 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49985 | 163.5.32.40 | 7702 | TCP |
| 2025-01-11T04:29:21.376936+0100 | 2859087 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49986 | 163.5.32.40 | 7702 | TCP |
| 2025-01-11T04:29:42.753769+0100 | 2859087 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49987 | 163.5.32.40 | 7702 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_007D445A | |
| Source: | Code function: | 0_2_007DC6D1 | |
| Source: | Code function: | 0_2_007DC75C | |
| Source: | Code function: | 0_2_007DEF95 | |
| Source: | Code function: | 0_2_007DF0F2 | |
| Source: | Code function: | 0_2_007DF3F3 | |
| Source: | Code function: | 0_2_007D37EF | |
| Source: | Code function: | 0_2_007D3B12 | |
| Source: | Code function: | 0_2_007DBCBC | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | TCP traffic: | ||
| Source: | ASN Name: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 0_2_007E22EE | |
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Code function: | 0_2_007E4164 | |
| Source: | Code function: | 0_2_007E4164 | |
| Source: | Code function: | 0_2_007E3F66 | |
| Source: | Code function: | 0_2_007D001C | |
| Source: | Code function: | 0_2_007FCABC | |
System Summary | |
|---|
| Source: | Code function: | 0_2_00773B3A | |
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | memstr_65bf7f8f-8 | |
| Source: | String found in binary or memory: | memstr_d9e2d379-f | |
| Source: | String found in binary or memory: | memstr_32f0f130-f | |
| Source: | String found in binary or memory: | memstr_c96774e3-a | |
| Source: | Code function: | 0_2_007DA1EF | |
| Source: | Code function: | 0_2_007C85B0 | |
| Source: | Code function: | 0_2_007D51BD | |
| Source: | Code function: | 0_2_0079D975 | |
| Source: | Code function: | 0_2_0077FCE0 | |
| Source: | Code function: | 0_2_007921C5 | |
| Source: | Code function: | 0_2_007A62D2 | |
| Source: | Code function: | 0_2_007F03DA | |
| Source: | Code function: | 0_2_007A242E | |
| Source: | Code function: | 0_2_007925FA | |
| Source: | Code function: | 0_2_007CE616 | |
| Source: | Code function: | 0_2_007866E1 | |
| Source: | Code function: | 0_2_0077E6A0 | |
| Source: | Code function: | 0_2_007A878F | |
| Source: | Code function: | 0_2_007F0857 | |
| Source: | Code function: | 0_2_007A6844 | |
| Source: | Code function: | 0_2_00788808 | |
| Source: | Code function: | 0_2_007D8889 | |
| Source: | Code function: | 0_2_0079CB21 | |
| Source: | Code function: | 0_2_007A6DB6 | |
| Source: | Code function: | 0_2_00786F9E | |
| Source: | Code function: | 0_2_00783030 | |
| Source: | Code function: | 0_2_0079F1D9 | |
| Source: | Code function: | 0_2_00793187 | |
| Source: | Code function: | 0_2_00771287 | |
| Source: | Code function: | 0_2_00791484 | |
| Source: | Code function: | 0_2_00785520 | |
| Source: | Code function: | 0_2_00797696 | |
| Source: | Code function: | 0_2_00785760 | |
| Source: | Code function: | 0_2_00791978 | |
| Source: | Code function: | 0_2_007A9AB5 | |
| Source: | Code function: | 0_2_007F7DDB | |
| Source: | Code function: | 0_2_0079BDA6 | |
| Source: | Code function: | 0_2_00791D90 | |
| Source: | Code function: | 0_2_0077DF00 | |
| Source: | Code function: | 0_2_00783FE0 | |
| Source: | Code function: | 0_2_01333448 | |
| Source: | Code function: | 2_2_029BD2D0 | |
| Source: | Code function: | 2_2_029B4D19 | |
| Source: | Code function: | 2_2_029B1530 | |
| Source: | Code function: | 2_2_029B4D28 | |
| Source: | Code function: | 2_2_029B1550 | |
| Source: | Code function: | 2_2_04FB7668 | |
| Source: | Code function: | 2_2_04FBC1A8 | |
| Source: | Code function: | 2_2_04FBC918 | |
| Source: | Code function: | 2_2_04FB4689 | |
| Source: | Code function: | 2_2_04FB7658 | |
| Source: | Code function: | 2_2_04FB30C9 | |
| Source: | Code function: | 2_2_04FB406C | |
| Source: | Code function: | 2_2_04FBC197 | |
| Source: | Code function: | 2_2_04FBC2BA | |
| Source: | Code function: | 2_2_04FBBA40 | |
| Source: | Code function: | 2_2_04FBBA31 | |
| Source: | Code function: | 2_2_0512671B | |
| Source: | Code function: | 2_2_05124A38 | |
| Source: | Code function: | 2_2_05129558 | |
| Source: | Code function: | 2_2_05129257 | |
| Source: | Code function: | 2_2_05377B00 | |
| Source: | Code function: | 2_2_05377E27 | |
| Source: | Code function: | 2_2_05378B98 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_007DA06A | |
| Source: | Code function: | 0_2_007C81CB | |
| Source: | Code function: | 0_2_007C87E1 | |
| Source: | Code function: | 0_2_007DB333 | |
| Source: | Code function: | 0_2_007EEE0D | |
| Source: | Code function: | 0_2_007E83BB | |
| Source: | Code function: | 0_2_00774E89 | |
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
Data Obfuscation | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Code function: | 0_2_00774B37 | |
| Source: | Code function: | 0_2_0077C50D | |
| Source: | Code function: | 0_2_00798958 | |
| Source: | Code function: | 2_2_051210E9 | |
| Source: | Code function: | 0_2_007748D7 | |
| Source: | Code function: | 0_2_007F5376 | |
| Source: | Code function: | 0_2_00793187 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | API/Special instruction interceptor: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Evasive API call chain: | graph_0-102434 | ||
| Source: | API coverage: | ||
| Source: | Code function: | 0_2_007D445A | |
| Source: | Code function: | 0_2_007DC6D1 | |
| Source: | Code function: | 0_2_007DC75C | |
| Source: | Code function: | 0_2_007DEF95 | |
| Source: | Code function: | 0_2_007DF0F2 | |
| Source: | Code function: | 0_2_007DF3F3 | |
| Source: | Code function: | 0_2_007D37EF | |
| Source: | Code function: | 0_2_007D3B12 | |
| Source: | Code function: | 0_2_007DBCBC | |
| Source: | Code function: | 0_2_007749A0 | |
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_007E3F09 | |
| Source: | Code function: | 0_2_00773B3A | |
| Source: | Code function: | 0_2_007A5A7C | |
| Source: | Code function: | 0_2_00774B37 | |
| Source: | Code function: | 0_2_01333338 | |
| Source: | Code function: | 0_2_013332D8 | |
| Source: | Code function: | 0_2_01331C98 | |
| Source: | Code function: | 0_2_007C80A9 | |
| Source: | Code function: | 0_2_0079A155 | |
| Source: | Code function: | 0_2_0079A124 | |
| Source: | Memory allocated: | Jump to behavior | ||
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Code function: | 0_2_007C87B1 | |
| Source: | Code function: | 0_2_00773B3A | |
| Source: | Code function: | 0_2_007748D7 | |
| Source: | Code function: | 0_2_007D4C7F | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_007C7CAF | |
| Source: | Code function: | 0_2_007C874B | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_0079862B | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_007A4E87 | |
| Source: | Code function: | 0_2_007B1E06 | |
| Source: | Code function: | 0_2_007A3F3A | |
