Edit tour
Windows
Analysis Report
regsvr.exe
Overview
General Information
| Sample name: | regsvr.exe |
| Analysis ID: | 1591253 |
| MD5: | e05f460eb752d40392f1d75d75716276 |
| SHA1: | 38320c10449e636fab9c7649454b52248957ee1e |
| SHA256: | 804465598e1edc091a4ec8844cd7d8c81063ebad37339a1d646e0e0f242c5b89 |
| Infos: |  |
 | |
Detection
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Disables the Windows registry editor (regedit)
Disables the Windows task manager (taskmgr)
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has a writeable .text section
Sigma detected: Interactive AT Job
Uses schtasks.exe or at.exe to add and modify task schedules
Checks for available system drives (often done to infect USB drives)
Contains functionality for read data from the clipboard
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Entry point lies outside standard sections
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
regsvr.exe (PID: 6508 cmdline: "C:\Users\ user\Deskt op\regsvr. exe" MD5: E05F460EB752D40392F1D75D75716276) 
cmd.exe (PID: 5404 cmdline: C:\Windows \system32\ cmd.exe /C AT /delet e /yes MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 1400 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
at.exe (PID: 7056 cmdline: AT /delete /yes MD5: 2AE20048111861FA09B709D3CC551AD6) - cmd.exe (PID: 2812 cmdline:
C:\Windows \system32\ cmd.exe /C AT 09:00 /interacti ve /EVERY: m,t,w,th,f ,s,su C:\W indows\sys tem32\svch ost .exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 3620 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - at.exe (PID: 1812 cmdline:
AT 09:00 / interactiv e /EVERY:m ,t,w,th,f, s,su C:\Wi ndows\syst em32\svcho st .exe MD5: 2AE20048111861FA09B709D3CC551AD6)
- regsvr.exe (PID: 3168 cmdline:
"C:\Window s\regsvr.e xe" MD5: E05F460EB752D40392F1D75D75716276)
- cleanup
⊘No configs have been found
⊘No yara matches
System Summary |   |
|---|
| Source: | Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community: | ||
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-14T20:49:09.661212+0100 | 2012200 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 74.6.143.25 | 80 | TCP |
| 2025-01-14T20:49:10.598364+0100 | 2012200 | 1 | A Network Trojan was detected | 192.168.2.5 | 49706 | 74.6.143.25 | 443 | TCP |
| 2025-01-14T20:49:11.678741+0100 | 2012200 | 1 | A Network Trojan was detected | 192.168.2.5 | 49707 | 87.248.119.252 | 443 | TCP |
| 2025-01-14T20:49:12.843490+0100 | 2012200 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 74.6.143.25 | 80 | TCP |
| 2025-01-14T20:49:13.479647+0100 | 2012200 | 1 | A Network Trojan was detected | 192.168.2.5 | 49708 | 74.6.143.25 | 443 | TCP |
| 2025-01-14T20:49:14.520787+0100 | 2012200 | 1 | A Network Trojan was detected | 192.168.2.5 | 49709 | 87.248.119.252 | 443 | TCP |
| 2025-01-14T20:49:15.186129+0100 | 2012200 | 1 | A Network Trojan was detected | 192.168.2.5 | 49710 | 87.248.119.252 | 80 | TCP |
| 2025-01-14T20:49:16.293240+0100 | 2012200 | 1 | A Network Trojan was detected | 192.168.2.5 | 49712 | 87.248.119.252 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-14T20:49:09.661212+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.5 | 49705 | 74.6.143.25 | 80 | TCP |
| 2025-01-14T20:49:12.843490+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.5 | 49705 | 74.6.143.25 | 80 | TCP |
| 2025-01-14T20:49:15.186129+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.5 | 49710 | 87.248.119.252 | 80 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_0040C49D | |
| Source: | Code function: | 0_2_0040C78E | |
| Source: | Code function: | 0_2_0041DE3C | |
| Source: | Code function: | 0_2_0041E028 | |
| Source: | Code function: | 0_2_0041B572 | |
| Source: | Code function: | 0_2_0040C672 | |
| Source: | Code function: | 0_2_0041EA5E | |
| Source: | Code function: | 0_2_0041BA0A | |
| Source: | Code function: | 0_2_0041BB4D | |
| Source: | Code function: | 9_2_0040C49D | |
| Source: | Code function: | 9_2_0040C78E | |
| Source: | Code function: | 9_2_0041DE3C | |
| Source: | Code function: | 9_2_0041E028 | |
| Source: | Code function: | 9_2_0041B572 | |
| Source: | Code function: | 9_2_0040C672 | |
| Source: | Code function: | 9_2_0041EA5E | |
| Source: | Code function: | 9_2_0041BA0A | |
| Source: | Code function: | 9_2_0041BB4D | |
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | JA3 fingerprint: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 0_2_00422477 | |
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 0_2_0042209A | |
| Source: | Code function: | 0_2_0042209A | |
| Source: | Code function: | 9_2_0042209A | |
| Source: | Code function: | 0_2_00421EB4 | |
| Source: | Code function: | 0_2_0040853B | |
| Source: | Code function: | 0_2_00441FD7 | |
| Source: | Code function: | 9_2_00441FD7 | |
System Summary | |
|---|
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_0041D0C8 | |
