Edit tour
Windows
Analysis Report
hgTNnG8vjD.exe
Overview
General Information
| Sample name: | hgTNnG8vjD.exerenamed because original name is a hash value |
| Original sample name: | 9423bc1d281e52a2b42d4c4904c9ac774dcac46aa278c28fa8d0e0b949c70564.exe |
| Analysis ID: | 1589394 |
| MD5: | 42569d9b139c0093fa393444dfbea52e |
| SHA1: | 0f661a3a1b6b9c728e8949d14db45af6e4f0d103 |
| SHA256: | 9423bc1d281e52a2b42d4c4904c9ac774dcac46aa278c28fa8d0e0b949c70564 |
| Tags: | exeuser-zhuzhu0009 |
| Infos: |   |
 | |
Detection
DarkComet
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected DarkComet
AI detected suspicious sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Opens the same file many times (likely Sandbox evasion)
Sample uses process hollowing technique
Sigma detected: New RUN Key Pointing to Suspicious Folder
Uses dynamic DNS services
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables driver privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match
Classification
- System is w10x64
hgTNnG8vjD.exe (PID: 7472 cmdline: "C:\Users\ user\Deskt op\hgTNnG8 vjD.exe" MD5: 42569D9B139C0093FA393444DFBEA52E) 
RegSvcs.exe (PID: 7544 cmdline: "C:\Window s\Microsof t.NET\Fram ework\v2.0 .50727\Reg Svcs.exe" MD5: 3A77A4F220612FA55118FB8D7DDAE83C)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| DarkComet | DarkComet is one of the most famous RATs, developed by Jean-Pierre Lesueur in 2008. After being used in the Syrian civil war in 2011, Lesuer decided to stop developing the trojan. Indeed, DarkComet is able to enable control over a compromised system through use of a simple graphic user interface. Experts think that this user friendliness is the key of its mass success. |
{"PWD": "Myhacker123", "MUTEX": "snake", "SID": "Snake-5", "FWB": "0", "NETDATA": ["kasavetia.no-ip.biz:12321", "kasavetia.no-ip.biz:45654", "eu3.no-ip.biz:45654", "eu3.no-ip.biz:12321"], "GENCODE": "Pi2UsWcM3BhH", "OFFLINEK": "1", "FTPUPLOADK": "1", "FTPHOST": "ftp.tirservicebg.com", "FTPUSER": "evil@tirservicebg.com", "FTPPASS": "262914", "FTPPORT": "21", "FTPSIZE": "1024", "FTPROOT": "/"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| DarkComet_2 | DarkComet | Jean-Philippe Teissier / @Jipe_ |
| |
| DarkComet_2 | DarkComet | Jean-Philippe Teissier / @Jipe_ |
| |
| JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
| JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | ||
| JoeSecurity_DarkCometRat | Yara detected DarkComet | Kevin Breen <kevin@techanarchy.net> | ||
| Click to see the 109 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | ||
| JoeSecurity_DarkCometRat | Yara detected DarkComet | Kevin Breen <kevin@techanarchy.net> | ||
| Windows_Trojan_Darkcomet_1df27bcc | unknown | unknown |
| |
| RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net> |
| |
| DarkComet_1 | DarkComet RAT | botherder https://github.com/botherder |
| |
| Click to see the 12 entries | ||||
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: | ||
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00431A86 | |
| Source: | Code function: | 0_2_00452492 | |
| Source: | Code function: | 0_2_00442886 | |
| Source: | Code function: | 0_2_004788BD | |
| Source: | Code function: | 0_2_004339B6 | |
| Source: | Code function: | 0_2_0045CAFA | |
| Source: | Code function: | 0_2_0044BD27 | |
| Source: | Code function: | 0_2_0045DE8F | |
| Source: | Code function: | 0_2_0044BF8B | |
Networking | |
|---|
| Source: | DNS query: | ||
| Source: | DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 0_2_004422FE | |
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
Key, Mouse, Clipboard, Microphone and Screen Capturing | |
|---|
| Source: | Windows user hook set: | Jump to behavior | ||
| Source: | Code function: | 0_2_0045A10F | |
| Source: | Code function: | 0_2_0045A10F | |
| Source: | Code function: | 0_2_0046DC80 | |
| Source: | Code function: | 0_2_0044C37A | |
| Source: | Code function: | 0_2_0047C81C | |
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
System Summary | |
|---|
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Code function: | 0_2_00431BE8 | |
| Source: | Code function: | 0_2_00446313 | |
| Source: | Code function: | 0_2_004333BE | |
| Source: | Code function: | 0_2_004096A0 | |
| Source: | Code function: | 0_2_0042200C | |
| Source: | Code function: | 0_2_0041A217 | |
| Source: | Code function: | 0_2_00412216 | |
| Source: | Code function: | 0_2_0042435D | |
| Source: | Code function: | 0_2_004033C0 | |
| Source: | Code function: | 0_2_0044F430 | |
| Source: | Code function: | 0_2_004125E8 | |
| Source: | Code function: | 0_2_0044663B | |
| Source: | Code function: | 0_2_00413801 | |
| Source: | Code function: | 0_2_0042096F | |
| Source: | Code function: | 0_2_004129D0 | |
| Source: | Code function: | 0_2_004119E3 | |
| Source: | Code function: | 0_2_0041C9AE | |
| Source: | Code function: | 0_2_0047EA6F | |
| Source: | Code function: | 0_2_0040FA10 | |
| Source: | Code function: | 0_2_0044EB5F | |
| Source: | Code function: | 0_2_00423C81 | |
| Source: | Code function: | 0_2_00411E78 | |
| Source: | Code function: | 0_2_00442E0C | |
| Source: | Code function: | 0_2_00420EC0 | |
| Source: | Code function: | 0_2_0044CF17 | |
| Source: | Code function: | 0_2_00444FD2 | |
| Source: | Code function: | 2_2_00402370 | |
| Source: | Code function: | 2_2_004064C0 | |
| Source: | Code function: | 2_2_0043E644 | |
| Source: | Code function: | 2_2_004389B4 | |
| Source: | Code function: | 2_2_0045EC78 | |
| Source: | Code function: | 2_2_0046ADBC | |
| Source: | Code function: | 2_2_0046797C | |
| Source: | Code function: | 2_2_00469B90 | |
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_0044AF6C | |
| Source: | Code function: | 0_2_004333BE | |
| Source: | Code function: | 0_2_00464EAE | |
| Source: | Code function: | 2_2_0048AEA8 | |
| Source: | Code function: | 0_2_0045D619 | |
| Source: | Code function: | 0_2_004755C4 | |