| Source: | Code function: | 0_2_007749A0 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_007E6283 | |
| Source: | Code function: | 0_2_007E6747 | |
| Source: | Code function: | 0_2_007A7AA1 | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 11 Disable or Modify Tools | 21 Input Capture | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Valid Accounts | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 21 Input Capture | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 2 Valid Accounts | 2 Obfuscated Files or Information | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 21 Access Token Manipulation | 1 DLL Side-Loading | NTDS | 126 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 212 Process Injection | 2 Valid Accounts | LSA Secrets | 241 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Virtualization/Sandbox Evasion | Cached Domain Credentials | 11 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 21 Access Token Manipulation | DCSync | 2 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 212 Process Injection | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 64% | Virustotal | Browse | ||
| 79% | ReversingLabs | Win32.Trojan.AutoItinject | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 163.5.32.40 | unknown | France | 56339 | EPITECHFR | true |
| Joe Sandbox version: | 42.0.0 Malachite |
| Analysis ID: | 1588704 |
| Start date and time: | 2025-01-11 04:24:47 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 8m 5s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 7 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | of5HklY9qP.exerenamed because original name is a hash value |
| Original Sample Name: | 5aafd78c24d92f25dd27dfea5492fa2212d52586af05400e55853f3f2218de8d.exe |
| Detection: | MAL |
| Classification: | mal88.evad.winEXE@3/2@0/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53
- Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing disassembly code.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
| Time | Type | Description |
|---|---|---|
| 22:25:47 | API Interceptor |
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| s-part-0017.t-0009.t-msedge.net | Get hash | malicious | GuLoader | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | Strela Downloader | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | Strela Downloader | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| EPITECHFR | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Python Stealer | Browse |
| ||
| Get hash | malicious | Python Stealer | Browse |
| ||
| Get hash | malicious | Python Stealer | Browse |
| ||
| Get hash | malicious | CobaltStrike | Browse |
| ||
| Get hash | malicious | CobaltStrike | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
|
⊘No context
⊘No context
| Process: | C:\Users\user\Desktop\of5HklY9qP.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 423936 |
| Entropy (8bit): | 7.970480458053438 |
| Encrypted: | false |
| SSDEEP: | 12288:lAqk00hIVsZVACEHAQ6/s3c3WdMHwrVIx:WDUVsrACtqIWd6wyx |
| MD5: | 9E8E6E8BF8B55809DDF551D1D16480E7 |
| SHA1: | C53DE93EBE69CF1F6E4A2FB210CF4DC87BF2F019 |
| SHA-256: | 15BFA8A34C8A324382A03B8C6B46DED860B2DBE912483C31FDFE59837998662B |
| SHA-512: | 1CE474B485A8EFD32BB74A5FF81C3F358D11F01C06758315D76CA09268D17C7DFF7947D80393BCD942292C91D155234D634DA3F4903FCF9282D16570724E7EDE |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\of5HklY9qP.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 423936 |
| Entropy (8bit): | 7.970480458053438 |
| Encrypted: | false |
| SSDEEP: | 12288:lAqk00hIVsZVACEHAQ6/s3c3WdMHwrVIx:WDUVsrACtqIWd6wyx |
| MD5: | 9E8E6E8BF8B55809DDF551D1D16480E7 |
| SHA1: | C53DE93EBE69CF1F6E4A2FB210CF4DC87BF2F019 |
| SHA-256: | 15BFA8A34C8A324382A03B8C6B46DED860B2DBE912483C31FDFE59837998662B |
| SHA-512: | 1CE474B485A8EFD32BB74A5FF81C3F358D11F01C06758315D76CA09268D17C7DFF7947D80393BCD942292C91D155234D634DA3F4903FCF9282D16570724E7EDE |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.319013668486431 |
| TrID: |
|
| File name: | of5HklY9qP.exe |
| File size: | 1'350'144 bytes |
| MD5: | 57e3ec29544a0c1841ba8c9bef860cf9 |
| SHA1: | c1c1ac0421a0b16d07c412f8957335348f24a64b |
| SHA256: | 5aafd78c24d92f25dd27dfea5492fa2212d52586af05400e55853f3f2218de8d |
| SHA512: | 0582a49ac257fb63551ef91085e36b2943527181377cfcb6ac0695d34926b3465b2bc483a1f3e8f2b1b0d04b76355f362cae7d310c45cbf4eaaf7294f51b9d68 |
| SSDEEP: | 24576:tu6J33O0c+JY5UZ+XC0kGso6FasX37NrlF4NjVS1uhiWY:fu0c++OCvkGs9FasXBrlgj8+Y |
| TLSH: | 8555DF2273DDC360CB769173BF69B7016EBF78614630B85B2F980D7DA950162262C7A3 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}. |
 | |
| Icon Hash: | aaf3e3e3938382a0 |
| Entrypoint: | 0x427dcd |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x674EDC7F [Tue Dec 3 10:25:03 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 1 |
| File Version Major: | 5 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 1 |
| Import Hash: | afcdf79be1557326c854b6e20cb900a7 |
| Instruction |
|---|
| call 00007F8FC4B15BAAh |
| jmp 00007F8FC4B08974h |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| push edi |
| push esi |
| mov esi, dword ptr [esp+10h] |
| mov ecx, dword ptr [esp+14h] |
| mov edi, dword ptr [esp+0Ch] |
| mov eax, ecx |
| mov edx, ecx |
| add eax, esi |
| cmp edi, esi |
| jbe 00007F8FC4B08AFAh |
| cmp edi, eax |
| jc 00007F8FC4B08E5Eh |
| bt dword ptr [004C31FCh], 01h |
| jnc 00007F8FC4B08AF9h |
| rep movsb |
| jmp 00007F8FC4B08E0Ch |
| cmp ecx, 00000080h |
| jc 00007F8FC4B08CC4h |
| mov eax, edi |
| xor eax, esi |
| test eax, 0000000Fh |
| jne 00007F8FC4B08B00h |
| bt dword ptr [004BE324h], 01h |
| jc 00007F8FC4B08FD0h |
| bt dword ptr [004C31FCh], 00000000h |
| jnc 00007F8FC4B08C9Dh |
| test edi, 00000003h |
| jne 00007F8FC4B08CAEh |
| test esi, 00000003h |
| jne 00007F8FC4B08C8Dh |
| bt edi, 02h |
| jnc 00007F8FC4B08AFFh |
| mov eax, dword ptr [esi] |
| sub ecx, 04h |
| lea esi, dword ptr [esi+04h] |
| mov dword ptr [edi], eax |
| lea edi, dword ptr [edi+04h] |
| bt edi, 03h |
| jnc 00007F8FC4B08B03h |
| movq xmm1, qword ptr [esi] |
| sub ecx, 08h |
| lea esi, dword ptr [esi+08h] |
| movq qword ptr [edi], xmm1 |
| lea edi, dword ptr [edi+08h] |
| test esi, 00000007h |
| je 00007F8FC4B08B55h |
| bt esi, 03h |
| jnc 00007F8FC4B08BA8h |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x810ac | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x149000 | 0x711c | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xc7000 | 0x810ac | 0x81200 | 59e979fb523f9dfb62e0412be8d524e7 | False | 0.949031567642788 | data | 7.937981103569764 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x149000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216 |
| RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027 |
| RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135 |
| RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333 |
| RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5 |
| RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388 |
| RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524 |
| RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918 |
| RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727 |
| RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496 |
| RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227 |
| RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9 |
| RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333 |
| RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103 |
| RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534 |
| RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282 |
| RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336 |
| RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698 |
| RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186 |
| RT_RCDATA | 0xcf7b8 | 0x78373 | data | 1.0003269679510483 | ||
| RT_GROUP_ICON | 0x147b2c | 0x76 | data | English | Great Britain | 0.6610169491525424 |
| RT_GROUP_ICON | 0x147ba4 | 0x14 | data | English | Great Britain | 1.25 |
| RT_GROUP_ICON | 0x147bb8 | 0x14 | data | English | Great Britain | 1.15 |
| RT_GROUP_ICON | 0x147bcc | 0x14 | data | English | Great Britain | 1.25 |
| RT_VERSION | 0x147be0 | 0xdc | data | English | Great Britain | 0.6181818181818182 |
| RT_MANIFEST | 0x147cbc | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823 |
| DLL | Import |
|---|---|
| WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect |
| VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW |
| WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW |
| COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create |
| MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W |
| WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW |
| PSAPI.DLL | GetProcessMemoryInfo |
| IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho |
| USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW |
| UxTheme.dll | IsThemeActive |
| KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA |
| USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW |
| GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath |
| COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW |
| ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW |
| SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish |
| ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity |
| OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | Great Britain |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-11T04:25:47.550561+0100 | 2859087 | ETPRO MALWARE Win32/zgRAT CnC Checkin | 1 | 192.168.2.10 | 49737 | 163.5.32.40 | 7702 | TCP |
| 2025-01-11T04:26:08.907493+0100 | 2859087 | ETPRO MALWARE Win32/zgRAT CnC Checkin | 1 | 192.168.2.10 | 49873 | 163.5.32.40 | 7702 | TCP |
| 2025-01-11T04:26:30.277546+0100 | 2859087 | ETPRO MALWARE Win32/zgRAT CnC Checkin | 1 | 192.168.2.10 | 49977 | 163.5.32.40 | 7702 | TCP |
| 2025-01-11T04:26:51.672483+0100 | 2859087 | ETPRO MALWARE Win32/zgRAT CnC Checkin | 1 | 192.168.2.10 | 49979 | 163.5.32.40 | 7702 | TCP |
| 2025-01-11T04:27:13.032866+0100 | 2859087 | ETPRO MALWARE Win32/zgRAT CnC Checkin | 1 | 192.168.2.10 | 49980 | 163.5.32.40 | 7702 | TCP |
| 2025-01-11T04:27:34.459237+0100 | 2859087 | ETPRO MALWARE Win32/zgRAT CnC Checkin | 1 | 192.168.2.10 | 49981 | 163.5.32.40 | 7702 | TCP |
| 2025-01-11T04:27:55.835030+0100 | 2859087 | ETPRO MALWARE Win32/zgRAT CnC Checkin | 1 | 192.168.2.10 | 49982 | 163.5.32.40 | 7702 | TCP |
| 2025-01-11T04:28:17.199597+0100 | 2859087 | ETPRO MALWARE Win32/zgRAT CnC Checkin | 1 | 192.168.2.10 | 49983 | 163.5.32.40 | 7702 | TCP |
| 2025-01-11T04:28:38.601940+0100 | 2859087 | ETPRO MALWARE Win32/zgRAT CnC Checkin | 1 | 192.168.2.10 | 49984 | 163.5.32.40 | 7702 | TCP |
| 2025-01-11T04:29:00.003866+0100 | 2859087 | ETPRO MALWARE Win32/zgRAT CnC Checkin | 1 | 192.168.2.10 | 49985 | 163.5.32.40 | 7702 | TCP |
| 2025-01-11T04:29:21.376936+0100 | 2859087 | ETPRO MALWARE Win32/zgRAT CnC Checkin | 1 | 192.168.2.10 | 49986 | 163.5.32.40 | 7702 | TCP |
| 2025-01-11T04:29:42.753769+0100 | 2859087 | ETPRO MALWARE Win32/zgRAT CnC Checkin | 1 | 192.168.2.10 | 49987 | 163.5.32.40 | 7702 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 11, 2025 04:25:47.528083086 CET | 49737 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:25:47.532896996 CET | 7702 | 49737 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:25:47.532994986 CET | 49737 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:25:47.545682907 CET | 49737 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:25:47.550448895 CET | 7702 | 49737 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:25:47.550560951 CET | 49737 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:25:47.555361986 CET | 7702 | 49737 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:26:08.895751953 CET | 7702 | 49737 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:26:08.896100998 CET | 49737 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:26:08.896724939 CET | 49737 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:26:08.896912098 CET | 49873 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:26:08.901567936 CET | 7702 | 49737 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:26:08.901695013 CET | 7702 | 49873 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:26:08.901782036 CET | 49873 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:26:08.902621984 CET | 49873 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:26:08.907416105 CET | 7702 | 49873 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:26:08.907493114 CET | 49873 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:26:08.912245035 CET | 7702 | 49873 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:26:28.890216112 CET | 49873 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:26:28.895029068 CET | 7702 | 49873 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:26:28.895179987 CET | 49873 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:26:28.900007010 CET | 7702 | 49873 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:26:30.266405106 CET | 7702 | 49873 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:26:30.266482115 CET | 49873 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:26:30.266638041 CET | 49873 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:26:30.266927958 CET | 49977 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:26:30.271493912 CET | 7702 | 49873 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:26:30.271821976 CET | 7702 | 49977 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:26:30.271900892 CET | 49977 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:26:30.272703886 