| Source: | Code function: | 0_2_0040D288 | |
| Source: | Code function: | 9_2_0040D288 | |
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Code function: | 0_2_0045A04B | |
| Source: | Code function: | 0_2_00429FD7 | |
| Source: | Code function: | 0_2_0044602C | |
| Source: | Code function: | 0_2_004500CD | |
| Source: | Code function: | 0_2_004121B3 | |
| Source: | Code function: | 0_2_0045831B | |
| Source: | Code function: | 0_2_0044F41A | |
| Source: | Code function: | 0_2_004504ED | |
| Source: | Code function: | 0_2_00461573 | |
| Source: | Code function: | 0_2_0045763A | |
| Source: | Code function: | 0_2_004646BD | |
| Source: | Code function: | 0_2_00455770 | |
| Source: | Code function: | 0_2_0044F8ED | |
| Source: | Code function: | 0_2_00445948 | |
| Source: | Code function: | 0_2_00411906 | |
| Source: | Code function: | 0_2_0044D99C | |
| Source: | Code function: | 0_2_00458AE0 | |
| Source: | Code function: | 0_2_00461AB5 | |
| Source: | Code function: | 0_2_00432BDC | |
| Source: | Code function: | 0_2_0044FCC1 | |
| Source: | Code function: | 0_2_00436CF3 | |
| Source: | Code function: | 0_2_0045BD92 | |
| Source: | Code function: | 0_2_00441FD7 | |
| Source: | Code function: | 0_2_00461FF7 | |
| Source: | Code function: | 0_2_00463FFD | |
| Source: | Code function: | 9_2_0045A04B | |
| Source: | Code function: | 9_2_00429FD7 | |
| Source: | Code function: | 9_2_0044602C | |
| Source: | Code function: | 9_2_004500CD | |
| Source: | Code function: | 9_2_004121B3 | |
| Source: | Code function: | 9_2_0045831B | |
| Source: | Code function: | 9_2_0044F41A | |
| Source: | Code function: | 9_2_004504ED | |
| Source: | Code function: | 9_2_00461573 | |
| Source: | Code function: | 9_2_0045763A | |
| Source: | Code function: | 9_2_004646BD | |
| Source: | Code function: | 9_2_00455770 | |
| Source: | Code function: | 9_2_0044F8ED | |
| Source: | Code function: | 9_2_00445948 | |
| Source: | Code function: | 9_2_00411906 | |
| Source: | Code function: | 9_2_0044D99C | |
| Source: | Code function: | 9_2_00458AE0 | |
| Source: | Code function: | 9_2_00461AB5 | |
| Source: | Code function: | 9_2_00432BDC | |
| Source: | Code function: | 9_2_0044FCC1 | |
| Source: | Code function: | 9_2_00436CF3 | |
| Source: | Code function: | 9_2_0045BD92 | |
| Source: | Code function: | 9_2_00441FD7 | |
| Source: | Code function: | 9_2_00461FF7 | |
| Source: | Code function: | 9_2_00463FFD | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_00418B7F | |
| Source: | Code function: | 0_2_0040D288 | |
| Source: | Code function: | 9_2_0040D288 | |
| Source: | Code function: | 0_2_0041C97F | |
| Source: | Code function: | 0_2_0040BCAA | |
| Source: | Code function: | 0_2_0041D215 | |
| Source: | Code function: | 0_2_0040D70C | |
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | File written: | Jump to behavior | ||
| Source: | Code function: | 0_2_004053EF | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_004A500D | |
| Source: | Code function: | 0_2_00455764 | |
| Source: | Code function: | 9_2_004A500D | |
| Source: | Code function: | 9_2_00455764 | |
Persistence and Installation Behavior | |
|---|
| Source: | Executable created and started: | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
Boot Survival | |
|---|
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Key value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | Registry key value modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
Hooking and other Techniques for Hiding and Protection | |
|---|
| Source: | Icon embedded in binary file: | ||
| Source: | Code function: | 0_2_00409786 | |
| Source: | Code function: | 0_2_00439F63 | |
| Source: | Code function: | 9_2_00409786 | |
| Source: | Code function: | 9_2_00439F63 | |
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Evasive API call chain: | graph_9-52959 | ||
| Source: | Evasive API call chain: | graph_0-52879 | ||
| Source: | Evasive API call chain: | graph_0-51788 | ||
| Source: | Evasive API call chain: | graph_9-51906 | ||
| Source: | API coverage: | ||
| Source: | API coverage: | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Code function: | 0_2_0040C49D | |
| Source: | Code function: | 0_2_0040C78E | |
| Source: | Code function: | 0_2_0041DE3C | |
| Source: | Code function: | 0_2_0041E028 | |
| Source: | Code function: | 0_2_0041B572 | |
| Source: | Code function: | 0_2_0040C672 | |
| Source: | Code function: | 0_2_0041EA5E | |
| Source: | Code function: | 0_2_0041BA0A | |
| Source: | Code function: | 0_2_0041BB4D | |
| Source: | Code function: | 9_2_0040C49D | |
| Source: | Code function: | 9_2_0040C78E | |
| Source: | Code function: | 9_2_0041DE3C | |
| Source: | Code function: | 9_2_0041E028 | |
| Source: | Code function: | 9_2_0041B572 | |
| Source: | Code function: | 9_2_0040C672 | |