| Source: | Code function: | 0_2_0047839D | |
| Source: | Code function: | 0_2_0043305F | |
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Window detected: | ||
| Source: | Static file information: | ||
| Source: | Code function: | 0_2_0040EBD0 | |
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00416CC8 | |
| Source: | Code function: | 2_2_004186D9 | |
| Source: | Code function: | 2_2_0048F11D | |
| Source: | Code function: | 2_2_0048F759 | |
| Source: | Code function: | 2_2_004820BA | |
| Source: | Code function: | 2_2_0045E0D6 | |
| Source: | Code function: | 2_2_004220E1 | |
| Source: | Code function: | 2_2_00466128 | |
| Source: | Code function: | 2_2_0042E168 | |
| Source: | Code function: | 2_2_004741FE | |
| Source: | Code function: | 2_2_00404218 | |
| Source: | Code function: | 2_2_0046227C | |
| Source: | Code function: | 2_2_00464229 | |
| Source: | Code function: | 2_2_00448326 | |
| Source: | Code function: | 2_2_0041639A | |
| Source: | Code function: | 2_2_0041639A | |
| Source: | Code function: | 2_2_0048E3D4 | |
| Source: | Code function: | 2_2_0046E3E5 | |
| Source: | Code function: | 2_2_004204E9 | |
| Source: | Code function: | 2_2_00408706 | |
| Source: | Code function: | 2_2_0044A750 | |
| Source: | Code function: | 2_2_00410820 | |
| Source: | Code function: | 2_2_0042E8DC | |
| Source: | Code function: | 2_2_00430968 | |
| Source: | Code function: | 2_2_0042295F | |
| Source: | Code function: | 2_2_00418935 | |
| Source: | Code function: | 2_2_0044A9F4 | |
| Source: | Code function: | 2_2_0045E9AC | |
| Source: | Code function: | 2_2_00418A55 | |
| Source: | Code function: | 2_2_00460A4B | |
| Source: | Code function: | 2_2_00432B14 | |
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Code function: | 0_2_0047A330 | |
| Source: | Code function: | 0_2_00434418 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | File opened: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | API coverage: | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Last function: | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Code function: | 0_2_00431A86 | |
| Source: | Code function: | 0_2_00452492 | |
| Source: | Code function: | 0_2_00442886 | |
| Source: | Code function: | 0_2_004788BD | |
| Source: | Code function: | 0_2_004339B6 | |
| Source: | Code function: | 0_2_0045CAFA | |
| Source: | Code function: | 0_2_0044BD27 | |
| Source: | Code function: | 0_2_0045DE8F | |
| Source: | Code function: | 0_2_0044BF8B | |
| Source: | Code function: | 0_2_0040E500 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | API call chain: | graph_0-87806 | ||
| Source: | API call chain: | graph_0-85540 | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_0045A370 | |
| Source: | Code function: | 0_2_0040D590 | |
| Source: | Code function: | 0_2_0040EBD0 | |
| Source: | Code function: | 0_2_004238DA | |
| Source: | Code function: | 0_2_0041F250 | |
| Source: | Code function: | 0_2_0041A208 | |
| Source: | Code function: | 0_2_00417DAA | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Section unmapped: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Code function: | 0_2_00436CD7 | |
| Source: | Code function: | 0_2_0040D590 | |
| Source: | Code function: | 0_2_00434418 | |
| Source: | Code function: | 0_2_0043333C | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00446124 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 2_2_00406C2C | |
| Source: | Code function: | 2_2_00406D38 | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_004720DB | |
| Source: | Code function: | 0_2_00472C3F | |
| Source: | Code function: | 0_2_0041E364 | |
| Source: | Code function: | 0_2_0040E500 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_004652BE | |
| Source: | Code function: | 0_2_00476619 | |
| Source: | Code function: | 0_2_0046CEF3 | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 1 Native API | 1 LSASS Driver | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 121 Input Capture | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | 1 Shared Modules | 1 DLL Side-Loading | 1 LSASS Driver | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 121 Input Capture | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | 2 Valid Accounts | 1 DLL Side-Loading | 2 Obfuscated Files or Information | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | 1 Registry Run Keys / Startup Folder | 2 Valid Accounts | 1 DLL Side-Loading | NTDS | 25 System Information Discovery | Distributed Component Object Model | Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 21 Access Token Manipulation | 1 Masquerading | LSA Secrets | 21 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 412 Process Injection | 2 Valid Accounts | Cached Domain Credentials | 12 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | 1 Registry Run Keys / Startup Folder | 12 Virtualization/Sandbox Evasion | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 412 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 46% | Virustotal | Browse | ||
| 39% | ReversingLabs | Win32.Backdoor.DarkComet | ||
| 100% | Avira | HEUR/AGEN.1321677 | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | high | |
| kasavetia.no-ip.biz | unknown | unknown | true | unknown | |
| eu3.no-ip.biz | unknown | unknown | true | unknown |
⊘No contacted IP infos
| Joe Sandbox version: | 42.0.0 Malachite |
| Analysis ID: | 1589394 |
| Start date and time: | 2025-01-12 07:10:12 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 7m 53s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 7 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | hgTNnG8vjD.exerenamed because original name is a hash value |
| Original Sample Name: | 9423bc1d281e52a2b42d4c4904c9ac774dcac46aa278c28fa8d0e0b949c70564.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@3/0@52/0 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53
- Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing disassembly code.