CET | 49977 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:26:30.277477980 CET | 7702 | 49977 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:26:30.277545929 CET | 49977 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:26:30.282345057 CET | 7702 | 49977 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:26:51.639838934 CET | 7702 | 49977 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:26:51.639967918 CET | 49977 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:26:51.643862009 CET | 49977 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:26:51.648627996 CET | 49979 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:26:51.648683071 CET | 7702 | 49977 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:26:51.653584003 CET | 7702 | 49979 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:26:51.653727055 CET | 49979 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:26:51.667366982 CET | 49979 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:26:51.672224045 CET | 7702 | 49979 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:26:51.672482967 CET | 49979 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:26:51.677354097 CET | 7702 | 49979 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:27:13.017925978 CET | 7702 | 49979 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:27:13.020961046 CET | 49979 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:27:13.020961046 CET | 49979 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:27:13.021318913 CET | 49980 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:27:13.025815964 CET | 7702 | 49979 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:27:13.026176929 CET | 7702 | 49980 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:27:13.026662111 CET | 49980 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:27:13.027333021 CET | 49980 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:27:13.032196999 CET | 7702 | 49980 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:27:13.032866001 CET | 49980 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:27:13.037807941 CET | 7702 | 49980 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:27:29.577552080 CET | 49980 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:27:29.582648039 CET | 7702 | 49980 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:27:29.582714081 CET | 49980 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:27:29.587532997 CET | 7702 | 49980 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:27:34.441215038 CET | 7702 | 49980 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:27:34.443185091 CET | 49980 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:27:34.443373919 CET | 49980 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:27:34.443641901 CET | 49981 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:27:34.448183060 CET | 7702 | 49980 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:27:34.449959040 CET | 7702 | 49981 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:27:34.450098038 CET | 49981 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:27:34.454101086 CET | 49981 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:27:34.458913088 CET | 7702 | 49981 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:27:34.459237099 CET | 49981 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:27:34.464093924 CET | 7702 | 49981 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:27:37.123934031 CET | 49981 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:27:37.128858089 CET | 7702 | 49981 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:27:37.128926039 CET | 49981 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:27:37.133781910 CET | 7702 | 49981 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:27:37.827598095 CET | 49981 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:27:37.832582951 CET | 7702 | 49981 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:27:37.832696915 CET | 49981 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:27:37.837506056 CET | 7702 | 49981 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:27:37.983211994 CET | 49981 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:27:37.988275051 CET | 7702 | 49981 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:27:37.988348007 CET | 49981 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:27:37.993235111 CET | 7702 | 49981 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:27:39.311923981 CET | 49981 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:27:39.316997051 CET | 7702 | 49981 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:27:39.317050934 CET | 49981 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:27:39.321901083 CET | 7702 | 49981 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:27:50.827169895 CET | 49981 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:27:50.832667112 CET | 7702 | 49981 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:27:50.832710981 CET | 49981 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:27:50.838406086 CET | 7702 | 49981 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:27:52.764333010 CET | 49981 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:27:52.770684004 CET | 7702 | 49981 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:27:52.770786047 CET | 49981 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:27:52.777183056 CET | 7702 | 49981 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:27:53.890866995 CET | 49981 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:27:53.895800114 CET | 7702 | 49981 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:27:53.895931005 CET | 49981 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:27:53.901642084 CET | 7702 | 49981 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:27:55.819690943 CET | 7702 | 49981 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:27:55.819751978 CET | 49981 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:27:55.820003033 CET | 49981 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:27:55.820302010 CET | 49982 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:27:55.828353882 CET | 7702 | 49981 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:27:55.828367949 CET | 7702 | 49982 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:27:55.828516006 CET | 49982 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:27:55.829281092 CET | 49982 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:27:55.834901094 CET | 7702 | 49982 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:27:55.835030079 CET | 49982 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:27:55.841049910 CET | 7702 | 49982 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:27:57.451941967 