| Source: | Code function: | 9_2_0041EA5E | |
| Source: | Code function: | 9_2_0041BA0A | |
| Source: | Code function: | 9_2_0041BB4D | |
| Source: | Code function: | 0_2_004053EF | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | API call chain: | graph_0-51563 | ||
| Source: | API call chain: | graph_0-51877 | ||
| Source: | API call chain: | graph_9-51581 | ||
| Source: | API call chain: | graph_9-51982 | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_004053EF | |
| Source: | Code function: | 0_2_00453C5E | |
| Source: | Code function: | 0_2_00460147 | |
| Source: | Code function: | 0_2_00460874 | |
| Source: | Code function: | 0_2_0045EA75 | |
| Source: | Code function: | 0_2_00454F21 | |
| Source: | Code function: | 9_2_00460147 | |
| Source: | Code function: | 9_2_00460874 | |
| Source: | Code function: | 9_2_0045EA75 | |
| Source: | Code function: | 9_2_00454F21 | |
| Source: | Code function: | 0_2_0040108C | |
| Source: | Code function: | 0_2_00408381 | |
| Source: | Code function: | 0_2_0040D3AB | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_00461506 | |
| Source: | Code function: | 0_2_00462EED | |
| Source: | Code function: | 9_2_00462EED | |
| Source: | Code function: | 0_2_0041B7D8 | |
| Source: | Code function: | 0_2_0042ED72 | |
| Source: | Code function: | 0_2_0045D8AB | |
| Source: | Code function: | 0_2_004053EF | |
Lowering of HIPS / PFW / Operating System Security Settings | |
|---|
| Source: | Registry key created or modified: | Jump to behavior | ||
| Source: | Registry key created or modified: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_0042754A | |
| Source: | Code function: | 0_2_00428656 | |
| Source: | Code function: | 0_2_00426F8D | |
| Source: | Code function: | 9_2_0042754A | |
| Source: | Code function: | 9_2_00428656 | |
| Source: | Code function: | 9_2_00426F8D | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | 2 Replication Through Removable Media | 3 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 2 Disable or Modify Tools | 21 Input Capture | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 Windows Service | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 11 Peripheral Device Discovery | Remote Desktop Protocol | 21 Input Capture | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | 1 Scheduled Task/Job | 1 Access Token Manipulation | 2 Obfuscated Files or Information | Security Account Manager | 1 Account Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | 31 Registry Run Keys / Startup Folder | 1 Windows Service | 1 Software Packing | NTDS | 3 File and Directory Discovery | Distributed Component Object Model | Input Capture | 3 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 12 Process Injection | 1 DLL Side-Loading | LSA Secrets | 25 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 1 Scheduled Task/Job | 221 Masquerading | Cached Domain Credentials | 1 Query Registry | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | 31 Registry Run Keys / Startup Folder | 1 Virtualization/Sandbox Evasion | DCSync | 111 Security Software Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Access Token Manipulation | Proc Filesystem | 1 Virtualization/Sandbox Evasion | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 12 Process Injection | /etc/passwd and /etc/shadow | 3 Process Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 Application Window Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
| Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | Stripped Payloads | Input Capture | 1 System Owner/User Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 97% | Virustotal | Browse | ||
| 100% | ReversingLabs | Win32.Worm.Sohanad | ||
| 100% | Avira | TR/AutoIt.CI.14 | ||
| 100% | Joe Sandbox ML |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira | TR/AutoIt.CI.14 | ||
| 100% | Avira | TR/AutoIt.CI.14 | ||
| 100% | Avira | TR/AutoIt.CI.14 | ||
| 100% | Avira | TR/AutoIt.CI.14 | ||
| 100% | Joe Sandbox ML | |||
| 100% | Joe Sandbox ML | |||
| 100% | Joe Sandbox ML | |||
| 100% | Joe Sandbox ML | |||
| 100% | ReversingLabs | Win32.Worm.Sohanad | ||
| 100% | ReversingLabs | Win32.Worm.Sohanad | ||
| 100% | ReversingLabs | Win32.Worm.Sohanad | ||
| 100% | ReversingLabs | Win32.Worm.Sohanad |
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| me-ycpi-cf-www.g06.yahoodns.net | 87.248.119.252 | true | false | high | |
| yahoo.com | 74.6.143.25 | true | false | high | |
| www.yahoo.com | unknown | unknown | false | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | high | ||
| false | high | ||
| false | high | ||
| false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 87.248.119.252 | me-ycpi-cf-www.g06.yahoodns.net | United Kingdom | 203220 | YAHOO-DEBDE | false | |
| 74.6.143.25 | yahoo.com | United States | 26101 | YAHOO-3US | false |
| Joe Sandbox version: | 42.0.0 Malachite |
