Windows
Analysis Report
aS39AS7b0P.exe
Overview
General Information
Sample name: | aS39AS7b0P.exe (renamed because the original name is a hash value) |
Original sample name: | de7e8561b2cf84f247a1f76a1fb4f1a53b5fd18b093d880bf563fd1b55a97d71.exe |
Analysis ID: | 1589073 |
MD5: | 10f089d7b9e39a47f1ba6e9ca2086d25 |
SHA1: | 9fd173cf8141ed645d09cf87ccd569994c926eff |
SHA256: | de7e8561b2cf84f247a1f76a1fb4f1a53b5fd18b093d880bf563fd1b55a97d71 |
Tags: | exe, SnakeKeylogger, user-adrian__luca |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- aS39AS7b0P.exe (PID: 7344, cmdline: "C:\Users\user\Desktop\aS39AS7b0P.exe", MD5: 10F089D7B9E39A47F1BA6E9CA2086D25)
  - RegSvcs.exe (PID: 7364, cmdline: "C:\Users\user\Desktop\aS39AS7b0P.exe", MD5: 9D352BC46709F0CB5EC974633A0C3C94)
- cleanup
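The process tree shows the classic .NET-utility hollowing pattern: the AutoIt-compiled sample (scanner label Win32.Trojan.AutoitInject in the scanner table below) starts the Framework tool RegSvcs.exe, but the child's command line is still the sample's own path. The Python below is an added example by the editor, not code from the report or from Joe Security; it runs that check over Sysmon Event ID 1 style process-creation records. The records are constructed to mirror the tree (PID 7344 starting PID 7364) plus two benign events; the full RegSvcs.exe path, the list of abused .NET host utilities and the user-writable directory list are assumptions, not taken from the report.

```python
"""
Detect the RegSvcs.exe process-hollowing pattern from the process tree above
in Sysmon Event ID 1 (process creation) records.

Added example by the editor; not part of the Joe Sandbox report. Field names
follow Sysmon's Event ID 1 schema. The records below are constructed; the
RegSvcs.exe path and the two lists are assumptions, not report data.
"""
import ntpath
import re
from typing import Dict, List

# .NET Framework utilities commonly used as hollowing targets (T1055.012). Assumed list.
DOTNET_HOST_UTILS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "applaunch.exe"}

# Directory fragments an unprivileged user can write to. Assumed list.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

# First token of a command line: either a quoted path or a bare word.
_FIRST_TOKEN = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one pipe-separated 'Field: value' record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def command_line_image(cmdline: str) -> str:
    """Return the executable a command line claims to run (quotes stripped)."""
    m = _FIRST_TOKEN.match(cmdline)
    if not m:
        return ""
    return m.group(1) or m.group(2)


def hollowing_reasons(ev: Dict[str, str]) -> List[str]:
    """Return the indicators that fire for one event; empty list means benign."""
    image = ntpath.basename(ev.get("Image", "")).lower()
    if image not in DOTNET_HOST_UTILS:
        return []                      # only the hollowing targets are of interest
    reasons = ["dotnet_host_utility"]
    claimed = ntpath.basename(command_line_image(ev.get("CommandLine", ""))).lower()
    if claimed and claimed != image:
        # The loader kept its own command line when it spawned the target suspended,
        # which is exactly what the report's tree shows for PID 7364.
        reasons.append("commandline_image_mismatch")
    parent = ev.get("ParentImage", "").lower()
    if any(frag in parent for frag in USER_WRITABLE):
        reasons.append("user_writable_parent")
    # The utility alone is normal; require at least one corroborating indicator.
    return reasons if len(reasons) > 1 else []


def detect(lines: List[str]) -> List[Dict[str, object]]:
    """Run the check over raw records and return the hits with their reasons."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = hollowing_reasons(ev)
        if reasons:
            hits.append({"pid": ev["ProcessId"], "parent_pid": ev["ParentProcessId"],
                         "image": ev["Image"], "reasons": reasons})
    return hits


# Constructed records; the first mirrors the report's process tree (times in UTC).
SAMPLE_EVENTS = [
    'UtcTime: 2025-01-11 08:12:35.000|ProcessId: 7364|Image: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe'
    '|CommandLine: "C:\\Users\\user\\Desktop\\aS39AS7b0P.exe"|ParentProcessId: 7344|ParentImage: C:\\Users\\user\\Desktop\\aS39AS7b0P.exe',
    'UtcTime: 2025-01-11 08:20:01.000|ProcessId: 5120|Image: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe'
    '|CommandLine: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe" /u C:\\Program Files\\Vendor\\Service.dll'
    '|ParentProcessId: 1234|ParentImage: C:\\Windows\\System32\\msiexec.exe',
    'UtcTime: 2025-01-11 08:21:10.000|ProcessId: 6001|Image: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe'
    '|CommandLine: "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"|ParentProcessId: 4000|ParentImage: C:\\Windows\\explorer.exe',
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

A legitimate RegSvcs.exe run (an installer registering a component) carries its own path in the command line and a parent under C:\Windows, so it produces no finding. A loader that spawns the target with the correct command line is only caught by the parent-path indicator; pair this with Sysmon Event ID 8 (CreateRemoteThread) and 10 (ProcessAccess) records, which are most likely the endpoint-side view of the "Memory written" and "Process created" rows in the HIPS / PFW section below.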
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
404 Keylogger, Snake Keylogger | Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger with many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email (SMTP), FTP, Pastebin or the messaging app Telegram; the configuration extracted from this sample (below) uses the Telegram mode. | No Attribution | | |
{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7591642187:AAF3F6-zxp3HwWsP9s4_QJW4W-aEGhjsvDI/sendMessage?chat_id=6557702940", "Token": "7591642187:AAF3F6-zxp3HwWsP9s4_QJW4W-aEGhjsvDI", "Chat_id": "6557702940", "Version": "5.1"}
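The extracted configuration above is the most actionable artefact in the report: a Telegram bot token and chat id on which the malware calls sendMessage over HTTPS. The following Python is an added example by the editor, not part of the Joe Sandbox report or of any vendor tooling. It cross-checks the extractor's fields against the URL, pulls the same kind of URL out of a raw strings or memory dump (the .NET payload keeps strings as UTF-16LE, so both encodings are scanned), defangs it with the secret half of the token masked, and emits a Suricata rule. The dump is constructed; the token, chat id and api.telegram.org host are the report's; the sid 9001001 and all function names are the editor's choices.

```python
"""
Work with the Telegram exfiltration configuration the sandbox extracted above.

Added example by the editor; not part of the Joe Sandbox report or any vendor
tooling. The dump below is constructed; token and chat_id are the report's.
"""
import json
import re
from typing import Dict, List

# The configuration line from the report, parsed as JSON.
REPORT_CONFIG = json.loads(
    '{"Exfil Mode": "Telegram", '
    '"Telegram URL": "https://api.telegram.org/bot7591642187:AAF3F6-zxp3HwWsP9s4_QJW4W-aEGhjsvDI'
    '/sendMessage?chat_id=6557702940", '
    '"Token": "7591642187:AAF3F6-zxp3HwWsP9s4_QJW4W-aEGhjsvDI", "Chat_id": "6557702940", "Version": "5.1"}'
)

# Bot tokens are "<numeric bot id>:<35 chars of [A-Za-z0-9_-]>"; chat ids can be negative (groups).
TG_URL_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]{35})"
    r"/(?P<method>[A-Za-z]+)\?chat_id=(?P<chat>-?\d+)"
)


def check_config(cfg: Dict[str, str]) -> Dict[str, str]:
    """Verify Token/Chat_id agree with the URL and return the normalised fields."""
    m = TG_URL_RE.fullmatch(cfg["Telegram URL"])
    if m is None:
        raise ValueError("Telegram URL is not a bot API call with a chat_id")
    if m["token"] != cfg["Token"] or m["chat"] != cfg["Chat_id"]:
        raise ValueError("Token/Chat_id fields disagree with the URL")
    return {"bot_id": m["token"].split(":", 1)[0], "chat_id": m["chat"],
            "method": m["method"], "mode": cfg["Exfil Mode"], "version": cfg["Version"]}


def find_telegram_exfil(blob: bytes) -> List[Dict[str, str]]:
    """Scan a raw dump for bot API URLs in both 8-bit and UTF-16LE encodings, de-duplicated."""
    seen = {}
    for text in (blob.decode("latin-1"), blob.decode("utf-16-le", errors="ignore")):
        for m in TG_URL_RE.finditer(text):
            seen[(m["token"], m["chat"], m["method"])] = m.groupdict()
    return [seen[k] for k in sorted(seen)]


def defang_telegram(url: str) -> str:
    """Defang the URL and mask the secret half of the token so it can be shared."""
    m = TG_URL_RE.search(url)
    if m is None:
        raise ValueError("not a Telegram bot URL")
    bot_id, secret = m["token"].split(":", 1)
    masked = f"{bot_id}:{secret[:4]}{'*' * (len(secret) - 4)}"
    return f"hxxps://api[.]telegram[.]org/bot{masked}/{m['method']}?chat_id={m['chat']}"


def sni_rule(sid: int, msg: str = "Snake Keylogger style Telegram bot API traffic") -> str:
    """Suricata rule on the only on-the-wire observable, the TLS SNI.
    Token and chat_id travel inside TLS and cannot be matched without interception."""
    return (f'alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"{msg}"; '
            'flow:established,to_server; tls.sni; content:"api.telegram.org"; nocase; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')


# Constructed dump: the URL once as UTF-16LE (how .NET keeps strings) amid padding,
# and once as ASCII, to show that both encodings are found and merged into one hit.
SAMPLE_DUMP = (b"\x00" * 8 + REPORT_CONFIG["Telegram URL"].encode("utf-16-le") + b"\x00" * 8
               + b"junk" + REPORT_CONFIG["Telegram URL"].encode("ascii") + b"\x00junk\x00")

if __name__ == "__main__":
    print(check_config(REPORT_CONFIG))
    for hit in find_telegram_exfil(SAMPLE_DUMP):
        print(defang_telegram(f"https://api.telegram.org/bot{hit['token']}/{hit['method']}?chat_id={hit['chat']}"))
    print(sni_rule(9001001))
```

The rule matches on the TLS SNI only, so it fires on any Telegram bot API use from the host, not just this sample; it is best paired with the memory and strings check, which is where the token and chat id are actually visible. Treat the token as a live credential for the attacker's bot and circulate it defanged.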
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
| JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security | |
| Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown | |
| MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | |
First 5 of 16 entries shown.
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
| JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security | |
| Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown | |
| MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | |
First 5 of 15 entries shown.
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-11T09:12:39.326128+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 104.21.112.1 | 443 | TCP |
2025-01-11T09:12:46.406487+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49742 | 104.21.112.1 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-11T09:12:37.633234+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49730 | 158.101.44.242 | 80 | TCP |
2025-01-11T09:12:38.726915+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49730 | 158.101.44.242 | 80 | TCP |
2025-01-11T09:12:40.105937+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49733 | 158.101.44.242 | 80 | TCP |
The signature rows below keep the evidence type and, for code-level signatures, the flagged address; the signature descriptions are not included in this extract. Address prefixes index the analysed processes in the order of the tree above: 0_ is aS39AS7b0P.exe (PID 7344), 1_ is RegSvcs.exe (PID 7364).

AV Detection |
---|
- Malware Configuration Extractor: 1 entry (the configuration shown above)
- ReversingLabs: 1 entry
- Virustotal: 1 entry (perma link in the full report)
- Integrated Neural Analysis Model: 1 entry
- Joe Sandbox ML: 1 entry
Location Tracking |
---|
- DNS query: 1 entry
- Static PE information: 1 entry
- HTTPS traffic detected: 1 entry
- Binary string: 2 entries
- Code function (aS39AS7b0P.exe): 0_2_007E6CA9, 0_2_007E60DD, 0_2_007E63F9, 0_2_007EEB60, 0_2_007EF56F, 0_2_007EF5FA, 0_2_007F1B2F, 0_2_007F1C8A, 0_2_007F1F94
- Code function (RegSvcs.exe): 1_2_00C1F007 (2 entries), 1_2_00C1E528
Networking |
---|
- File source: 3 entries
- TCP traffic: 1 entry
- HTTP traffic detected: 8 entries
- IP Address: 3 entries
- JA3 fingerprint: 1 entry
- DNS query: 2 entries
- Suricata IDS: 4 entries
- HTTP traffic detected: 9 entries
- HTTPS traffic detected: 1 entry
- TCP traffic detected without corresponding DNS query: 4 entries
- UDP traffic detected without corresponding DNS query: 3 entries
- Code function: 0_2_007F4EB5
- HTTP traffic detected: 17 entries
- DNS traffic detected: 3 entries
- String found in binary or memory: 11 entries
- Network traffic detected: 16 entries
- Code function (one signature each): 0_2_007F6B0C, 0_2_007F6D07, 0_2_007F6B0C, 0_2_007E2B37, 0_2_0080F7FF
System Summary |
---|
(Signature rows from System Summary up to Malware Analysis System Evasion; the headings of the intermediate categories are not included in this extract.)
- Matched rule: 22 entries
- Code function: 0_2_007A3D19
- String found in binary or memory: 5 entries (memstr_6402740f-2, memstr_aadd8a01-3, memstr_5e153ab8-b, memstr_1d4f7b29-9)
- Code function: 0_2_007E6606
- Code function: 0_2_007DACC5
- Code function: 0_2_007E79D3
- Code function (aS39AS7b0P.exe): 0_2_007CB043, 0_2_007D410F, 0_2_007C02A4, 0_2_007AE3B0, 0_2_007D038E, 0_2_007D467F, 0_2_007C06D9, 0_2_0080AACE, 0_2_007D4BEF, 0_2_007CCCC1, 0_2_007AAF50, 0_2_007A6F07, 0_2_008031BC, 0_2_007BB11F, 0_2_007CD1B9, 0_2_007D724D, 0_2_007C123A, 0_2_007B3200, 0_2_007A93F0, 0_2_007E13CA, 0_2_007BF563, 0_2_007EB6CC, 0_2_007A96C0, 0_2_0080F7FF, 0_2_007A77B0, 0_2_007D79C9, 0_2_007BFA57, 0_2_007B3B70, 0_2_007A9B60, 0_2_007A7D19, 0_2_007BFE6F, 0_2_007C9ED0, 0_2_007A7FA3, 0_2_01563068
- Code function (RegSvcs.exe): 1_2_00C1F007, 1_2_00C1C190, 1_2_00C16108, 1_2_00C1B328, 1_2_00C1C470, 1_2_00C19540, 1_2_00C1C752, 1_2_00C16730, 1_2_00C14AD9, 1_2_00C1CA32, 1_2_00C1BBD2, 1_2_00C1BEB0, 1_2_00C1B4F2, 1_2_00C13572, 1_2_00C1E517, 1_2_00C1E528
- Binary or memory string: 3 entries
- Static PE information: 1 entry
- Matched rule: 22 entries
- Classification label: 1 entry (the label is given in the analysis metadata below)
- Code function: 0_2_007ECE7A
- Code function: 0_2_007DAB84, 0_2_007DB134
- Code function: 0_2_007EE1FD
- Code function: 0_2_007E6532
- Code function: 0_2_007FC18C
- Code function: 0_2_007A406B
- Mutant created: 1 entry
- File created: 1 entry
- Static PE information: 1 entry
- Key opened: 1 entry
- Binary or memory string: 1 entry
- ReversingLabs: 1 entry; Virustotal: 1 entry
- Process created: 3 entries
- Section loaded: 12 entries
- Key opened: 1 entry
- Static PE information: 6 entries
- Static PE information: 1 entry
- Binary string: 2 entries
- Static PE information: 5 entries
- Code function: 0_2_007BE01E
- Code function: 0_2_007CC0A0, 0_2_007CC189, 0_2_0080C8BE, 0_2_007C6B18, 0_2_007EB2B3, 0_2_007CBDAC, 0_2_007CBEC5
- Code function: 0_2_00808111, 0_2_007BEB42
- Code function: 0_2_007C123A
- Process information set: 60 entries
Malware Analysis System Evasion |
---|
- API/Special instruction interceptor: 1 entry
- Binary or memory string: 1 entry
- Thread delayed: 51 entries
- Window / User API: 2 entries
- Evaded block: graph_0-93432
- Evasive API call chain: graph_0-94064
- API coverage: 1 entry
- Code function: 0_2_007E6CA9, 0_2_007E60DD, 0_2_007E63F9, 0_2_007EEB60, 0_2_007EF56F, 0_2_007EF5FA, 0_2_007F1B2F, 0_2_007F1C8A, 0_2_007F1F94
- Code function: 0_2_007BDDC0
- Thread delayed: 51 entries
- Binary or memory string: 1 entry
- Code function: 0_2_007F6AAF
- Code function: 0_2_007A3D19
- Code function: 0_2_007D3920
- Code function: 0_2_007BE01E
- Code function: 0_2_015618C8, 0_2_01562F58, 0_2_01562EF8
- Code function: 0_2_007DA66C
- Code function: 0_2_007C81AC, 0_2_007C8189
- Memory allocated: 1 entry
HIPS / PFW / Operating System Protection Evasion |
---|
- Section loaded: 1 entry
- Memory written: 1 entry
- Code function: 0_2_007DB106
- Code function: 0_2_007A3D19
- Code function: 0_2_007E411C
- Code function: 0_2_007E74E7
- Process created: 1 entry
- Code function: 0_2_007DA66C
- Code function: 0_2_007E71FA
- Binary or memory string: 2 entries
- Code function: 0_2_007C65C4
- Queries volume information: 7 entries
- Code function: 0_2_007F091D
- Code function: 0_2_0081B340
- Code function: 0_2_007D1E8E
- Code function: 0_2_007BDDC0
- Key value queried: 1 entry
- Binary or memory string: 1 entry
Stealing of Sensitive Information |
---|
- File source: 9 entries
- File opened: 2 entries
- File opened: 1 entry
- Key opened: 1 entry
- Binary or memory string: 7 entries
- File source: 7 entries
Remote Access Functionality |
---|
- File source: 9 entries
- Code function: 0_2_007F8C4F, 0_2_007F923B
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 3 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 11 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Valid Accounts | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 2 Valid Accounts | 3 Obfuscated Files or Information | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 21 Access Token Manipulation | 1 DLL Side-Loading | NTDS | 127 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 212 Process Injection | 2 Valid Accounts | LSA Secrets | 241 Security Software Discovery | SSH | 3 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Virtualization/Sandbox Evasion | Cached Domain Credentials | 11 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 21 Access Token Manipulation | DCSync | 2 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 212 Process Injection | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 71% | ReversingLabs | Win32.Trojan.AutoitInject | |
| 70% | Virustotal | | |
| 100% | Joe Sandbox ML | | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | Avira URL Cloud | safe | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
reallyfreegeoip.org | 104.21.112.1 | true | false | high | |
checkip.dyndns.com | 158.101.44.242 | true | false | high | |
18.31.95.13.in-addr.arpa | unknown | unknown | false | high | |
checkip.dyndns.org | unknown | unknown | false | high |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
104.21.112.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false |
158.101.44.242 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1589073 |
Start date and time: | 2025-01-11 09:11:42 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 7m 58s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 6 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | aS39AS7b0P.exe (renamed because original name is a hash value) |
Original Sample Name: | de7e8561b2cf84f247a1f76a1fb4f1a53b5fd18b093d880bf563fd1b55a97d71.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@3/2@3/2 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.95.31.18, 20.12.23.50, 4.175.87.197, 13.107.246.45
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target RegSvcs.exe, PID 7364 because it is empty
- Not all processes were analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing disassembly code.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description |
---|---|---|
03:12:37 | API Interceptor | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
104.21.112.1 | | Get hash | malicious | FormBook | Browse | |
| | Get hash | malicious | FormBook | Browse | |
| | Get hash | malicious | FormBook | Browse | |
| | Get hash | malicious | FormBook | Browse | |
| | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | |
| | Get hash | malicious | CMSBrute | Browse | |
158.101.44.242 | | Get hash | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | Browse | |
| | Get hash | malicious | MassLogger RAT | Browse | |
| | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |
| | Get hash | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | Browse | |
| | Get hash | malicious | MassLogger RAT | Browse | |
| | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | |
| | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | |
| | Get hash | malicious | Snake Keylogger | Browse | |
| | Get hash | malicious | GuLoader | Browse | |
| | Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
checkip.dyndns.com | | Get hash | malicious | MassLogger RAT | Browse | |
| | Get hash | malicious | Snake Keylogger | Browse | |
| | Get hash | malicious | MassLogger RAT | Browse | |
| | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |
| | Get hash | malicious | MassLogger RAT | Browse | |
| | Get hash | malicious | GuLoader, MassLogger RAT | Browse | |
| | Get hash | malicious | Snake Keylogger | Browse | |
| | Get hash | malicious | MassLogger RAT | Browse | |
| | Get hash | malicious | GuLoader, MassLogger RAT | Browse | |
| | Get hash | malicious | GuLoader, MassLogger RAT | Browse | |
reallyfreegeoip.org | | Get hash | malicious | MassLogger RAT | Browse | |
| | Get hash | malicious | Snake Keylogger | Browse | |
| | Get hash | malicious | MassLogger RAT | Browse | |
| | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |
| | Get hash | malicious | MassLogger RAT | Browse | |
| | Get hash | malicious | GuLoader, MassLogger RAT | Browse | |
| | Get hash | malicious | Snake Keylogger | Browse | |
| | Get hash | malicious | MassLogger RAT | Browse | |
| | Get hash | malicious | GuLoader, MassLogger RAT | Browse | |
| | Get hash | malicious | GuLoader, MassLogger RAT | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
ORACLE-BMC-31898US | | Get hash | malicious | MassLogger RAT | Browse | |
| | Get hash | malicious | Snake Keylogger | Browse | |
| | Get hash | malicious | MassLogger RAT | Browse | |
| | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |
| | Get hash | malicious | Snake Keylogger | Browse | |
| | Get hash | malicious | MassLogger RAT | Browse | |
| | Get hash | malicious | GuLoader, MassLogger RAT | Browse | |
| | Get hash | malicious | GuLoader, MassLogger RAT | Browse | |
| | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |
| | Get hash | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | MassLogger RAT | Browse | |
| | Get hash | malicious | Snake Keylogger | Browse | |
| | Get hash | malicious | StormKitty | Browse | |
| | Get hash | malicious | AgentTesla | Browse | |
| | Get hash | malicious | MassLogger RAT | Browse | |
| | Get hash | malicious | FormBook | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |
| | Get hash | malicious | XWorm | Browse | |
| | Get hash | malicious | LummaC | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
54328bd36c14bd82ddaa0c04b25ed9ad | | Get hash | malicious | MassLogger RAT | Browse | |
| | Get hash | malicious | Snake Keylogger | Browse | |
| | Get hash | malicious | MassLogger RAT | Browse | |
| | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |
| | Get hash | malicious | MassLogger RAT | Browse | |
| | Get hash | malicious | GuLoader, MassLogger RAT | Browse | |
| | Get hash | malicious | Snake Keylogger | Browse | |
| | Get hash | malicious | MassLogger RAT | Browse | |
| | Get hash | malicious | GuLoader, MassLogger RAT | Browse | |
| | Get hash | malicious | GuLoader, MassLogger RAT | Browse | |
Process: | C:\Users\user\Desktop\aS39AS7b0P.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 88964 |
Entropy (8bit): | 7.894440044316975 |
Encrypted: | false |
SSDEEP: | 1536:XcyMgxxM8wvHTremAcAOT217UuVRamiYlVO7k0zLXZpMoaIXV5F:XLxi/73Fq1iZYlVOrXE83F |
MD5: | 172B0CA42FD98669A39C0340E7E4D32D |
SHA1: | D24880FD0F34199B96495503464A1A3A64C463C0 |
SHA-256: | C08E9EF93553ACF96F6E348FC81A4A5012BF23AFA2BA2965008B4CA57892F528 |
SHA-512: | BC98219E385C814A7BD5F4D75CE15541445DBCAD124F42FA8C9E4AD4196B703C383D01BF290C8B5EAEF7B17A81C2362F419D2220722322581612A6FD0C8ADB1C |
Malicious: | false |
Reputation: | low |
Process: | C:\Users\user\Desktop\aS39AS7b0P.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 133632 |
Entropy (8bit): | 6.911280006088806 |
Encrypted: | false |
SSDEEP: | 3072:LNMCqaQDDi4ien8lpn35aIq/HzHP5Dfy32UJIRWI:5MCqJDqBT35YjjJ |
MD5: | D55209F113CBF203F0226993DFB8B0B3 |
SHA1: | 7D3A01B3885A1E91BD0F3465B718326EF8AD33D0 |
SHA-256: | F14DD55537E0C3BC3358610F7305351CBD8AC05CC1A81772653FDB8B81B1CE17 |
SHA-512: | 5FB50860677A083BE7F476D508C5CB5D34885C58F66A5E99C1CDDED410196BA5C9D9BA9C8F50E263629595E976255DF5BC409C055F0A0CE423E076872D709C0C |
Malicious: | false |
Reputation: | low |
File type: | |
Entropy (8bit): | 6.890678571997542 |
TrID: | |
File name: | aS39AS7b0P.exe |
File size: | 1'025'536 bytes |
MD5: | 10f089d7b9e39a47f1ba6e9ca2086d25 |
SHA1: | 9fd173cf8141ed645d09cf87ccd569994c926eff |
SHA256: | de7e8561b2cf84f247a1f76a1fb4f1a53b5fd18b093d880bf563fd1b55a97d71 |
SHA512: | 2e7ad3ef6f8bc4ab620974450e85eb96307952a118c36637b653a3330d495f87c8c88f1c07e33117b130501761ddd42273897f62c083396058b3a2c0b931080a |
SSDEEP: | 24576:4tb20pkaCqT5TBWgNQ7aq93uFD82aSx6A:BVg5tQ7aqaTaa5 |
TLSH: | F225BF1373DE8361C3B25273BA65B741AEBF782506B1F56B2FD4093DE920122521EA73 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich........... |
Icon Hash: | aaf3e3e3938382a0 |
Entrypoint: | 0x425f74 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x6748F70D [Thu Nov 28 23:04:45 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 1 |
File Version Major: | 5 |
File Version Minor: | 1 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 1 |
Import Hash: | 3d95adbf13bbe79dc24dccb401c12091 |
Instruction |
---|
call 00007EFEC8F52F3Fh |
jmp 00007EFEC8F45F54h |
int3 |
int3 |
push edi |
push esi |
mov esi, dword ptr [esp+10h] |
mov ecx, dword ptr [esp+14h] |
mov edi, dword ptr [esp+0Ch] |
mov eax, ecx |
mov edx, ecx |
add eax, esi |
cmp edi, esi |
jbe 00007EFEC8F460DAh |
cmp edi, eax |
jc 00007EFEC8F4643Eh |
bt dword ptr [004C0158h], 01h |
jnc 00007EFEC8F460D9h |
rep movsb |
jmp 00007EFEC8F463ECh |
cmp ecx, 00000080h |
jc 00007EFEC8F462A4h |
mov eax, edi |
xor eax, esi |
test eax, 0000000Fh |
jne 00007EFEC8F460E0h |
bt dword ptr [004BA370h], 01h |
jc 00007EFEC8F465B0h |
bt dword ptr [004C0158h], 00000000h |
jnc 00007EFEC8F4627Dh |
test edi, 00000003h |
jne 00007EFEC8F4628Eh |
test esi, 00000003h |
jne 00007EFEC8F4626Dh |
bt edi, 02h |
jnc 00007EFEC8F460DFh |
mov eax, dword ptr [esi] |
sub ecx, 04h |
lea esi, dword ptr [esi+04h] |
mov dword ptr [edi], eax |
lea edi, dword ptr [edi+04h] |
bt edi, 03h |
jnc 00007EFEC8F460E3h |
movq xmm1, qword ptr [esi] |
sub ecx, 08h |
lea esi, dword ptr [esi+08h] |
movq qword ptr [edi], xmm1 |
lea edi, dword ptr [edi+08h] |
test esi, 00000007h |
je 00007EFEC8F46135h |
bt esi, 03h |
jnc 00007EFEC8F46188h |
movdqa xmm1, dqword ptr [esi+00h] |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb7004 | 0x17c | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x31404 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf6000 | 0x6c4c | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8d8d0 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb2730 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8d000 | 0x860 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x8b54f | 0x8b600 | f437a6545e938612764dbb0a314376fc | False | 0.5699499019058296 | data | 6.680413749210956 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x8d000 | 0x2cc42 | 0x2ce00 | 827ffd24759e8e420890ecf164be989e | False | 0.330464397632312 | data | 5.770192333189168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xba000 | 0x9d54 | 0x6200 | e0a519f8e3a35fae0d9c2cfd5a4bacfc | False | 0.16402264030612246 | data | 2.002691099965349 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0xc4000 | 0x31404 | 0x31600 | debc4edffaada9ca914e25066cbda521 | False | 0.8654519382911392 | data | 7.73769908027459 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0xf6000 | 0xa474 | 0xa600 | 0bc98f8631ef0bde830a7f83bb06ff08 | False | 0.5017884036144579 | data | 5.245426654116355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0xc45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216 |
RT_ICON | 0xc46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027 |
RT_ICON | 0xc47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135 |
RT_ICON | 0xc4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333 |
RT_ICON | 0xc4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5 |
RT_ICON | 0xc4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388 |
RT_ICON | 0xc5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524 |
RT_ICON | 0xc6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918 |
RT_ICON | 0xc69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727 |
RT_ICON | 0xc8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496 |
RT_ICON | 0xca038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227 |
RT_MENU | 0xca4a0 | 0x50 | data | English | Great Britain | 0.9 |
RT_STRING | 0xca4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333 |
RT_STRING | 0xcaa84 | 0x68a | data | English | Great Britain | 0.2747909199522103 |
RT_STRING | 0xcb110 | 0x490 | data | English | Great Britain | 0.3715753424657534 |
RT_STRING | 0xcb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282 |
RT_STRING | 0xcbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336 |
RT_STRING | 0xcc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698 |
RT_STRING | 0xcc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186 |
RT_RCDATA | 0xcc7b8 | 0x28709 | data | | | 1.000368266310877 |
RT_GROUP_ICON | 0xf4ec4 | 0x76 | data | English | Great Britain | 0.6610169491525424 |
RT_GROUP_ICON | 0xf4f3c | 0x14 | data | English | Great Britain | 1.25 |
RT_GROUP_ICON | 0xf4f50 | 0x14 | data | English | Great Britain | 1.15 |
RT_GROUP_ICON | 0xf4f64 | 0x14 | data | English | Great Britain | 1.25 |
RT_VERSION | 0xf4f78 | 0xdc | data | English | Great Britain | 0.6181818181818182 |
RT_MANIFEST | 0xf5054 | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814 |
DLL | Import |
---|---|
WSOCK32.dll | __WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket |
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW |
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW |
COMCTL32.dll | ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon |
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W |
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable |
PSAPI.DLL | GetProcessMemoryInfo |
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho |
USERENV.dll | UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW |
UxTheme.dll | IsThemeActive |
KERNEL32.dll | HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA |
USER32.dll | SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW |
GDI32.dll | SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath |
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW |
ADVAPI32.dll | GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce |
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish |
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket |
OLEAUT32.dll | RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | Great Britain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-11T09:12:37.633234+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49730 | 158.101.44.242 | 80 | TCP |
2025-01-11T09:12:38.726915+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49730 | 158.101.44.242 | 80 | TCP |
2025-01-11T09:12:39.326128+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49732 | 104.21.112.1 | 443 | TCP |
2025-01-11T09:12:40.105937+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49733 | 158.101.44.242 | 80 | TCP |
2025-01-11T09:12:46.406487+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49742 | 104.21.112.1 | 443 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 11, 2025 09:12:36.844780922 CET | 49730 | 80 | 192.168.2.4 | 158.101.44.242 |
Jan 11, 2025 09:12:36.849675894 CET | 80 | 49730 | 158.101.44.242 | 192.168.2.4 |
Jan 11, 2025 09:12:36.849751949 CET | 49730 | 80 | 192.168.2.4 | 158.101.44.242 |
Jan 11, 2025 09:12:36.850209951 CET | 49730 | 80 | 192.168.2.4 | 158.101.44.242 |
Jan 11, 2025 09:12:36.854978085 CET | 80 | 49730 | 158.101.44.242 | 192.168.2.4 |
Jan 11, 2025 09:12:37.414777040 CET | 80 | 49730 | 158.101.44.242 | 192.168.2.4 |
Jan 11, 2025 09:12:37.422501087 CET | 49730 | 80 | 192.168.2.4 | 158.101.44.242 |
Jan 11, 2025 09:12:37.427403927 CET | 80 | 49730 | 158.101.44.242 | 192.168.2.4 |
Jan 11, 2025 09:12:37.577548027 CET | 80 | 49730 | 158.101.44.242 | 192.168.2.4 |
Jan 11, 2025 09:12:37.633234024 CET | 49730 | 80 | 192.168.2.4 | 158.101.44.242 |
Jan 11, 2025 09:12:37.834789038 CET | 49731 | 443 | 192.168.2.4 | 104.21.112.1 |
Jan 11, 2025 09:12:37.834903955 CET | 443 | 49731 | 104.21.112.1 | 192.168.2.4 |
Jan 11, 2025 09:12:37.834983110 CET | 49731 | 443 | 192.168.2.4 | 104.21.112.1 |
Jan 11, 2025 09:12:37.847100973 CET | 49731 | 443 | 192.168.2.4 | 104.21.112.1 |
Jan 11, 2025 09:12:37.847146988 CET | 443 | 49731 | 104.21.112.1 | 192.168.2.4 |
Jan 11, 2025 09:12:38.312516928 CET | 443 | 49731 | 104.21.112.1 | 192.168.2.4 |
Jan 11, 2025 09:12:38.312746048 CET | 49731 | 443 | 192.168.2.4 | 104.21.112.1 |
Jan 11, 2025 09:12:38.320393085 CET | 49731 | 443 | 192.168.2.4 | 104.21.112.1 |
Jan 11, 2025 09:12:38.320442915 CET | 443 | 49731 | 104.21.112.1 | 192.168.2.4 |
Jan 11, 2025 09:12:38.320966005 CET | 443 | 49731 | 104.21.112.1 | 192.168.2.4 |
Jan 11, 2025 09:12:38.367552042 CET | 49731 | 443 | 192.168.2.4 | 104.21.112.1 |
Jan 11, 2025 09:12:38.399884939 CET | 49731 | 443 | 192.168.2.4 | 104.21.112.1 |
Jan 11, 2025 09:12:38.443339109 CET | 443 | 49731 | 104.21.112.1 | 192.168.2.4 |
Jan 11, 2025 09:12:38.508663893 CET | 443 | 49731 | 104.21.112.1 | 192.168.2.4 |
Jan 11, 2025 09:12:38.508755922 CET | 443 | 49731 | 104.21.112.1 | 192.168.2.4 |
Jan 11, 2025 09:12:38.508819103 CET | 49731 | 443 | 192.168.2.4 | 104.21.112.1 |
Jan 11, 2025 09:12:38.516622066 CET | 49731 | 443 | 192.168.2.4 | 104.21.112.1 |
Jan 11, 2025 09:12:38.521152020 CET | 49730 | 80 | 192.168.2.4 | 158.101.44.242 |
Jan 11, 2025 09:12:38.526182890 CET | 80 | 49730 | 158.101.44.242 | 192.168.2.4 |
Jan 11, 2025 09:12:38.676266909 CET | 80 | 49730 | 158.101.44.242 | 192.168.2.4 |
Jan 11, 2025 09:12:38.692755938 CET | 49732 | 443 | 192.168.2.4 | 104.21.112.1 |
Jan 11, 2025 09:12:38.692820072 CET | 443 | 49732 | 104.21.112.1 | 192.168.2.4 |
Jan 11, 2025 09:12:38.692882061 CET | 49732 | 443 | 192.168.2.4 | 104.21.112.1 |
Jan 11, 2025 09:12:38.693734884 CET | 49732 | 443 | 192.168.2.4 | 104.21.112.1 |
Jan 11, 2025 09:12:38.693758965 CET | 443 | 49732 | 104.21.112.1 | 192.168.2.4 |
Jan 11, 2025 09:12:38.726914883 CET | 49730 | 80 | 192.168.2.4 | 158.101.44.242 |
Jan 11, 2025 09:12:39.174813986 CET | 443 | 49732 | 104.21.112.1 | 192.168.2.4 |
Jan 11, 2025 09:12:39.177077055 CET | 49732 | 443 | 192.168.2.4 | 104.21.112.1 |
Jan 11, 2025 09:12:39.177103996 CET | 443 | 49732 | 104.21.112.1 | 192.168.2.4 |
Jan 11, 2025 09:12:39.325695038 CET | 443 | 49732 | 104.21.112.1 | 192.168.2.4 |
Jan 11, 2025 09:12:39.325784922 CET | 443 | 49732 | 104.21.112.1 | 192.168.2.4 |
Jan 11, 2025 09:12:39.325858116 CET | 49732 | 443 | 192.168.2.4 | 104.21.112.1 |
Jan 11, 2025 09:12:39.326459885 CET | 49732 | 443 | 192.168.2.4 | 104.21.112.1 |
Jan 11, 2025 09:12:39.331264019 CET | 49730 | 80 | 192.168.2.4 | 158.101.44.242 |
Jan 11, 2025 09:12:39.332811117 CET | 49733 | 80 | 192.168.2.4 | 158.101.44.242 |
Jan 11, 2025 09:12:39.336322069 CET | 80 | 49730 | 158.101.44.242 | 192.168.2.4 |
Jan 11, 2025 09:12:39.336407900 CET | 49730 | 80 | 192.168.2.4 | 158.101.44.242 |
Jan 11, 2025 09:12:39.337642908 CET | 80 | 49733 | 158.101.44.242 | 192.168.2.4 |
Jan 11, 2025 09:12:39.337711096 CET | 49733 | 80 | 192.168.2.4 | 158.101.44.242 |
Jan 11, 2025 09:12:39.337857008 CET | 49733 | 80 | 192.168.2.4 | 158.101.44.242 |
Jan 11, 2025 09:12:39.342662096 CET | 80 | 49733 | 158.101.44.242 | 192.168.2.4 |
Jan 11, 2025 09:12:40.105669022 CET | 80 | 49733 | 158.101.44.242 | 192.168.2.4 |
Jan 11, 2025 09:12:40.105937004 CET | 49733 | 80 | 192.168.2.4 | 158.101.44.242 |
Jan 11, 2025 09:12:40.107420921 CET | 49734 | 443 | 192.168.2.4 | 104.21.112.1 |
Jan 11, 2025 09:12:40.107470989 CET | 443 | 49734 | 104.21.112.1 | 192.168.2.4 |
Jan 11, 2025 09:12:40.107532978 CET | 49734 | 443 | 192.168.2.4 | 104.21.112.1 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 11, 2025 09:12:36.827387094 CET | 64905 | 53 | 192.168.2.4 | 1.1.1.1 |
Jan 11, 2025 09:12:36.834822893 CET | 53 | 64905 | 1.1.1.1 | 192.168.2.4 |
Jan 11, 2025 09:12:37.824960947 CET | 52733 | 53 | 192.168.2.4 | 1.1.1.1 |
Jan 11, 2025 09:12:37.833573103 CET | 53 | 52733 | 1.1.1.1 | 192.168.2.4 |
Jan 11, 2025 09:13:08.859894991 CET | 53 | 55347 | 162.159.36.2 | 192.168.2.4 |
Jan 11, 2025 09:13:09.363558054 CET | 59134 | 53 | 192.168.2.4 | 1.1.1.1 |
Jan 11, 2025 09:13:09.371042013 CET | 53 | 59134 | 1.1.1.1 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Jan 11, 2025 09:12:36.827387094 CET | 192.168.2.4 | 1.1.1.1 | 0x69b8 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Jan 11, 2025 09:12:37.824960947 CET | 192.168.2.4 | 1.1.1.1 | 0xbe23 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Jan 11, 2025 09:13:09.363558054 CET | 192.168.2.4 | 1.1.1.1 | 0x2c86 | Standard query (0) | PTR (Pointer record) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Jan 11, 2025 09:12:36.834822893 CET | 1.1.1.1 | 192.168.2.4 | 0x69b8 | No error (0) | checkip.dyndns.com | CNAME (Canonical name) | IN (0x0001) | false | ||
Jan 11, 2025 09:12:36.834822893 CET | 1.1.1.1 | 192.168.2.4 | 0x69b8 | No error (0) | 158.101.44.242 | A (IP address) | IN (0x0001) | false | ||
Jan 11, 2025 09:12:36.834822893 CET | 1.1.1.1 | 192.168.2.4 | 0x69b8 | No error (0) | 193.122.6.168 | A (IP address) | IN (0x0001) | false | ||
Jan 11, 2025 09:12:36.834822893 CET | 1.1.1.1 | 192.168.2.4 | 0x69b8 | No error (0) | 132.226.8.169 | A (IP address) | IN (0x0001) | false | ||
Jan 11, 2025 09:12:36.834822893 CET | 1.1.1.1 | 192.168.2.4 | 0x69b8 | No error (0) | 193.122.130.0 | A (IP address) | IN (0x0001) | false | ||
Jan 11, 2025 09:12:36.834822893 CET | 1.1.1.1 | 192.168.2.4 | 0x69b8 | No error (0) | 132.226.247.73 | A (IP address) | IN (0x0001) | false | ||
Jan 11, 2025 09:12:37.833573103 CET | 1.1.1.1 | 192.168.2.4 | 0xbe23 | No error (0) | 104.21.112.1 | A (IP address) | IN (0x0001) | false | ||
Jan 11, 2025 09:12:37.833573103 CET | 1.1.1.1 | 192.168.2.4 | 0xbe23 | No error (0) | 104.21.16.1 | A (IP address) | IN (0x0001) | false | ||
Jan 11, 2025 09:12:37.833573103 CET | 1.1.1.1 | 192.168.2.4 | 0xbe23 | No error (0) | 104.21.64.1 | A (IP address) | IN (0x0001) | false | ||
Jan 11, 2025 09:12:37.833573103 CET | 1.1.1.1 | 192.168.2.4 | 0xbe23 | No error (0) | 104.21.80.1 | A (IP address) | IN (0x0001) | false | ||
Jan 11, 2025 09:12:37.833573103 CET | 1.1.1.1 | 192.168.2.4 | 0xbe23 | No error (0) | 104.21.48.1 | A (IP address) | IN (0x0001) | false | ||
Jan 11, 2025 09:12:37.833573103 CET | 1.1.1.1 | 192.168.2.4 | 0xbe23 | No error (0) | 104.21.96.1 | A (IP address) | IN (0x0001) | false | ||
Jan 11, 2025 09:12:37.833573103 CET | 1.1.1.1 | 192.168.2.4 | 0xbe23 | No error (0) | 104.21.32.1 | A (IP address) | IN (0x0001) | false | ||
Jan 11, 2025 09:13:09.371042013 CET | 1.1.1.1 | 192.168.2.4 | 0x2c86 | Name error (3) | none | none | PTR (Pointer record) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.4 | 49730 | 158.101.44.242 | 80 | 7364 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Jan 11, 2025 09:12:36.850209951 CET | 151 | OUT | |
Jan 11, 2025 09:12:37.414777040 CET | 321 | IN | |
Jan 11, 2025 09:12:37.422501087 CET | 127 | OUT | |
Jan 11, 2025 09:12:37.577548027 CET | 321 | IN | |
Jan 11, 2025 09:12:38.521152020 CET | 127 | OUT | |
Jan 11, 2025 09:12:38.676266909 CET | 321 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.4 | 49733 | 158.101.44.242 | 80 | 7364 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Jan 11, 2025 09:12:39.337857008 CET | 127 | OUT | |
Jan 11, 2025 09:12:40.105669022 CET | 321 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.4 | 49735 | 158.101.44.242 | 80 | 7364 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Jan 11, 2025 09:12:40.822304964 CET | 151 | OUT | |
Jan 11, 2025 09:12:41.388544083 CET | 321 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.4 | 49737 | 158.101.44.242 | 80 | 7364 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Jan 11, 2025 09:12:42.011534929 CET | 151 | OUT | |
Jan 11, 2025 09:12:42.886188030 CET | 321 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.4 | 49739 | 158.101.44.242 | 80 | 7364 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Jan 11, 2025 09:12:43.515218019 CET | 151 | OUT | |
Jan 11, 2025 09:12:44.619976997 CET | 321 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.4 | 49741 | 158.101.44.242 | 80 | 7364 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Jan 11, 2025 09:12:45.238359928 CET | 151 | OUT | |
Jan 11, 2025 09:12:45.800664902 CET | 321 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.4 | 49743 | 158.101.44.242 | 80 | 7364 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Jan 11, 2025 09:12:46.417385101 CET | 151 | OUT | |
Jan 11, 2025 09:12:46.980377913 CET | 321 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.4 | 49731 | 104.21.112.1 | 443 | 7364 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-11 08:12:38 UTC | 85 | OUT | |
2025-01-11 08:12:38 UTC | 855 | IN | |
2025-01-11 08:12:38 UTC | 362 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.4 | 49732 | 104.21.112.1 | 443 | 7364 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-11 08:12:39 UTC | 61 | OUT | |
2025-01-11 08:12:39 UTC | 855 | IN | |
2025-01-11 08:12:39 UTC | 362 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.4 | 49734 | 104.21.112.1 | 443 | 7364 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-11 08:12:40 UTC | 85 | OUT | |
2025-01-11 08:12:40 UTC | 859 | IN | |
2025-01-11 08:12:40 UTC | 362 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.4 | 49736 | 104.21.112.1 | 443 | 7364 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-11 08:12:41 UTC | 85 | OUT | |
2025-01-11 08:12:41 UTC | 865 | IN | |
2025-01-11 08:12:41 UTC | 362 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.4 | 49738 | 104.21.112.1 | 443 | 7364 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-11 08:12:43 UTC | 85 | OUT | |
2025-01-11 08:12:43 UTC | 853 | IN | |
2025-01-11 08:12:43 UTC | 362 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.4 | 49740 | 104.21.112.1 | 443 | 7364 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-11 08:12:45 UTC | 85 | OUT | |
2025-01-11 08:12:45 UTC | 861 | IN | |
2025-01-11 08:12:45 UTC | 362 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.4 | 49742 | 104.21.112.1 | 443 | 7364 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-11 08:12:46 UTC | 61 | OUT | |
2025-01-11 08:12:46 UTC | 857 | IN | |
2025-01-11 08:12:46 UTC | 362 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.4 | 49744 | 104.21.112.1 | 443 | 7364 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-11 08:12:47 UTC | 85 | OUT | |
2025-01-11 08:12:47 UTC | 853 | IN | |
2025-01-11 08:12:47 UTC | 362 | IN |
Target ID: | 0 |
Start time: | 03:12:34 |
Start date: | 11/01/2025 |
Path: | C:\Users\user\Desktop\aS39AS7b0P.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x7a0000 |
File size: | 1'025'536 bytes |
MD5 hash: | 10F089D7B9E39A47F1BA6E9CA2086D25 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 03:12:35 |
Start date: | 11/01/2025 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x310000 |
File size: | 45'984 bytes |
MD5 hash: | 9D352BC46709F0CB5EC974633A0C3C94 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | high |
Has exited: | false |
Execution Graph
Execution Coverage: | 3.7% |
Dynamic/Decrypted Code Coverage: | 1% |
Signature Coverage: | 4% |
Total number of Nodes: | 1960 |
Total number of Limit Nodes: | 169 |
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
007A3D19 | 17.7 | 8 | 2 | 151 | window, COMMON |
007BDDC0 | 10.7 | 7 | | 175 | COMMON |
007E6CA9 | 4.5 | 3 | | 25 | file, COMMON |
007AE8D0 | 49.8 | 24 | 4 | 816 | window, sleep, time, COMMON |
007D5C78 | 47.9 | 26 | 1 | 626 | file, COMMON, LIBRARYCODE |
007A3F53 | 19.3 | 7 | 4 | 53 | window, registry, COMMON |
007EBFA4 | 18.3 | 12 | | 316 | file, COMMON |
007A3742 | 15.9 | 8 | 1 | 151 | window, time, registry, COMMON |
007A3E6E | 15.8 | 6 | 3 | 66 | window, registry, COMMON |
01562048 | 10.7 | 7 | | 239 | file, COMMON |
007A49FB | 10.6 | 4 | 2 | 73 | registry, COMMON |
01561E08 | 8.9 | 4 | 1 | 148 | file, COMMON |
007A51AF | 8.8 | 4 | 1 | 88 | window, COMMON |
007BD298 | 7.1 | 3 | 1 | 58 | registry, COMMON |
007EC396 | 6.2 | 4 | | 154 | COMMON |
007FF8AE | 4.9 | 3 | | 385 | COMMON |
007A4FFC | 4.6 | 3 | | 77 | window, COMMON |
007C395C | 4.6 | 3 | | 59 | memory, COMMON, LIBRARYCODE |
007EBB64 | 4.5 | 3 | | 22 | COMMON |
007A2322 | 3.9 | 3 | | 159 | COMMON |
007A3A0F | 3.1 | 2 | | 59 | COMMON |
007BF4EA | 3.0 | 2 | | 43 | COMMON |
007C2957 | 1.6 | 1 | | 135 | COMMON |
007BED18 | 1.6 | 1 | | 94 | memory, COMMON |
00819A75 | 1.6 | 1 | | 88 | COMMON |
007A41A9 | 1.6 | 1 | | 63 | library, COMMON |
00819B45 | 1.6 | 1 | | 62 | COMMON |
007A39DB | 1.5 | 1 | | 41 | COMMON |
007C2AAE | 1.5 | 1 | | 35 | COMMON |
007A4252 | 1.5 | 1 | | 28 | COMMON |
007A40A7 | 1.5 | 1 | | 23 | COMMON |
007EBCF4 | 1.5 | 1 | | 22 | COMMON |
01561CF8 | 1.3 | 1 | | 18 | sleep, COMMON |
0080F7FF | 74.1 | 40 | 2 | 630 | window, keyboard, COMMON |
0080AACE | 60.1 | 33 | 1 | 574 | window, COMMON |
007BEB42 | 43.9 | 24 | 1 | 130 | keyboard, thread, window, COMMON |
007E60DD | 31.7 | 17 | 1 | 174 | file, string, COMMON |
007EF5FA | 28.3 | 13 | 3 | 278 | time, file, COMMON |
007F1B2F | 28.1 | 15 | 1 | 118 | file, COMMON |
007F1C8A | 24.6 | 13 | 1 | 111 | file, COMMON |
007F091D | 22.9 | 12 | 1 | 185 | time, COMMON |
007A6F07 | 18.4 | | 14 | 883 | COMMON |
007E63F9 | 17.6 | 9 | 1 | 89 | file, COMMON |
007F6D07 | 15.1 | 10 | | 83 | clipboard, memory, COMMON |
007E79D3 | 10.6 | 3 | 3 | 58 | shutdown, COMMON |
007F8C4F | 9.1 | 6 | | 83 | network, COMMON |
007E6532 | 9.1 | 6 | | 71 | process, COMMON |
007EEB60 | 7.6 | 5 | | 125 | file, COMMON |
00808111 | 7.6 | 5 | | 69 | window, COMMON |
007A9B60 | 7.3 | | 5 | 1055 | COMMON |
007BE01E | 7.0 | 2 | 2 | 15 | library, loader, COMMON |
007E13CA | 5.1 | 1 | 2 | 560 | string, COMMON |
007BB11F | 4.9 | 3 | | 377 | COMMON |
007EE1FD | 4.6 | 3 | | 72 | COMMON |
007DB134 | 4.6 | 3 | | 67 | COMMON |
007E6606 | 4.6 | 3 | | 58 | file, COMMON |
007E71FA | 4.5 | 3 | | 42 | memory, COMMON |
007EF56F | 3.1 | 2 | | 52 | file, COMMON |
007ECE7A | 3.0 | 2 | | 30 | window, COMMON |
007DAB84 | 3.0 | 2 | | 22 | COMMON |
007A77B0 | 2.6 | 1 | | 1076 | COMMON |
007B3B70 | 2.2 | | 1 | 903 | COMMON |
007CD1B9 | 2.1 | 1 | | 645 | COMMON |
007A96C0 | 2.1 | 1 | | 573 | COMMON |
007D038E | 1.8 | 1 | | 294 | COMMON |
007EB6CC | 1.6 | 1 | | 71 | COMMON |
007E74E7 | 1.5 | 1 | | 24 | COMMON |
007DB106 | 1.5 | 1 | | 18 | COMMON |
0081B340 | 1.5 | 1 | | 7 | COMMON |
007C8189 | 1.5 | 1 | | 6 | COMMON |
007B3200 | 1.0 | | | 986 | COMMON |
007AE3B0 | .5 | | | 540 | COMMON |
007A93F0 | .5 | | | 531 | COMMON |
007AAF50 | .5 | | | 514 | COMMON |
007C02A4 | .3 | | | 345 | COMMON |
007C06D9 | .3 | | | 341 | COMMON |
007BFA57 | .3 | | | 323 | COMMON |
01563068 | .1 | | | 92 | COMMON |
01562F58 | .0 | | | 35 | COMMON |
01562EF8 | .0 | | | 35 | COMMON |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 015618C8 Relevance: .0, Instructions: 6COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
007FA2A9 | 77.5 | 40 | 4 | 490 | file, com, memory, COMMON |
0080D285 | 49.8 | 33 | | 260 | COMMON |
007BB8FD | 49.5 | 27 | 1 | 491 | window, COMMON |
0080B6C4 | 38.9 | 21 | 1 | 400 | window, COMMON |
0080764F | 37.0 | 18 | 3 | 290 | window, COMMON |
007BA856 | 33.5 | 18 | 1 | 285 | window, time, COMMON |
00803639 | 26.7 | 9 | 6 | 477 | registry, COMMON |
00806BC9 | 26.5 | 2 | 13 | 281 | window, COMMON |
007DCF50 | 26.5 | 14 | 1 | 273 | window, time, COMMON |
007F79B0 | 25.6 | 17 | | 109 | COMMON |
0080CE58 | 24.7 | 12 | 2 | 205 | window, COMMON |
0080F351 | 24.7 | 11 | 3 | 178 | window, file, COMMON |
007EAAF8 | 23.1 | 11 | 2 | 374 | time, COMMON |
0080716A | 23.0 | 2 | 11 | 244 | window, COMMON |
0080E4F5 | 22.9 | 10 | 3 | 199 | window, library, COMMON |
007E26BC | 22.9 | 8 | 5 | 137 | window, COMMON |
007ED0B8 | 22.9 | 10 | 3 | 101 | file, COMMON |
0080EEEB | 21.2 | 11 | 1 | 229 | window, COMMON |
007F9DC1 | 21.2 | 11 | 1 | 159 | window, COMMON |
007DA14D | 19.4 | 8 | 3 | 127 | registry, share, COMMON |
007E25B5 | 19.3 | 6 | 5 | 74 | window, COMMON |
007E778F | 19.3 | 10 | 1 | 72 | sleep, window, time, COMMON |
007F02EE | 18.3 | 12 | | 282 | com, COMMON |
007DED02 | 18.2 | 12 | | 174 | COMMON |
007BB73E | 18.2 | 12 | | 170 | time, COMMON |
007BB40A | 18.1 | 12 | | 131 | COMMON |
007E690B | 18.1 | 12 | | 113 | COMMON |
0080A1B6 | 17.6 | 9 | 1 | 101 | window, COMMON |
007E6F02 | 17.6 | 9 | 1 | 72 | network, COMMON |
007C500E | 16.8 | 11 | | 257 | COMMON |
007FADAE | 15.9 | 6 | 3 | 197 | com, COMMON |
007F8107 | 15.9 | 8 | 1 | 163 | network, file, COMMON |
007DB907 | 15.8 | 7 | 2 | 81 | window, COMMON |
007DB9F0 | 15.8 | 7 | 2 | 80 | window, COMMON |
007DBAD7 | 15.8 | 4 | 5 | 71 | window, COMMON |
007FB2A9 | 15.3 | 10 | | 324 | file, COMMON |
007CACB3 | 15.2 | 10 | | 219 | COMMON |
007BCB8D | 14.2 | 7 | 1 | 185 | window, COMMON |
007F45C4 | 14.1 | 7 | 1 | 133 | network, COMMON |
007FB644 | 13.9 | 9 | | 432 | COMMON |
0080B33A | 13.7 | 9 | | 167 | COMMON |
007BEA69 | 13.6 | 9 | | 135 | COMMON |
00809A75 | 12.4 | 6 | 1 | 142 | window, COMMON |
007E5819 | 12.3 | 2 | 5 | 81 | window, COMMON |
007EA729 | 12.3 | 8 | | 317 | COMMON |
007E6B49 | 12.3 | 6 | 1 | 46 | window, COMMON |
00808ECC | 12.1 | 8 | | 95 | window, COMMON |
007BAE78 | 10.7 | 7 | | 218 | COMMON |
007E7DB1 | 10.6 | 7 | | 137 | time, COMMON |
00808FC8 | 10.6 | 7 | | 99 | window, COMMON |
007E08AF | 10.6 | 7 | | 94 | memory, COMMON |
007E0986 | 10.6 | 7 | | 89 | memory, COMMON |
0080A2C8 | 10.6 | 5 | 1 | 75 | window, COMMON |
007BCCCD | 9.3 | 6 | | 253 | COMMON |
008084DE | 9.2 | 6 | | 152 | window, COMMON |
007E4AC2 | 9.1 | 6 | | 136 | window, COMMON |
007BABF5 | 9.1 | 6 | | 113 | COMMON |
0080E397 | 9.1 | 6 | | 108 | window, COMMON |
007E98BA | 9.1 | 6 | | 100 | file, COMMON |
007F9B45 | 9.1 | 6 | | 99 | COMMON |
007DAF64 | 9.1 | 6 | | 73 | process, COMMON |
0080EBF6 | 9.0 | 6 | | 49 | COMMON |
007DE19B | 9.0 | 6 | | 48 | COMMON |
007C7B47 | 9.0 | 6 | | 45 | thread, COMMON |
007E9AD5 | 9.0 | 6 | | 44 | COMMON |
007E9A20 | 9.0 | 6 | | 33 | synchronization, thread, COMMON, LIBRARYCODE |
007E5347 | 8.9 | 4 | 1 | 180 | window, COMMON |
007E0213 | 8.9 | 4 | 1 | 120 | com, library, loader, COMMON |
007E5007 | 8.9 | 4 | 1 | 114 | window, COMMON |
007DB80A | 8.8 | 3 | 2 | 93 | window, COMMON |
007F43E2 | 8.8 | 4 | 1 | 85 | network, COMMON |
008090E2 | 8.8 | 4 | 1 | 80 | window, library, COMMON |
007E9568 | 8.8 | 4 | 1 | 78 | file, pipe, COMMON |
007E9634 | 8.8 | 4 | 1 | 78 | file, pipe, COMMON |
007DC9E0 | 8.8 | 4 | 1 | 67 | window, COMMON |
00801945 | 7.7 | 5 | | 232 | COMMON |
007E1C9A | 7.7 | 5 | | 158 | COMMON |
0080CCF7 | 7.6 | 5 | | 129 | COMMON |
007F1206 | 7.6 | 5 | | 127 | COMMON |
007DDBBF | 7.6 | 5 | | 87 | window, COMMON |
007DBC77 | 7.6 | 5 | | 82 | window, COMMON |
007E6318 | 7.6 | 5 | | 80 | COMMON |
007F8B95 | 7.6 | 5 | | 71 | network, COMMON |
007F8420 | 7.6 | 5 | | 69 | COMMON |
007BAF83 | 7.6 | 5 | | 67 | COMMON |
007C217F | 7.6 | 5 | | 61 | thread, COMMON |
007DABBB | 7.5 | 5 | | 48 | memory, COMMON |
007E7A58 | 7.5 | 5 | | 47 | sleep, COMMON |
007D9ABF | 7.5 | 5 | | 47 | string, COMMON |
007DAA62 | 7.5 | 5 | | 45 | memory, COMMON |
007DAAC3 | 7.5 | 5 | | 45 | memory, COMMON |
007BB0AB | 7.5 | 5 | | 29 | COMMON |
007DC189 | 7.1 | 3 | 1 | 121 | window, COMMON |
0080A0D6 | 7.1 | 3 | 1 | 89 | window, COMMON |
0080A88A | 7.1 | 3 | 1 | 88 | window, COMMON |
008099A5 | 7.1 | 3 | 1 | 84 | window, COMMON |
0080A409 | 7.1 | 3 | 1 | 66 | window, COMMON |
007C2287 | 7.0 | 2 | 2 | 24 | library, loader, COMMON, LIBRARYCODE |
007C235C | 7.0 | 2 | 2 | 19 | library, loader, COMMON, LIBRARYCODE |
00802205 | 7.0 | 2 | 2 | 15 | library, loader, COMMON |
007A42F6 | 7.0 | 2 | 2 | 15 | library, loader, COMMON |
007A434B | 7.0 | 2 | 2 | 15 | library, loader, COMMON |
007E0564 | 7.0 | 2 | 2 | 15 | library, loader, COMMON |
007E0539 | 7.0 | 2 | 2 | 15 | library, loader, COMMON |
007FECC8 | 7.0 | 2 | 2 | 15 | library, loader, COMMON |
007FBADD | 7.0 | 2 | 2 | 15 | library, loader, COMMON |
00803BDB | 7.0 | 2 | 2 | 15 | library, loader, COMMON |
007D9B30 | 6.3 | 4 | | 306 | COMMON |
007FAA84 | 6.3 | 4 | | 268 | COMMON |
007D91CC | 6.2 | 4 | | 201 | memory, COMMON |
0080C4D7 | 6.1 | 4 | | 137 | COMMON |
007DC410 | 6.1 | 4 | | 130 | window, COMMON |
007EE698 | 6.1 | 4 | | 110 | file, COMMON |
0080B544 | 6.1 | 4 | | 108 | COMMON |
0080D7DE | 6.1 | 4 | | 105 | window, COMMON |
00807CA5 | 6.1 | 4 | | 93 | COMMON |
0080F1D7 | 6.1 | 4 | | 80 | window, COMMON |
007F431C | 6.1 | 4 | | 78 | network, COMMON |
007F8A7F | 6.1 | 4 | | 69 | network, COMMON |
00808A37 | 6.1 | 4 | | 69 | COMMON |
007E0AA6 | 6.1 | 3 | 1 | 68 | string, COMMON |
007E6713 | 6.1 | 4 | | 64 | file, COMMON |
007DB1CC | 6.1 | 4 | | 63 | memory, COMMON |
007DB478 | 6.1 | 4 | | 58 | window, COMMON |
007BB55D | 6.1 | 4 | | 56 | COMMON |
007E732B | 6.1 | 4 | | 55 | synchronization, thread, window, COMMON |
007BD17C | 6.1 | 4 | | 53 | window, COMMON |
0080E32E | 6.0 | 4 | | 40 | process, COMMON |
0080EA6A | 6.0 | 4 | | 31 | COMMON |
007DB0CD | 6.0 | 4 | | 23 | thread, COMMON |
007BB47D | 6.0 | 4 | | 22 | COMMON |
0081B29A | 6.0 | 4 | | 20 | COMMON |
0081B2AE | 6.0 | 4 | | 19 | COMMON |
007BBCC9 | 5.4 | 2 | 1 | 143 | sleep, COMMON |
0080A76A | 5.3 | 2 | 1 | 96 | window, COMMON |
007F5180 | 5.3 | 2 | 1 | 96 | network, COMMON |
007E5157 | 5.3 | 2 | 1 | 87 | window, COMMON |
008093CF | 5.3 | 2 | 1 | 72 | window, COMMON |
00809617 | 5.3 | 2 | 1 | 64 | window, COMMON |
007E5262 | 5.3 | 2 | 1 | 62 | window, COMMON |
007F4D9F | 5.3 | 2 | 1 | 61 | network, COMMON |
007FA82C | 5.3 | 2 | 1 | 52 | network, COMMON |
007DB781 | 5.3 | 1 | 2 | 51 | window, COMMON |
007DB67D | 5.3 | 1 | 2 | 49 | window, COMMON |
007DB700 | 5.3 | 1 | 2 | 48 | window, COMMON |
007DA631 | 5.3 | 1 | 2 | 22 | window, COMMON |
00808698 | 5.3 | 2 | 1 | 15 | window, COMMON |
008086CC | 5.3 | 2 | 1 | 15 | window, COMMON |