CET | 49982 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:27:57.456943989 CET | 7702 | 49982 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:27:57.457025051 CET | 49982 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:27:57.461903095 CET | 7702 | 49982 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:28:07.077136040 CET | 49982 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:28:07.082175970 CET | 7702 | 49982 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:28:07.082241058 CET | 49982 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:28:07.087071896 CET | 7702 | 49982 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:28:08.280673981 CET | 49982 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:28:08.285593987 CET | 7702 | 49982 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:28:08.287019968 CET | 49982 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:28:08.291946888 CET | 7702 | 49982 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:28:12.717811108 CET | 49982 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:28:12.722758055 CET | 7702 | 49982 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:28:12.723015070 CET | 49982 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:28:12.727859020 CET | 7702 | 49982 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:28:13.530481100 CET | 49982 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:28:13.535449982 CET | 7702 | 49982 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:28:13.535501957 CET | 49982 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:28:13.540291071 CET | 7702 | 49982 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:28:14.327044964 CET | 49982 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:28:14.332022905 CET | 7702 | 49982 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:28:14.333095074 CET | 49982 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:28:14.338493109 CET | 7702 | 49982 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:28:17.188234091 CET | 7702 | 49982 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:28:17.188297033 CET | 49982 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:28:17.188771963 CET | 49983 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:28:17.188879013 CET | 49982 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:28:17.193672895 CET | 7702 | 49983 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:28:17.193684101 CET | 7702 | 49982 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:28:17.193773985 CET | 49983 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:28:17.194732904 CET | 49983 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:28:17.199553967 CET | 7702 | 49983 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:28:17.199596882 CET | 49983 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:28:17.204355955 CET | 7702 | 49983 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:28:28.452205896 CET | 49983 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:28:28.457077026 CET | 7702 | 49983 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:28:28.457138062 CET | 49983 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:28:28.461992025 CET | 7702 | 49983 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:28:38.583283901 CET | 7702 | 49983 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:28:38.583415985 CET | 49983 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:28:38.589719057 CET | 49983 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:28:38.590487957 CET | 49984 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:28:38.594511032 CET | 7702 | 49983 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:28:38.595334053 CET | 7702 | 49984 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:28:38.595396996 CET | 49984 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:28:38.597090006 CET | 49984 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:28:38.601888895 CET | 7702 | 49984 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:28:38.601939917 CET | 49984 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:28:38.606702089 CET | 7702 | 49984 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:28:54.937012911 CET | 49984 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:28:54.941978931 CET | 7702 | 49984 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:28:54.942075014 CET | 49984 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:28:54.946953058 CET | 7702 | 49984 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:28:56.713720083 CET | 49984 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:28:56.719296932 CET | 7702 | 49984 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:28:56.719388008 CET | 49984 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:28:56.724988937 CET | 7702 | 49984 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:28:59.436681032 CET | 49984 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:28:59.441613913 CET | 7702 | 49984 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:28:59.441745996 CET | 49984 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:28:59.446568966 CET | 7702 | 49984 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:28:59.991606951 CET | 7702 | 49984 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:28:59.991669893 CET | 49984 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:28:59.991827965 CET | 49984 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:28:59.992886066 CET | 49985 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:28:59.996599913 CET | 7702 | 49984 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:28:59.997642994 CET | 7702 | 49985 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:28:59.997708082 CET | 49985 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:28:59.999039888 CET | 49985 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:29:00.003822088 CET | 7702 | 49985 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:29:00.003865957 CET | 49985 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:29:00.008879900 CET | 7702 | 49985 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:29:00.874650002 CET | 49985 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:29:00.879565001 CET | 7702 | 49985 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:29:00.879625082 CET | 49985 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:29:00.884427071 CET | 7702 | 49985 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:29:05.499236107 CET | 49985 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:29:05.504275084 CET | 7702 | 49985 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:29:05.505671024 CET | 49985 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:29:05.510586023 CET | 7702 | 49985 