| Analysis ID: | 1591253 |
| Start date and time: | 2025-01-14 20:48:04 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 8m 24s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 11 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | regsvr.exe |
| Detection: | MAL |
| Classification: | mal100.evad.winEXE@12/13@2/2 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53, 4.245.163.56
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size exceeded maximum capacity and may have missing disassembly code.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
| Time | Type | Description |
|---|---|---|
| 14:50:12 | API Interceptor | |
| 20:49:12 | Autostart | |
| 20:49:20 | Autostart | |
| 20:49:36 | Autostart | |
| 20:49:41 | Autostart | |
| 20:49:50 | Autostart |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 87.248.119.252 | Get hash | malicious | HTMLPhisher | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| 74.6.143.25 | Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| me-ycpi-cf-www.g06.yahoodns.net | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Phisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| YAHOO-3US | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Mirai, Moobot | Browse |
| ||
| Get hash | malicious | Mirai, Okiru | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| YAHOO-DEBDE | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 37f463bf4616ecd445d4a1937da06e19 | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Remcos, GuLoader | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Remcos, GuLoader | Browse |
| ||
| Get hash | malicious | Remcos, GuLoader | Browse |
| ||
| Get hash | malicious | Remcos, GuLoader | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
⊘No context
| Process: | C:\Users\user\Desktop\regsvr.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 300730 |
| Entropy (8bit): | 7.982780278477302 |
| Encrypted: | false |
| SSDEEP: | 6144:mnvu6X0EvMzb7nRZHHDSnrsAdTBTGj3g43sLA2mf1I5UhcVf:mvuQ0AMb/U+LgiWA7CUhcVf |
| MD5: | 05A5C685209891100860BBA7DE6E07BA |
| SHA1: | 2A2BB52DCCF5CE3C83FF805AD3E185934D78C0CC |
| SHA-256: | D2DD6B923203A6366121C6EE663BC52035C25711B44051E87FA7B8E053945EFA |
| SHA-512: | E2AF5F4CE12120E662462E85556D34A094F8EDCD25B17E25969DBBD24CBA4821A8FE90B290B8DE8DFE0A480675168EBEC0BB68734D716DA41DECAF8BAFD85060 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\regsvr.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 300730 |
| Entropy (8bit): | 7.982780278477302 |
| Encrypted: | false |
| SSDEEP: | 6144:mnvu6X0EvMzb7nRZHHDSnrsAdTBTGj3g43sLA2mf1I5UhcVf:mvuQ0AMb/U+LgiWA7CUhcVf |
| MD5: | 05A5C685209891100860BBA7DE6E07BA |
| SHA1: | 2A2BB52DCCF5CE3C83FF805AD3E185934D78C0CC |
| SHA-256: | D2DD6B923203A6366121C6EE663BC52035C25711B44051E87FA7B8E053945EFA |
| SHA-512: | E2AF5F4CE12120E662462E85556D34A094F8EDCD25B17E25969DBBD24CBA4821A8FE90B290B8DE8DFE0A480675168EBEC0BB68734D716DA41DECAF8BAFD85060 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\regsvr.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 765953 |
| Entropy (8bit): | 4.592914551404049 |
| Encrypted: | false |
| SSDEEP: | 6144:N3i8X7pt4Oti0BWmKWIBtOcI9SSbA+cuXhsBM7xX:N3TdtLW5WIj1YSSdFxsBSX |
| MD5: | E05F460EB752D40392F1D75D75716276 |
| SHA1: | 38320C10449E636FAB9C7649454B52248957EE1E |
| SHA-256: | 804465598E1EDC091A4EC8844CD7D8C81063EBAD37339A1D646E0E0F242C5B89 |
| SHA-512: | C7B50835A862C2E681C541DBE3E4AACC1B850896318DAE1E774E554F54B40237815A7352C12F1DBE90057643A8C7E5E547148C75EF6650F82AF948EA819DD1A0 |
| Malicious: | true |
| Antivirus: |
|
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\regsvr.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 26 |
| Entropy (8bit): | 3.95006375643621 |
| Encrypted: | false |
| SSDEEP: | 3:ggPYV:rPYV |
| MD5: | 187F488E27DB4AF347237FE461A079AD |
| SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
| SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
| SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
| Malicious: | true |
| Preview: |
| Process: | C:\Windows\regsvr.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 96 |
| Entropy (8bit): | 4.357433142101641 |
| Encrypted: | false |
| SSDEEP: | 3:03BqVurVTWCsLPWTWCsj5d1iuXWiCsnAcv:Sqwr5WViTWVpiuZVv |
| MD5: | 9ECE103C47335F0CC777F1132B8D522F |
| SHA1: | 63AFA171C64F86D99DB81723E1335E960E85FA43 |
| SHA-256: | 69815D4932DDDE240CE6B1353305D2FAB58CA402E9C478452C8E37CE8A7B2AC9 |
| SHA-512: | B1AC64C71C6338BF0AB33DF938128822DA680F20D0552EDB2EDB808F1C75BAFB88467412FC8DC60ED8022A1F0C4F3FCBECB69A320EC871B3A766482F32D6EB05 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\regsvr.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 765953 |
| Entropy (8bit): | 4.592914551404049 |
| Encrypted: | false |
| SSDEEP: | 6144:N3i8X7pt4Oti0BWmKWIBtOcI9SSbA+cuXhsBM7xX:N3TdtLW5WIj1YSSdFxsBSX |