- Report size getting too big, too many NtCreateFile calls found.
- Report size getting too big, too many NtDeviceIoControlFile calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
| Time | Type | Description |
|---|---|---|
| 01:11:40 | API Interceptor | |
| 06:11:11 | Autostart | |
| 06:11:19 | Autostart |
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| bg.microsoft.map.fastly.net | Get hash | malicious | HTMLPhisher | Browse |
| |
| Get hash | malicious | Strela Downloader | Browse |
| ||
| Get hash | malicious | Strela Downloader | Browse |
| ||
| Get hash | malicious | Strela Downloader | Browse |
| ||
| Get hash | malicious | Strela Downloader | Browse |
| ||
| Get hash | malicious | Strela Downloader | Browse |
| ||
| Get hash | malicious | Strela Downloader | Browse |
| ||
| Get hash | malicious | Strela Downloader | Browse |
| ||
| Get hash | malicious | Strela Downloader | Browse |
| ||
| Get hash | malicious | Strela Downloader | Browse |
|
⊘No context
⊘No context
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 7.697733512706755 |
| TrID: |
|
| File name: | hgTNnG8vjD.exe |
| File size: | 1'779'958 bytes |
| MD5: | 42569d9b139c0093fa393444dfbea52e |
| SHA1: | 0f661a3a1b6b9c728e8949d14db45af6e4f0d103 |
| SHA256: | 9423bc1d281e52a2b42d4c4904c9ac774dcac46aa278c28fa8d0e0b949c70564 |
| SHA512: | a88369d7bacea297de1c5a6c9a795624d5d0c0a7a883d86c38919824bf97dcbd847f53aa411ab9e8ff82ead72b918f5c5e014dd0b1db9ee8f1b63bb69d267ee3 |
| SSDEEP: | 49152:7JZoQrbTFZY1iaCfnJxpCJOj6ToF1QtrOr10Z/GX:7trbTA1G4OeU4tk0ZOX |
| TLSH: | C0850222B5C65075C2B333B19E7AF7AA9A3D79360332D2DB27C81D714EA05412B39763 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................1b.......P.).....Q.......y.......i..........}....N.......d.......`.......m.......g.....Rich............PE..L.. |
 | |
| Icon Hash: | 1733312925935517 |
| Entrypoint: | 0x4165c1 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
| DLL Characteristics: | TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 0 |
| File Version Major: | 5 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 0 |
| Import Hash: | d3bf8a7746a8d1ee8f6e5960c3f69378 |
| Instruction |
|---|
| call 00007F55F91ABABBh |
| jmp 00007F55F91A292Eh |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| push ebp |
| mov ebp, esp |
| push edi |
| push esi |
| mov esi, dword ptr [ebp+0Ch] |
| mov ecx, dword ptr [ebp+10h] |
| mov edi, dword ptr [ebp+08h] |
| mov eax, ecx |
| mov edx, ecx |
| add eax, esi |
| cmp edi, esi |
| jbe 00007F55F91A2AAAh |
| cmp edi, eax |
| jc 00007F55F91A2C46h |
| cmp ecx, 00000080h |
| jc 00007F55F91A2ABEh |
| cmp dword ptr [004A9724h], 00000000h |
| je 00007F55F91A2AB5h |
| push edi |
| push esi |
| and edi, 0Fh |
| and esi, 0Fh |
| cmp edi, esi |
| pop esi |
| pop edi |
| jne 00007F55F91A2AA7h |
| jmp 00007F55F91A2E82h |
| test edi, 00000003h |
| jne 00007F55F91A2AB6h |
| shr ecx, 02h |
| and edx, 03h |
| cmp ecx, 08h |
| jc 00007F55F91A2ACBh |
| rep movsd |
| jmp dword ptr [00416740h+edx*4] |
| mov eax, edi |
| mov edx, 00000003h |
| sub ecx, 04h |
| jc 00007F55F91A2AAEh |
| and eax, 03h |
| add ecx, eax |
| jmp dword ptr [00416654h+eax*4] |
| jmp dword ptr [00416750h+ecx*4] |
| nop |
| jmp dword ptr [004166D4h+ecx*4] |
| nop |
| inc cx |
| add byte ptr [eax-4BFFBE9Ah], dl |
| inc cx |
| add byte ptr [ebx], ah |
| ror dword ptr [edx-75F877FAh], 1 |
| inc esi |
| add dword ptr [eax+468A0147h], ecx |
| add al, cl |
| jmp 00007F55FB61B2A7h |
| add esi, 03h |
| add edi, 03h |
| cmp ecx, 08h |
| jc 00007F55F91A2A6Eh |
| rep movsd |
| jmp dword ptr [00000000h+edx*4] |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8d41c | 0x154 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xab000 | 0x9328 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x82000 | 0x844 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x8061c | 0x80800 | 61ffce4768976fa0dd2a8f6a97b1417a | False | 0.5583182605787937 | data | 6.684690148171278 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x82000 | 0xdfc0 | 0xe000 | 0354bc5f2376b5e9a4a3ba38b682dff1 | False | 0.36085728236607145 | data | 4.799741132252136 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x90000 | 0x1a758 | 0x6800 | 8033f5a38941b4685bc2299e78f31221 | False | 0.15324519230769232 | data | 2.1500715391677487 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xab000 | 0x9328 | 0x9400 | 495451d7eb8326bd9fa2714869ea6de8 | False | 0.49002322635135137 | data | 5.541804843154628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xab5c8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027 |
| RT_ICON | 0xab6f0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216 |
| RT_ICON | 0xab818 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135 |
| RT_ICON | 0xab940 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | Great Britain | 0.48109756097560974 |
| RT_ICON | 0xabfa8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | Great Britain | 0.5672043010752689 |
| RT_ICON | 0xac290 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | Great Britain | 0.6418918918918919 |
| RT_ICON | 0xac3b8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | Great Britain | 0.7044243070362474 |
| RT_ICON | 0xad260 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | Great Britain | 0.8077617328519856 |
| RT_ICON | 0xadb08 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | Great Britain | 0.5903179190751445 |
| RT_ICON | 0xae070 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.5503112033195021 |
| RT_ICON | 0xb0618 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.6050656660412758 |
| RT_ICON | 0xb16c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.7553191489361702 |
| RT_MENU | 0xb1b28 | 0x50 | data | English | Great Britain | 0.9 |
| RT_DIALOG | 0xb1b78 | 0xfc | data | English | Great Britain | 0.6507936507936508 |
| RT_STRING | 0xb1c78 | 0x530 | data | English | Great Britain | 0.33960843373493976 |
| RT_STRING | 0xb21a8 | 0x690 | data | English | Great Britain | 0.26964285714285713 |
| RT_STRING | 0xb2838 | 0x4d0 | data | English | Great Britain | 0.36363636363636365 |
| RT_STRING | 0xb2d08 | 0x5fc | data | English | Great Britain | 0.3087467362924282 |
| RT_STRING | 0xb3308 | 0x65c | data | English | Great Britain | 0.34336609336609336 |
| RT_STRING | 0xb3968 | 0x388 | data | English | Great Britain | 0.377212389380531 |
| RT_STRING | 0xb3cf0 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.502906976744186 |
| RT_GROUP_ICON | 0xb3e48 | 0x84 | data | English | Great Britain | 0.6439393939393939 |
| RT_GROUP_ICON | 0xb3ed0 | 0x14 | data | English | Great Britain | 1.15 |
| RT_GROUP_ICON | 0xb3ee8 | 0x14 | data | English | Great Britain | 1.25 |
| RT_GROUP_ICON | 0xb3f00 | 0x14 | data | English | Great Britain | 1.25 |
| RT_VERSION | 0xb3f18 | 0x19c | data | English | Great Britain | 0.5339805825242718 |
| RT_MANIFEST | 0xb40b8 | 0x26c | ASCII text, with CRLF line terminators | English | United States | 0.5145161290322581 |
| DLL | Import |
|---|---|
| WSOCK32.dll | __WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv |
| VERSION.dll | VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW |
| WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW |
| COMCTL32.dll | ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy |
| MPR.dll | WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW |
| WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable |
| PSAPI.DLL | EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules |
| USERENV.dll | CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW |
| KERNEL32.dll | HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, lstrcpyW, MultiByteToWideChar, lstrlenW, lstrcmpiW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, GetProcessHeap, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetLocalTime, CompareStringW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetStartupInfoW, IsProcessorFeaturePresent, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStringTypeW, HeapCreate, SetHandleCount, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, RtlUnwind, SetFilePointer, GetTimeZoneInformation, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, HeapReAlloc, WriteConsoleW, SetEndOfFile, SetSystemPowerState, SetEnvironmentVariableA |