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:29:12.311882973 CET | 49985 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:29:12.316704988 CET | 7702 | 49985 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:29:12.316768885 CET | 49985 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:29:12.321583033 CET | 7702 | 49985 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:29:21.363099098 CET | 7702 | 49985 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:29:21.363229990 CET | 49985 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:29:21.363878012 CET | 49985 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:29:21.363878965 CET | 49986 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:29:21.368642092 CET | 7702 | 49985 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:29:21.368716002 CET | 7702 | 49986 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:29:21.369250059 CET | 49986 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:29:21.372060061 CET | 49986 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:29:21.376857042 CET | 7702 | 49986 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:29:21.376935959 CET | 49986 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:29:21.381710052 CET | 7702 | 49986 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:29:25.811402082 CET | 49986 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:29:25.816252947 CET | 7702 | 49986 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:29:25.816350937 CET | 49986 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:29:25.821144104 CET | 7702 | 49986 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:29:28.796437025 CET | 49986 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:29:28.801445007 CET | 7702 | 49986 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:29:28.801496983 CET | 49986 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:29:28.806301117 CET | 7702 | 49986 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:29:30.125243902 CET | 49986 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:29:30.130220890 CET | 7702 | 49986 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:29:30.130290985 CET | 49986 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:29:30.135159016 CET | 7702 | 49986 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:29:42.452297926 CET | 49986 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:29:42.457659960 CET | 7702 | 49986 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:29:42.457720041 CET | 49986 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:29:42.462686062 CET | 7702 | 49986 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:29:42.739973068 CET | 7702 | 49986 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:29:42.740063906 CET | 49986 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:29:42.742054939 CET | 49986 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:29:42.742628098 CET | 49987 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:29:42.746942043 CET | 7702 | 49986 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:29:42.747565985 CET | 7702 | 49987 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:29:42.747652054 CET | 49987 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:29:42.748837948 CET | 49987 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:29:42.753714085 CET | 7702 | 49987 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:29:42.753768921 CET | 49987 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:29:42.758734941 CET | 7702 | 49987 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:29:49.983886003 CET | 49987 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:29:49.988789082 CET | 7702 | 49987 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:29:49.989116907 CET | 49987 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:29:49.993913889 CET | 7702 | 49987 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:29:50.663141012 CET | 49987 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:29:50.668389082 CET | 7702 | 49987 | 163.5.32.40 | 192.168.2.10 |
| Jan 11, 2025 04:29:50.668452978 CET | 49987 | 7702 | 192.168.2.10 | 163.5.32.40 |
| Jan 11, 2025 04:29:50.673331022 CET | 7702 | 49987 | 163.5.32.40 | 192.168.2.10 |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jan 11, 2025 04:25:41.491877079 CET | 1.1.1.1 | 192.168.2.10 | 0x578d | No error (0) | s-part-0017.t-0009.t-msedge.net | CNAME (Canonical name) | IN (0x0001) | false | ||
| Jan 11, 2025 04:25:41.491877079 CET | 1.1.1.1 | 192.168.2.10 | 0x578d | No error (0) | 13.107.246.45 | A (IP address) | IN (0x0001) | false |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 22:25:44 |
| Start date: | 10/01/2025 |
| Path: | C:\Users\user\Desktop\of5HklY9qP.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x770000 |
| File size: | 1'350'144 bytes |
| MD5 hash: | 57E3EC29544A0C1841BA8C9BEF860CF9 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 22:25:45 |
| Start date: | 10/01/2025 |
| Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x7c0000 |
| File size: | 45'984 bytes |
| MD5 hash: | 9D352BC46709F0CB5EC974633A0C3C94 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | high |
| Has exited: | false |
Execution Graph
| Execution Coverage: | 3.4% |
| Dynamic/Decrypted Code Coverage: | 0.4% |
| Signature Coverage: | 10.2% |
| Total number of Nodes: | 2000 |
| Total number of Limit Nodes: | 152 |
Graph
Function 00773B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007749A0 Relevance: 10.7, APIs: 7, Instructions: 223COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0077FCE0 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007D445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007809D0 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007D9155 Relevance: 19.8, APIs: 13, Instructions: 322fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0077301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73windowregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00773041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54windowregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0077708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00773A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71windowregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00773633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151windowtimeregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01332428 Relevance: 10.7, APIs: 7, Instructions: 239fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 013321D8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 152fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0077407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007735B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0079470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007ECADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0077F76F Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0077434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0079571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007D8D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00777A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007747D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00790C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007AFCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00777B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00774DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007AFD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0079072A Relevance: 1.6, APIs: 1, Instructions: 59COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00794863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00774E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00790791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0079525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 013320C8 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007FCABC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 632windowkeyboardCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007748D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007DC75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007DEF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007F0857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007DF0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007DA1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007866E1 Relevance: 20.9, Strings: 16, Instructions: 889COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007E83BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007E4164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007D37EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007DF3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00785760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007D3B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007D51BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007E6283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007C85B0 Relevance: 9.1, APIs: 6, Instructions: 61processCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00785520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00771287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007DBCBC Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007F5376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007C80A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00774B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007CE616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007DB333 Relevance: 4.6, APIs: 3, Instructions: 73COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007C87E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007C874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007DC6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007DA06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007C81CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0077E6A0 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0079F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007A242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007D8889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007C87B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0079A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00788808 Relevance: .6, Instructions: 590COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007921C5 Relevance: .3, Instructions: 345COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007925FA Relevance: .3, Instructions: 341COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00791978 Relevance: .3, Instructions: 323COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01333448 Relevance: .1, Instructions: 92COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01333338 Relevance: .0, Instructions: 35COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 013332D8 Relevance: .0, Instructions: 35COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01331C98 Relevance: .0, Instructions: 6COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007F356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007FA5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00772C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007E74AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007F9A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007F89D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007F488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007727D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007CA439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007E4FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007FA1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007FC5FE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007D7D1A Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 378timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007F4392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007FB7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007DDC1A Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007CF8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007FC1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007E731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007CF7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007D46B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007D4F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007DD58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007CC267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0077201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007721A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007F7152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007F74BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00796E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007E5732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007C8F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007C907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007C9163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007E88AB Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007D7990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0077FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00772E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007E1A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007E8C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007F8645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007C966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007F6D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