| MD5: | E05F460EB752D40392F1D75D75716276 |
| SHA1: | 38320C10449E636FAB9C7649454B52248957EE1E |
| SHA-256: | 804465598E1EDC091A4EC8844CD7D8C81063EBAD37339A1D646E0E0F242C5B89 |
| SHA-512: | C7B50835A862C2E681C541DBE3E4AACC1B850896318DAE1E774E554F54B40237815A7352C12F1DBE90057643A8C7E5E547148C75EF6650F82AF948EA819DD1A0 |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\regsvr.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 26 |
| Entropy (8bit): | 3.95006375643621 |
| Encrypted: | false |
| SSDEEP: | 3:ggPYV:rPYV |
| MD5: | 187F488E27DB4AF347237FE461A079AD |
| SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
| SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
| SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
| Malicious: | true |
| Preview: |
| Process: | C:\Users\user\Desktop\regsvr.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 2 |
| Entropy (8bit): | 1.0 |
| Encrypted: | false |
| SSDEEP: | 3:V:V |
| MD5: | E0AA021E21DDDBD6D8CECEC71E9CF564 |
| SHA1: | 9CE3BD4224C8C1780DB56B4125ECF3F24BF748B7 |
| SHA-256: | 565339BC4D33D72817B583024112EB7F5CDF3E5EEF0252D6EC1B9C9A94E12BB3 |
| SHA-512: | 900110C951560EFF857B440E89CC29F529416E0E3B3D7F0AD51651BFDBD8025B91768C5ED7DB5352D1A5523354CE06CED2C42047E33A3E958A1BBA5F742DB874 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\regsvr.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 96 |
| Entropy (8bit): | 4.357433142101641 |
| Encrypted: | false |
| SSDEEP: | 3:03BqVurVTWCsLPWTWCsj5d1iuXWiCsnAcv:Sqwr5WViTWVpiuZVv |
| MD5: | 9ECE103C47335F0CC777F1132B8D522F |
| SHA1: | 63AFA171C64F86D99DB81723E1335E960E85FA43 |
| SHA-256: | 69815D4932DDDE240CE6B1353305D2FAB58CA402E9C478452C8E37CE8A7B2AC9 |
| SHA-512: | B1AC64C71C6338BF0AB33DF938128822DA680F20D0552EDB2EDB808F1C75BAFB88467412FC8DC60ED8022A1F0C4F3FCBECB69A320EC871B3A766482F32D6EB05 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\regsvr.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 765953 |
| Entropy (8bit): | 4.592914551404049 |
| Encrypted: | false |
| SSDEEP: | 6144:N3i8X7pt4Oti0BWmKWIBtOcI9SSbA+cuXhsBM7xX:N3TdtLW5WIj1YSSdFxsBSX |
| MD5: | E05F460EB752D40392F1D75D75716276 |
| SHA1: | 38320C10449E636FAB9C7649454B52248957EE1E |
| SHA-256: | 804465598E1EDC091A4EC8844CD7D8C81063EBAD37339A1D646E0E0F242C5B89 |
| SHA-512: | C7B50835A862C2E681C541DBE3E4AACC1B850896318DAE1E774E554F54B40237815A7352C12F1DBE90057643A8C7E5E547148C75EF6650F82AF948EA819DD1A0 |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\regsvr.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 26 |
| Entropy (8bit): | 3.95006375643621 |
| Encrypted: | false |
| SSDEEP: | 3:ggPYV:rPYV |
| MD5: | 187F488E27DB4AF347237FE461A079AD |
| SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
| SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
| SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
| Malicious: | true |
| Preview: |
| Process: | C:\Users\user\Desktop\regsvr.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 765953 |
| Entropy (8bit): | 4.592914551404049 |
| Encrypted: | false |
| SSDEEP: | 6144:N3i8X7pt4Oti0BWmKWIBtOcI9SSbA+cuXhsBM7xX:N3TdtLW5WIj1YSSdFxsBSX |
| MD5: | E05F460EB752D40392F1D75D75716276 |
| SHA1: | 38320C10449E636FAB9C7649454B52248957EE1E |
| SHA-256: | 804465598E1EDC091A4EC8844CD7D8C81063EBAD37339A1D646E0E0F242C5B89 |
| SHA-512: | C7B50835A862C2E681C541DBE3E4AACC1B850896318DAE1E774E554F54B40237815A7352C12F1DBE90057643A8C7E5E547148C75EF6650F82AF948EA819DD1A0 |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\regsvr.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 26 |
| Entropy (8bit): | 3.95006375643621 |
| Encrypted: | false |
| SSDEEP: | 3:ggPYV:rPYV |
| MD5: | 187F488E27DB4AF347237FE461A079AD |
| SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
| SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
| SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
| Malicious: | true |
| Preview: |
| File type: | |
| Entropy (8bit): | 4.592914551404049 |
| TrID: |
|
| File name: | regsvr.exe |
| File size: | 765'953 bytes |
| MD5: | e05f460eb752d40392f1d75d75716276 |
| SHA1: | 38320c10449e636fab9c7649454b52248957ee1e |
| SHA256: | 804465598e1edc091a4ec8844cd7d8c81063ebad37339a1d646e0e0f242c5b89 |
| SHA512: | c7b50835a862c2e681c541dbe3e4aacc1b850896318dae1e774e554f54b40237815a7352c12f1dbe90057643a8c7e5e547148c75ef6650f82af948ea819dd1a0 |
| SSDEEP: | 6144:N3i8X7pt4Oti0BWmKWIBtOcI9SSbA+cuXhsBM7xX:N3TdtLW5WIj1YSSdFxsBSX |
| TLSH: | 5AF4D002612BF5E4E82C8C76294730FA1BC56D615E0FEE25705DBF3738762E4AD0A52B |
| File Content Preview: | MZ......................@....... ....................................!..L.!This program cannot be run in DOS mode....$........$.qVE."VE."VE."..."TE."q.."bE."q..".E.".J."_E.".J."ME."VE.".D."q.."oE."q.."sE."q.."WE."q.."WE."RichVE."....................... |
 | |
| Icon Hash: | 25ced24e627e1e01 |