| USER32.dll | GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, SetWindowPos, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, TranslateMessage, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, GetMenuItemID, DispatchMessageW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, PeekMessageW, UnregisterHotKey, CharLowerBuffW, keybd_event, MonitorFromRect, GetWindowThreadProcessId |
| GDI32.dll | DeleteObject, AngleArc, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, GetDeviceCaps, MoveToEx, DeleteDC, GetPixel, CreateDCW, Ellipse, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, LineTo |
| COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW |
| ADVAPI32.dll | RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, CloseServiceHandle, UnlockServiceDatabase, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, CopySid, LogonUserW, LockServiceDatabase, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, GetAce, AddAce, SetSecurityDescriptorDacl, RegOpenKeyExW, RegQueryValueExW, AdjustTokenPrivileges, InitiateSystemShutdownExW, OpenSCManagerW, RegCloseKey |
| SHELL32.dll | DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish |
| ole32.dll | OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CLSIDFromString, StringFromGUID2, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, ProgIDFromCLSID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize, IIDFromString |
| OLEAUT32.dll | VariantChangeType, VariantCopyInd, DispCallFunc, CreateStdDispatch, CreateDispTypeInfo, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SysStringLen, SafeArrayAllocData, GetActiveObject, QueryPathOfRegTypeLib, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysAllocString, VariantCopy, VariantClear, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, SafeArrayAccessData, VariantInit |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | Great Britain |  |
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 12, 2025 07:11:11.032500982 CET | 53778 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:11:11.041121006 CET | 53 | 53778 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:11:11.460659981 CET | 64032 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:11:11.469599009 CET | 53 | 64032 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:11:15.960539103 CET | 49784 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:11:15.970261097 CET | 53 | 49784 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:11:16.585747957 CET | 57741 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:11:16.599122047 CET | 53 | 57741 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:11:20.913794994 CET | 50586 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:11:20.922000885 CET | 53 | 50586 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:11:21.554433107 CET | 53807 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:11:21.563051939 CET | 53 | 53807 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:11:25.851231098 CET | 57854 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:11:25.859534979 CET | 53 | 57854 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:11:26.491812944 CET | 55862 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:11:26.500015974 CET | 53 | 55862 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:11:30.773225069 CET | 56708 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:11:30.782426119 CET | 53 | 56708 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:11:32.007514000 CET | 56966 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:11:32.016103029 CET | 53 | 56966 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:11:35.710527897 CET | 54015 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:11:35.720642090 CET | 53 | 54015 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:11:36.945127964 CET | 63580 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:11:36.954858065 CET | 53 | 63580 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:11:40.616965055 CET | 51449 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:11:40.625731945 CET | 53 | 51449 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:11:41.851394892 CET | 54383 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:11:41.859895945 CET | 53 | 54383 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:11:45.601264000 CET | 64154 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:11:45.609204054 CET | 53 | 64154 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:11:46.543889999 CET | 56303 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:11:46.552405119 CET | 53 | 56303 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:11:50.913865089 CET | 50438 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:11:50.921987057 CET | 53 | 50438 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:11:51.820496082 CET | 60524 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:11:51.829123020 CET | 53 | 60524 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:11:55.820090055 CET | 54019 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:11:55.828764915 CET | 53 | 54019 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:11:56.570074081 CET | 62084 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:11:56.579430103 CET | 53 | 62084 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:12:00.554683924 CET | 57864 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:12:00.563114882 CET | 53 | 57864 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:12:01.523149967 CET | 50956 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:12:01.532073975 CET | 53 | 50956 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:12:05.523181915 CET | 62190 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:12:05.530647039 CET | 53 | 62190 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:12:06.460491896 CET | 57716 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:12:06.467693090 CET | 53 | 57716 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:12:10.523225069 CET | 58818 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:12:10.531938076 CET | 53 | 58818 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:12:11.476340055 CET | 65202 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:12:11.484965086 CET | 53 | 65202 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:12:15.460844994 CET | 65484 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:12:15.469279051 CET | 53 | 65484 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:12:16.491864920 CET | 61775 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:12:16.500611067 CET | 53 | 61775 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:12:20.460582972 CET | 52399 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:12:20.470036030 CET | 53 | 52399 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:12:21.479729891 CET | 58576 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:12:21.488456964 CET | 53 | 58576 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:12:25.461544991 CET | 57233 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:12:25.470385075 CET | 53 | 57233 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:12:26.460678101 CET | 54135 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:12:26.469707012 CET | 53 | 54135 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:12:30.460496902 CET | 62383 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:12:30.468992949 CET | 53 | 62383 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:12:31.460515976 CET | 52563 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:12:31.469276905 CET | 53 | 52563 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:12:35.460438013 CET | 60212 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:12:35.469578028 CET | 53 | 60212 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:12:36.460725069 CET | 54328 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:12:36.469320059 CET | 53 | 54328 