007D2F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007D42F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00772A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007D70C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007F61D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007CBBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00771424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007D55FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007D3671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007F7291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007F62CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007CDAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007CDBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007F75CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00799AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0079406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007D64B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007F5799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007CEEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007D220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00771765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007FB69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007E709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007C8879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007C85B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007CB790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007D7230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007C8992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007D2A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007CD56C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007D2753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007C8E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007E182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007F63E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007D6D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007D6E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007D1142 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51sleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007EEB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007DE571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007FA056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007C63AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007CB1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007FB14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007C9307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007E5A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007712F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007CBC9E Relevance: 7.6, APIs: 5, Instructions: 61COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007D4A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007C8202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007C710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007D5244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007C810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007713B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007C97F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007F73D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007F7B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007F6CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007F770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00774C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00774C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007F0DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007E90E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007C717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007EE02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007E8093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007C7530 Relevance: 6.2, APIs: 4, Instructions: 231COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007C687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007D955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007F97F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007C9A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007E641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007DB7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007F8851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007FAB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007F4EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007D3C55 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007FC498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007C8656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0079098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007E1767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007D3A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007CDCBE Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007E6369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007C8B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00771290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00771D35 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007FB2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007FB635 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007D6BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007FBD1C Relevance: 6.0, APIs: 4, Instructions: 31COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00772218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007C8712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007B1D5D Relevance: 6.0, APIs: 4, Instructions: 20COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007B1D71 Relevance: 6.0, APIs: 4, Instructions: 19COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007DAFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00782957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007E258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007F7A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007D28A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007F66D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007F6920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007D29AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007E21D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007C8E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007C8CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007C8D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007C7C74 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007F5964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007F5998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|