| Entrypoint: | 0x4a5000 |
| Entrypoint Section: | .vc++ |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
| DLL Characteristics: | TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x47493EAA [Sun Nov 25 09:21:46 2007 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 7d580e3bc0d56dc97c988e38179b1756 |
| Instruction |
|---|
| nop |
| pushad |
| call 00007F3C58D593E8h |
| jmp 00007F3C9E3298D0h |
| push ebp |
| ret |
| call 00007F3C58D593E6h |
| jmp 00007F3C58D5943Fh |
| mov ebx, FFFFFFEDh |
| add ebx, ebp |
| sub ebx, 000A5000h |
| cmp dword ptr [ebp+00000422h], 00000000h |
| mov dword ptr [ebp+00000422h], ebx |
| jne 00007F3C58D5974Bh |
| lea eax, dword ptr [ebp+0000042Eh] |
| push eax |
| call dword ptr [ebp+00000F4Dh] |
| mov dword ptr [ebp+00000426h], eax |
| mov edi, eax |
| lea ebx, dword ptr [ebp+5Eh] |
| push ebx |
| push eax |
| call dword ptr [ebp+00000F49h] |
| mov dword ptr [ebp+0000054Dh], eax |
| lea ebx, dword ptr [ebp+6Bh] |
| push ebx |
| push edi |
| call dword ptr [ebp+00000F49h] |
| mov dword ptr [ebp+00000551h], eax |
| lea eax, dword ptr [ebp+77h] |
| jmp eax |
| push esi |
| imul esi, dword ptr [edx+74h], 416C6175h |
| insb |
| insb |
| outsd |
| arpl word ptr [eax], ax |
| push esi |
| imul esi, dword ptr [edx+74h], 466C6175h |
| jc 00007F3C58D59447h |
| add byte ptr [ebx+0005319Dh], cl |
| add byte ptr [ebx], cl |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa5fac | 0x2c8 | .vc++ |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8f000 | 0x15ed0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa5f54 | 0x8 | .vc++ |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x100000 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x66000 | 0x30400 | d9d97730b6ccc9fb116199255d493c78 | False | 0.9984820272020726 | data | 7.998539298621614 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rdata | 0x67000 | 0xf000 | 0x4400 | 05a7ad5d0679e42057520ca594660a3f | False | 1.0009191176470589 | data | 7.986857792277237 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .data | 0x76000 | 0x19000 | 0xc00 | 97fce54178d4c14f5b98ce73426c45f2 | False | 0.9879557291666666 | data | 7.874420644458337 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x8f000 | 0x16000 | 0x1000 | bb7bc224d4567eb4333742fbea5652ef | False | 0.674072265625 | data | 6.330193660679065 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .vc++ | 0xa5000 | 0x15000 | 0x14a00 | f1b8ac7590e3f4b823bcec760edf4975 | False | 0.21271306818181818 | data | 5.103013094701391 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .adata | 0xba000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .vsp | 0xbb000 | 0x96dc | 0x9800 | 31e14c04c60244fdc3737cc73a13aacd | False | 0.0015419407894736842 | data | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xb92c8 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 0 | English | Great Britain | 0.11036585365853659 |
| RT_ICON | 0xb8fe0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.1827956989247312 |
| RT_ICON | 0xb8eb8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.4222972972972973 |
| RT_ICON | 0xb8010 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2867803837953092 |
| RT_ICON | 0xb7768 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.35965703971119134 |
| RT_ICON | 0xb70a0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | English | Great Britain | 0.4216589861751152 |
| RT_ICON | 0xb6b38 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.42846820809248554 |
| RT_ICON | 0xb4590 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.2020746887966805 |
| RT_ICON | 0xb34e8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.2976078799249531 |
| RT_ICON | 0xb33c0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216 |
| RT_ICON | 0xb3298 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135 |
| RT_ICON | 0xb2910 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | English | Great Britain | 0.4262295081967213 |
| RT_ICON | 0xb24a8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.350177304964539 |
| RT_ICON | 0xaf800 | 0x2ca8 | Device independent bitmap graphic, 96 x 192 x 8, image size 0 | English | Great Britain | 0.3191042687193842 |
| RT_ICON | 0xa6358 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 0 | English | Great Britain | 0.10074626865671642 |
| RT_MENU | 0xa2b40 | 0x40 | empty | English | Great Britain | 0 |
| RT_DIALOG | 0xa2b80 | 0xf0 | empty | English | Great Britain | 0 |
| RT_STRING | 0xa2c70 | 0x588 | empty | English | Great Britain | 0 |
| RT_STRING | 0xa31f8 | 0x690 | empty | English | Great Britain | 0 |
| RT_STRING | 0xa3888 | 0x4ce | empty | English | Great Britain | 0 |
| RT_STRING | 0xa3d58 | 0x604 | empty | English | Great Britain | 0 |
| RT_STRING | 0xa435c | 0x65e | empty | English | Great Britain | 0 |
| RT_STRING | 0xa49bc | 0x430 | empty | English | Great Britain | 0 |