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:12:40.460751057 CET | 65477 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:12:40.468609095 CET | 53 | 65477 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:12:41.460735083 CET | 62275 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:12:41.467952013 CET | 53 | 62275 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:12:45.711544037 CET | 57827 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:12:45.720774889 CET | 53 | 57827 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:12:46.460680962 CET | 57030 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:12:46.468111992 CET | 53 | 57030 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:12:50.460522890 CET | 63679 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:12:50.469788074 CET | 53 | 63679 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:12:51.460541010 CET | 58835 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:12:51.469377995 CET | 53 | 58835 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:12:55.460855961 CET | 63724 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:12:55.469090939 CET | 53 | 63724 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:12:56.461005926 CET | 50967 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:12:56.469233036 CET | 53 | 50967 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:13:00.460949898 CET | 52384 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:13:00.469588995 CET | 53 | 52384 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:13:01.461560965 CET | 57941 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:13:01.470452070 CET | 53 | 57941 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:13:05.502003908 CET | 53189 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:13:05.510554075 CET | 53 | 53189 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:13:06.462879896 CET | 55634 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:13:06.471136093 CET | 53 | 55634 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:13:10.460505962 CET | 52001 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:13:10.469372988 CET | 53 | 52001 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:13:11.460959911 CET | 58910 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:13:11.469872952 CET | 53 | 58910 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:13:19.585838079 CET | 64191 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:13:19.593051910 CET | 53 | 64191 | 1.1.1.1 | 192.168.2.9 |
| Jan 12, 2025 07:13:20.007695913 CET | 50134 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 12, 2025 07:13:20.015003920 CET | 53 | 50134 | 1.1.1.1 | 192.168.2.9 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Jan 12, 2025 07:11:11.032500982 CET | 192.168.2.9 | 1.1.1.1 | 0xbc0b | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:11:11.460659981 CET | 192.168.2.9 | 1.1.1.1 | 0x10a0 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:11:15.960539103 CET | 192.168.2.9 | 1.1.1.1 | 0xe0a6 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:11:16.585747957 CET | 192.168.2.9 | 1.1.1.1 | 0xb36 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:11:20.913794994 CET | 192.168.2.9 | 1.1.1.1 | 0xc26e | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:11:21.554433107 CET | 192.168.2.9 | 1.1.1.1 | 0x850 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:11:25.851231098 CET | 192.168.2.9 | 1.1.1.1 | 0xe8c5 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:11:26.491812944 CET | 192.168.2.9 | 1.1.1.1 | 0xbb7b | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:11:30.773225069 CET | 192.168.2.9 | 1.1.1.1 | 0xbe05 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:11:32.007514000 CET | 192.168.2.9 | 1.1.1.1 | 0xa53f | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:11:35.710527897 CET | 192.168.2.9 | 1.1.1.1 | 0xe628 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:11:36.945127964 CET | 192.168.2.9 | 1.1.1.1 | 0x45a9 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:11:40.616965055 CET | 192.168.2.9 | 1.1.1.1 | 0x54a6 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:11:41.851394892 CET | 192.168.2.9 | 1.1.1.1 | 0xad78 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:11:45.601264000 CET | 192.168.2.9 | 1.1.1.1 | 0x2640 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:11:46.543889999 CET | 192.168.2.9 | 1.1.1.1 | 0x8b4 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:11:50.913865089 CET | 192.168.2.9 | 1.1.1.1 | 0x8daf | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:11:51.820496082 CET | 192.168.2.9 | 1.1.1.1 | 0xf560 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:11:55.820090055 CET | 192.168.2.9 | 1.1.1.1 | 0x3c5e | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:11:56.570074081 CET | 192.168.2.9 | 1.1.1.1 | 0xc6bf | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:12:00.554683924 CET | 192.168.2.9 | 1.1.1.1 | 0xc95c | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:12:01.523149967 CET | 192.168.2.9 | 1.1.1.1 | 0xc585 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:12:05.523181915 CET | 192.168.2.9 | 1.1.1.1 | 0xa2e6 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:12:06.460491896 CET | 192.168.2.9 | 1.1.1.1 | 0x9543 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:12:10.523225069 CET | 192.168.2.9 | 1.1.1.1 | 0xef8 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:12:11.476340055 CET | 192.168.2.9 | 1.1.1.1 | 0xcbfa | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:12:15.460844994 CET | 192.168.2.9 | 1.1.1.1 | 0xc8c7 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:12:16.491864920 CET | 192.168.2.9 | 1.1.1.1 | 0x8963 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:12:20.460582972 CET | 192.168.2.9 | 1.1.1.1 | 0x91d7 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:12:21.479729891 CET | 192.168.2.9 | 1.1.1.1 | 0x441b | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:12:25.461544991 CET | 192.168.2.9 | 1.1.1.1 | 0xeb3 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:12:26.460678101 CET | 192.168.2.9 | 1.1.1.1 | 0x61cb | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:12:30.460496902 CET | 192.168.2.9 | 1.1.1.1 | 0xad3a | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:12:31.460515976 CET | 192.168.2.9 | 1.1.1.1 | 0x4a57 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:12:35.460438013 CET | 192.168.2.9 | 1.1.1.1 | 0x530b | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:12:36.460725069 CET | 192.168.2.9 | 1.1.1.1 | 0x7b7d | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:12:40.460751057 CET | 192.168.2.9 | 1.1.1.1 | 0x4156 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:12:41.460735083 CET | 192.168.2.9 | 1.1.1.1 | 0x7b72 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:12:45.711544037 CET | 192.168.2.9 | 1.1.1.1 | 0xd433 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:12:46.460680962 CET | 192.168.2.9 | 1.1.1.1 | 0xf75f | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:12:50.460522890 CET | 192.168.2.9 | 1.1.1.1 | 0xcd50 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:12:51.460541010 CET | 192.168.2.9 | 1.1.1.1 | 0x1814 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:12:55.460855961 CET | 192.168.2.9 | 1.1.1.1 | 0xab38 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:12:56.461005926 CET | 192.168.2.9 | 1.1.1.1 | 0x4a2a | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:13:00.460949898 CET | 192.168.2.9 | 1.1.1.1 | 0x1c98 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:13:01.461560965 CET | 192.168.2.9 | 1.1.1.1 | 0x528b | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:13:05.502003908 CET | 192.168.2.9 | 1.1.1.1 | 0xe49d | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:13:06.462879896 CET | 192.168.2.9 | 1.1.1.1 | 0xce41 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:13:10.460505962 CET | 192.168.2.9 | 1.1.1.1 | 0xf20e | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:13:11.460959911 CET | 192.168.2.9 | 1.1.1.1 | 0xe0eb | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:13:19.585838079 CET | 192.168.2.9 | 1.1.1.1 | 0x3752 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 12, 2025 07:13:20.007695913 CET | 192.168.2.9 | 1.1.1.1 | 0x59ad | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jan 12, 2025 07:12:26.063739061 CET | 1.1.1.1 | 192.168.2.9 | 0x6c1a | No error (0) | 199.232.210.172 | A (IP address) | IN (0x0001) | false | ||
| Jan 12, 2025 07:12:26.063739061 CET | 1.1.1.1 | 192.168.2.9 | 0x6c1a | No error (0) | 199.232.214.172 | A (IP address) | IN (0x0001) | false |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 01:11:07 |
| Start date: | 12/01/2025 |
| Path: | C:\Users\user\Desktop\hgTNnG8vjD.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 1'779'958 bytes |
| MD5 hash: | 42569D9B139C0093FA393444DFBEA52E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | false |
| Target ID: | 2 |
| Start time: | 01:11:09 |
| Start date: | 12/01/2025 |
| Path: | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xae0000 |
| File size: | 32'768 bytes |
| MD5 hash: | 3A77A4F220612FA55118FB8D7DDAE83C |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Yara matches: |
|
| Reputation: | moderate |
| Has exited: | false |
Execution Graph
| Execution Coverage: | 3.8% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 9.1% |
| Total number of Nodes: | 2000 |
| Total number of Limit Nodes: | 50 |
Graph
Function 004096A0 Relevance: 33.9, APIs: 21, Instructions: 2413COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D590 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 144windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00431A86 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 139fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040EBD0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004091E0 Relevance: 44.6, APIs: 22, Strings: 3, Instructions: 837windowsleepCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0046B9D7 Relevance: 40.7, APIs: 17, Strings: 6, Instructions: 415registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004528BD Relevance: 19.7, APIs: 13, Instructions: 173COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00410490 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 56windowregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00410390 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 76windowregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401100 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136windowtimeregistryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040E4C0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004577E9 Relevance: 9.2, APIs: 6, Instructions: 217COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040F250 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 66registryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004102B0 Relevance: 7.6, APIs: 5, Instructions: 87COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00475077 Relevance: 4.9, APIs: 3, Instructions: 390COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004684DC Relevance: 4.8, APIs: 3, Instructions: 337COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00429B7D Relevance: 4.7, APIs: 3, Instructions: 201COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00475300 Relevance: 4.6, APIs: 3, Instructions: 141COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00443A87 Relevance: 4.6, APIs: 3, Instructions: 65windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043213D Relevance: 4.5, APIs: 3, Instructions: 38COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00409519 Relevance: 4.5, APIs: 3, Instructions: 31windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040AFA0 Relevance: 3.3, APIs: 2, Instructions: 258COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040C1F0 Relevance: 3.2, APIs: 2, Instructions: 156COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00467AC4 Relevance: 3.1, APIs: 2, Instructions: 130COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040F760 Relevance: 3.1, APIs: 2, Instructions: 92COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D6B0 Relevance: 3.1, APIs: 2, Instructions: 74COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00414FE2 Relevance: 3.0, APIs: 2, Instructions: 26COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B400 Relevance: 1.6, APIs: 1, Instructions: 117COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402F00 Relevance: 1.6, APIs: 1, Instructions: 104COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402780 Relevance: 1.6, APIs: 1, Instructions: 101COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00408F40 Relevance: 1.6, APIs: 1, Instructions: 71COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0046F3C1 Relevance: 1.6, APIs: 1, Instructions: 66COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045C9A0 Relevance: 1.6, APIs: 1, Instructions: 64COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00428905 Relevance: 1.5, APIs: 1, Instructions: 39COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042A1BE Relevance: 1.5, APIs: 1, Instructions: 36COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042D3A0 Relevance: 1.5, APIs: 1, Instructions: 36COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00443D19 Relevance: 1.5, APIs: 1, Instructions: 36COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004287CA Relevance: 1.5, APIs: 1, Instructions: 35COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00433998 Relevance: 1.5, APIs: 1, Instructions: 15COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004149C2 Relevance: 1.5, APIs: 1, Instructions: 10COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0047C81C Relevance: 74.2, APIs: 40, Strings: 2, Instructions: 674windowkeyboardCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00434418 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 133keyboardthreadwindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00446313 Relevance: 37.0, APIs: 17, Strings: 4, Instructions: 234processCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004788BD Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 217timefileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004720DB Relevance: 21.4, APIs: 11, Strings: 1, Instructions: 377timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00442886 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 135fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004333BE Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 86shutdownCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00446124 Relevance: 16.7, APIs: 11, Instructions: 182COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043305F Relevance: 16.6, APIs: 11, Instructions: 122COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045A10F Relevance: 16.6, APIs: 11, Instructions: 120clipboardmemoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00452492 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 128filesleepCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041A208 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0047A330 Relevance: 7.6, APIs: 5, Instructions: 71windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045CAFA Relevance: 4.6, APIs: 3, Instructions: 130fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004339B6 Relevance: 4.5, APIs: 3, Instructions: 28fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0047EA6F Relevance: 2.0, APIs: 1, Instructions: 502COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00436CD7 Relevance: 1.5, APIs: 1, Instructions: 22COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00472C3F Relevance: 1.5, APIs: 1, Instructions: 7COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041F250 Relevance: 1.5, APIs: 1, Instructions: 4COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040FA10 Relevance: .6, Instructions: 607COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004129D0 Relevance: .4, Instructions: 355COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004125E8 Relevance: .3, Instructions: 349COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00412216 Relevance: .3, Instructions: 332COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004594E9 Relevance: 79.2, APIs: 41, Strings: 4, Instructions: 490filewindowcomCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004417BF Relevance: 49.8, APIs: 33, Instructions: 275COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004590BD Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 291windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00430737 Relevance: 43.6, APIs: 29, Instructions: 108COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004565B2 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 291windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00471BC9 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 313windowtimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00455A89 Relevance: 31.9, APIs: 21, Instructions: 395COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00452AC7 Relevance: 31.8, APIs: 21, Instructions: 343COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00417C20 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 109libraryloadermemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004341E6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 91windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0046A07E Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 253windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00468B0E Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 207windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00460879 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 136windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0046163E Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 294windowtimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045FD57 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 227windowsleepCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004313CA Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00432A10 Relevance: 21.1, APIs: 14, Instructions: 140timeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004551F5 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 115windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00433493 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 84networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00445BE4 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 77windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00443B61 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 99sleepwindowtimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00454014 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 93windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00467C8E Relevance: 18.3, APIs: 12, Instructions: 310COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004357B7 Relevance: 18.2, APIs: 12, Instructions: 184COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00433784 Relevance: 18.1, APIs: 12, Instructions: 119COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0046CB5F Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 304comCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004718BA Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 147windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00458651 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 135registryshareCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00470B6C Relevance: 16.6, APIs: 11, Instructions: 125COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004542ED Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 271libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0046C5FA Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 208comCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004710F1 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 157windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004505F0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 147windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00469BF3 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 88windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045DC4C Relevance: 15.2, APIs: 10, Instructions: 190COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004485CB Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 109windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0047679F Relevance: 13.8, APIs: 9, Instructions: 307COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004561DA Relevance: 13.7, APIs: 9, Instructions: 164COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00441165 Relevance: 13.6, APIs: 9, Instructions: 142COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00432704 Relevance: 13.5, APIs: 9, Instructions: 42COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045EA0F Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 325timeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004091B0 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 324sleepCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044AA86 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 174networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045FBAC Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 147windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044BBD2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 105filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00434034 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 49windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041793C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 40COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0046822A Relevance: 12.3, APIs: 8, Instructions: 267COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044B489 Relevance: 12.1, APIs: 8, Instructions: 102fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00415214 Relevance: 12.1, APIs: 8, Instructions: 66threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044734F Relevance: 10.7, APIs: 7, Instructions: 210COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044982A Relevance: 10.6, APIs: 7, Instructions: 135COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00448AB2 Relevance: 10.6, APIs: 7, Instructions: 98windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00450B7C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00455531 Relevance: 10.6, APIs: 7, Instructions: 75windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041F6F9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00436C6E Relevance: 10.5, APIs: 7, Instructions: 49threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043028B Relevance: 9.3, APIs: 6, Instructions: 255COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00444BFC Relevance: 9.2, APIs: 6, Instructions: 163COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00451B42 Relevance: 9.1, APIs: 6, Instructions: 144memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00447BA8 Relevance: 9.1, APIs: 6, Instructions: 119COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044900D Relevance: 9.1, APIs: 6, Instructions: 111windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00440A0D Relevance: 9.1, APIs: 6, Instructions: 111windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00448804 Relevance: 9.1, APIs: 6, Instructions: 92windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00441078 Relevance: 9.1, APIs: 6, Instructions: 86COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00471A38 Relevance: 9.1, APIs: 6, Instructions: 79windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00455616 Relevance: 9.1, APIs: 6, Instructions: 78windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044389A Relevance: 9.1, APIs: 6, Instructions: 76COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00455168 Relevance: 9.1, APIs: 6, Instructions: 75windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004552FA Relevance: 9.1, APIs: 6, Instructions: 72windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004556C8 Relevance: 9.1, APIs: 6, Instructions: 67windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004331A2 Relevance: 9.1, APIs: 6, Instructions: 64sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004555A8 