| RT_GROUP_ICON | 0xa629c | 0xbc | data | English | Great Britain | 0.6223404255319149 |
| RT_GROUP_ICON | 0xa6288 | 0x14 | data | English | Great Britain | 1.25 |
| RT_GROUP_ICON | 0xa6274 | 0x14 | data | English | Great Britain | 1.25 |
| DLL | Import |
|---|---|
| kernel32.dll | GetProcAddress, GetModuleHandleA, LoadLibraryA |
| advapi32.dll | RegEnumValueW |
| comctl32.dll | ImageList_EndDrag |
| comdlg32.dll | GetSaveFileNameW |
| gdi32.dll | MoveToEx |
| mpr.dll | WNetUseConnectionW |
| ole32.dll | OleSetContainedObject |
| oleaut32.dll | LoadRegTypeLib |
| shell32.dll | DragQueryPoint |
| user32.dll | GetWindowTextLengthW |
| version.dll | GetFileVersionInfoSizeW |
| winmm.dll | waveOutSetVolume |
| wsock32.dll | __WSAFDIsSet |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | Great Britain |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-14T20:49:09.661212+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.5 | 49705 | 74.6.143.25 | 80 | TCP |
| 2025-01-14T20:49:09.661212+0100 | 2012200 | ET MALWARE Possible Worm W32.Svich or Other Infection Request for setting.doc | 1 | 192.168.2.5 | 49705 | 74.6.143.25 | 80 | TCP |
| 2025-01-14T20:49:10.598364+0100 | 2012200 | ET MALWARE Possible Worm W32.Svich or Other Infection Request for setting.doc | 1 | 192.168.2.5 | 49706 | 74.6.143.25 | 443 | TCP |
| 2025-01-14T20:49:11.678741+0100 | 2012200 | ET MALWARE Possible Worm W32.Svich or Other Infection Request for setting.doc | 1 | 192.168.2.5 | 49707 | 87.248.119.252 | 443 | TCP |
| 2025-01-14T20:49:12.843490+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.5 | 49705 | 74.6.143.25 | 80 | TCP |
| 2025-01-14T20:49:12.843490+0100 | 2012200 | ET MALWARE Possible Worm W32.Svich or Other Infection Request for setting.doc | 1 | 192.168.2.5 | 49705 | 74.6.143.25 | 80 | TCP |
| 2025-01-14T20:49:13.479647+0100 | 2012200 | ET MALWARE Possible Worm W32.Svich or Other Infection Request for setting.doc | 1 | 192.168.2.5 | 49708 | 74.6.143.25 | 443 | TCP |
| 2025-01-14T20:49:14.520787+0100 | 2012200 | ET MALWARE Possible Worm W32.Svich or Other Infection Request for setting.doc | 1 | 192.168.2.5 | 49709 | 87.248.119.252 | 443 | TCP |
| 2025-01-14T20:49:15.186129+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.5 | 49710 | 87.248.119.252 | 80 | TCP |
| 2025-01-14T20:49:15.186129+0100 | 2012200 | ET MALWARE Possible Worm W32.Svich or Other Infection Request for setting.doc | 1 | 192.168.2.5 | 49710 | 87.248.119.252 | 80 | TCP |
| 2025-01-14T20:49:16.293240+0100 | 2012200 | ET MALWARE Possible Worm W32.Svich or Other Infection Request for setting.doc | 1 | 192.168.2.5 | 49712 | 87.248.119.252 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 14, 2025 20:49:09.168083906 CET | 49705 | 80 | 192.168.2.5 | 74.6.143.25 |
| Jan 14, 2025 20:49:09.173027039 CET | 80 | 49705 | 74.6.143.25 | 192.168.2.5 |
| Jan 14, 2025 20:49:09.173119068 CET | 49705 | 80 | 192.168.2.5 | 74.6.143.25 |
| Jan 14, 2025 20:49:09.175412893 CET | 49705 | 80 | 192.168.2.5 | 74.6.143.25 |
| Jan 14, 2025 20:49:09.180188894 CET | 80 | 49705 | 74.6.143.25 | 192.168.2.5 |
| Jan 14, 2025 20:49:09.661051989 CET | 80 | 49705 | 74.6.143.25 | 192.168.2.5 |
| Jan 14, 2025 20:49:09.661211967 CET | 49705 | 80 | 192.168.2.5 | 74.6.143.25 |
| Jan 14, 2025 20:49:09.734637022 CET | 49706 | 443 | 192.168.2.5 | 74.6.143.25 |
| Jan 14, 2025 20:49:09.734685898 CET | 443 | 49706 | 74.6.143.25 | 192.168.2.5 |
| Jan 14, 2025 20:49:09.734756947 CET | 49706 | 443 | 192.168.2.5 | 74.6.143.25 |
| Jan 14, 2025 20:49:09.871505976 CET | 49706 | 443 | 192.168.2.5 | 74.6.143.25 |
| Jan 14, 2025 20:49:09.871539116 CET | 443 | 49706 | 74.6.143.25 | 192.168.2.5 |
| Jan 14, 2025 20:49:10.372716904 CET | 443 | 49706 | 74.6.143.25 | 192.168.2.5 |
| Jan 14, 2025 20:49:10.372818947 CET | 49706 | 443 | 192.168.2.5 | 74.6.143.25 |
| Jan 14, 2025 20:49:10.480051994 CET | 49706 | 443 | 192.168.2.5 | 74.6.143.25 |
| Jan 14, 2025 20:49:10.480078936 CET | 443 | 49706 | 74.6.143.25 | 192.168.2.5 |
| Jan 14, 2025 20:49:10.480385065 CET | 443 | 49706 | 74.6.143.25 | 192.168.2.5 |
| Jan 14, 2025 20:49:10.480447054 CET | 49706 | 443 | 192.168.2.5 | 74.6.143.25 |
| Jan 14, 2025 20:49:10.483031034 CET | 49706 | 443 | 192.168.2.5 | 74.6.143.25 |
| Jan 14, 2025 20:49:10.527323008 CET | 443 | 49706 | 74.6.143.25 | 192.168.2.5 |
| Jan 14, 2025 20:49:10.598402977 CET | 443 | 49706 | 74.6.143.25 | 192.168.2.5 |
| Jan 14, 2025 20:49:10.598473072 CET | 49706 | 443 | 192.168.2.5 | 74.6.143.25 |
| Jan 14, 2025 20:49:10.598500013 CET | 443 | 49706 | 74.6.143.25 | 192.168.2.5 |
| Jan 14, 2025 20:49:10.598532915 CET | 443 | 49706 | 74.6.143.25 | 192.168.2.5 |
| Jan 14, 2025 20:49:10.598541021 CET | 49706 | 443 | 192.168.2.5 | 74.6.143.25 |
| Jan 14, 2025 20:49:10.598576069 CET | 49706 | 443 | 192.168.2.5 | 74.6.143.25 |