Relevance: 9.1, APIs: 6, Instructions: 61windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00447275 Relevance: 9.0, APIs: 6, Instructions: 50COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044CC51 Relevance: 9.0, APIs: 6, Instructions: 50COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044B63B Relevance: 9.0, APIs: 6, Instructions: 40synchronizationthreadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004151BB Relevance: 9.0, APIs: 6, Instructions: 29threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045F790 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 216windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00448480 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 107windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00469CDB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 100windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401B80 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 91windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00461554 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 74windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00462A31 Relevance: 7.7, APIs: 5, Instructions: 227COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004757A7 Relevance: 7.7, APIs: 5, Instructions: 220COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0047D40F Relevance: 7.6, APIs: 5, Instructions: 120sleepCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045C3C1 Relevance: 7.6, APIs: 5, Instructions: 118COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00436A0B Relevance: 7.6, APIs: 5, Instructions: 103COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00449555 Relevance: 7.6, APIs: 5, Instructions: 96windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004478AC Relevance: 7.6, APIs: 5, Instructions: 96windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004479A0 Relevance: 7.6, APIs: 5, Instructions: 96COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00447BF1 Relevance: 7.6, APIs: 5, Instructions: 95COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004487EA Relevance: 7.6, APIs: 5, Instructions: 89COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004550FC Relevance: 7.6, APIs: 5, Instructions: 78COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00445870 Relevance: 7.6, APIs: 5, Instructions: 78windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004653C8 Relevance: 7.6, APIs: 5, Instructions: 72networkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044719B Relevance: 7.6, APIs: 5, Instructions: 70COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00434582 Relevance: 7.6, APIs: 5, Instructions: 61sleepCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004556A0 Relevance: 7.5, APIs: 5, Instructions: 45windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004555ED Relevance: 7.5, APIs: 5, Instructions: 43windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00455607 Relevance: 7.5, APIs: 5, Instructions: 42windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004151AF Relevance: 7.5, APIs: 5, Instructions: 22threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043659E Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 162windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044A856 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122networkCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045FA41 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00434B02 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 108libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00450ACC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004496E9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004312CC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004312FE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043129A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00430C7F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00479500 Relevance: 6.2, APIs: 4, Instructions: 162memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0046993E Relevance: 6.1, APIs: 4, Instructions: 149windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004499DB Relevance: 6.1, APIs: 4, Instructions: 145COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041415F Relevance: 6.1, APIs: 4, Instructions: 130COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00441672 Relevance: 6.1, APIs: 4, Instructions: 116windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045D1AF Relevance: 6.1, APIs: 4, Instructions: 103fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045039B Relevance: 6.1, APIs: 4, Instructions: 102COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00442A83 Relevance: 6.1, APIs: 4, Instructions: 87windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0047438B Relevance: 6.1, APIs: 4, Instructions: 83COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004494A5 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0046888B Relevance: 6.1, APIs: 4, Instructions: 80COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0047A26A Relevance: 6.1, APIs: 4, Instructions: 78COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00434CC9 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 75stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0046D402 Relevance: 6.1, APIs: 4, Instructions: 73networkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00448C3C Relevance: 6.1, APIs: 4, Instructions: 72windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00458A61 Relevance: 6.1, APIs: 4, Instructions: 71networkCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004368A0 Relevance: 6.1, APIs: 4, Instructions: 69windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004301F8 Relevance: 6.1, APIs: 4, Instructions: 57windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00443C87 Relevance: 6.1, APIs: 4, Instructions: 57synchronizationthreadwindowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00430B87 Relevance: 6.1, APIs: 4, Instructions: 53COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00433908 Relevance: 6.0, APIs: 4, Instructions: 50COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00434963 Relevance: 6.0, APIs: 4, Instructions: 46COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041F584 Relevance: 6.0, APIs: 4, Instructions: 41COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004556BE Relevance: 6.0, APIs: 4, Instructions: 40windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044B5E8 Relevance: 6.0, APIs: 4, Instructions: 37COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004472F1 Relevance: 6.0, APIs: 4, Instructions: 35COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00472B63 Relevance: 6.0, APIs: 4, Instructions: 27COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00472BB2 Relevance: 6.0, APIs: 4, Instructions: 27COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041514D Relevance: 6.0, APIs: 4, Instructions: 16threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00467215 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 181shareCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004667E1 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 114networkCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044835A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00451006 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00451321 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00476CA4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72sleepCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00465225 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044256C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004560F2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00442651 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22networkCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00441BE8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00441C20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004370C3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 8windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|