| Jan 14, 2025 20:49:10.601852894 CET | 49706 | 443 | 192.168.2.5 | 74.6.143.25 |
| Jan 14, 2025 20:49:10.601869106 CET | 443 | 49706 | 74.6.143.25 | 192.168.2.5 |
| Jan 14, 2025 20:49:10.623267889 CET | 49707 | 443 | 192.168.2.5 | 87.248.119.252 |
| Jan 14, 2025 20:49:10.623352051 CET | 443 | 49707 | 87.248.119.252 | 192.168.2.5 |
| Jan 14, 2025 20:49:10.623433113 CET | 49707 | 443 | 192.168.2.5 | 87.248.119.252 |
| Jan 14, 2025 20:49:10.623825073 CET | 49707 | 443 | 192.168.2.5 | 87.248.119.252 |
| Jan 14, 2025 20:49:10.623853922 CET | 443 | 49707 | 87.248.119.252 | 192.168.2.5 |
| Jan 14, 2025 20:49:11.376279116 CET | 443 | 49707 | 87.248.119.252 | 192.168.2.5 |
| Jan 14, 2025 20:49:11.376358032 CET | 49707 | 443 | 192.168.2.5 | 87.248.119.252 |
| Jan 14, 2025 20:49:11.377079010 CET | 443 | 49707 | 87.248.119.252 | 192.168.2.5 |
| Jan 14, 2025 20:49:11.377135992 CET | 49707 | 443 | 192.168.2.5 | 87.248.119.252 |
| Jan 14, 2025 20:49:11.383271933 CET | 49707 | 443 | 192.168.2.5 | 87.248.119.252 |
| Jan 14, 2025 20:49:11.383301020 CET | 443 | 49707 | 87.248.119.252 | 192.168.2.5 |
| Jan 14, 2025 20:49:11.383590937 CET | 443 | 49707 | 87.248.119.252 | 192.168.2.5 |
| Jan 14, 2025 20:49:11.383647919 CET | 49707 | 443 | 192.168.2.5 | 87.248.119.252 |
| Jan 14, 2025 20:49:11.384053946 CET | 49707 | 443 | 192.168.2.5 | 87.248.119.252 |
| Jan 14, 2025 20:49:11.427347898 CET | 443 | 49707 | 87.248.119.252 | 192.168.2.5 |
| Jan 14, 2025 20:49:11.678796053 CET | 443 | 49707 | 87.248.119.252 | 192.168.2.5 |
| Jan 14, 2025 20:49:11.679020882 CET | 443 | 49707 | 87.248.119.252 | 192.168.2.5 |
| Jan 14, 2025 20:49:11.679106951 CET | 49707 | 443 | 192.168.2.5 | 87.248.119.252 |
| Jan 14, 2025 20:49:11.679107904 CET | 49707 | 443 | 192.168.2.5 | 87.248.119.252 |
| Jan 14, 2025 20:49:11.682960033 CET | 49707 | 443 | 192.168.2.5 | 87.248.119.252 |
| Jan 14, 2025 20:49:11.682984114 CET | 443 | 49707 | 87.248.119.252 | 192.168.2.5 |
| Jan 14, 2025 20:49:12.730628014 CET | 49705 | 80 | 192.168.2.5 | 74.6.143.25 |
| Jan 14, 2025 20:49:12.735402107 CET | 80 | 49705 | 74.6.143.25 | 192.168.2.5 |
| Jan 14, 2025 20:49:12.843327999 CET | 80 | 49705 | 74.6.143.25 | 192.168.2.5 |
| Jan 14, 2025 20:49:12.843489885 CET | 49705 | 80 | 192.168.2.5 | 74.6.143.25 |
| Jan 14, 2025 20:49:12.851675987 CET | 49708 | 443 | 192.168.2.5 | 74.6.143.25 |
| Jan 14, 2025 20:49:12.851783037 CET | 443 | 49708 | 74.6.143.25 | 192.168.2.5 |
| Jan 14, 2025 20:49:12.851902962 CET | 49708 | 443 | 192.168.2.5 | 74.6.143.25 |
| Jan 14, 2025 20:49:12.852379084 CET | 49708 | 443 | 192.168.2.5 | 74.6.143.25 |
| Jan 14, 2025 20:49:12.852415085 CET | 443 | 49708 | 74.6.143.25 | 192.168.2.5 |
| Jan 14, 2025 20:49:13.349868059 CET | 443 | 49708 | 74.6.143.25 | 192.168.2.5 |
| Jan 14, 2025 20:49:13.349920988 CET | 49708 | 443 | 192.168.2.5 | 74.6.143.25 |
| Jan 14, 2025 20:49:13.350982904 CET | 49708 | 443 | 192.168.2.5 | 74.6.143.25 |
| Jan 14, 2025 20:49:13.350992918 CET | 443 | 49708 | 74.6.143.25 | 192.168.2.5 |
| Jan 14, 2025 20:49:13.351330996 CET | 49708 | 443 | 192.168.2.5 | 74.6.143.25 |
| Jan 14, 2025 20:49:13.351335049 CET | 443 | 49708 | 74.6.143.25 | 192.168.2.5 |
| Jan 14, 2025 20:49:13.479660034 CET | 443 | 49708 | 74.6.143.25 | 192.168.2.5 |
| Jan 14, 2025 20:49:13.479737997 CET | 49708 | 443 | 192.168.2.5 | 74.6.143.25 |
| Jan 14, 2025 20:49:13.479775906 CET | 443 | 49708 | 74.6.143.25 | 192.168.2.5 |
| Jan 14, 2025 20:49:13.479793072 CET | 443 | 49708 | 74.6.143.25 | 192.168.2.5 |
| Jan 14, 2025 20:49:13.479818106 CET | 49708 | 443 | 192.168.2.5 | 74.6.143.25 |
| Jan 14, 2025 20:49:13.479851007 CET | 49708 | 443 | 192.168.2.5 | 74.6.143.25 |
| Jan 14, 2025 20:49:13.480848074 CET | 49708 | 443 | 192.168.2.5 | 74.6.143.25 |
| Jan 14, 2025 20:49:13.480865002 CET | 443 | 49708 | 74.6.143.25 | 192.168.2.5 |
| Jan 14, 2025 20:49:13.488673925 CET | 49709 | 443 | 192.168.2.5 | 87.248.119.252 |
| Jan 14, 2025 20:49:13.488725901 CET | 443 | 49709 | 87.248.119.252 | 192.168.2.5 |
| Jan 14, 2025 20:49:13.488801956 CET | 49709 | 443 | 192.168.2.5 | 87.248.119.252 |
| Jan 14, 2025 20:49:13.489131927 CET | 49709 | 443 | 192.168.2.5 | 87.248.119.252 |
| Jan 14, 2025 20:49:13.489145994 CET | 443 | 49709 | 87.248.119.252 | 192.168.2.5 |
| Jan 14, 2025 20:49:14.212496996 CET | 443 | 49709 | 87.248.119.252 | 192.168.2.5 |
| Jan 14, 2025 20:49:14.212662935 CET | 49709 | 443 | 192.168.2.5 | 87.248.119.252 |
| Jan 14, 2025 20:49:14.213720083 CET | 49709 | 443 | 192.168.2.5 | 87.248.119.252 |
| Jan 14, 2025 20:49:14.213741064 CET | 443 | 49709 | 87.248.119.252 | 192.168.2.5 |
| Jan 14, 2025 20:49:14.214036942 CET | 49709 | 443 | 192.168.2.5 | 87.248.119.252 |
| Jan 14, 2025 20:49:14.214049101 CET | 443 | 49709 | 87.248.119.252 | 192.168.2.5 |
| Jan 14, 2025 20:49:14.520792007 CET | 443 | 49709 | 87.248.119.252 | 192.168.2.5 |
| Jan 14, 2025 20:49:14.520914078 CET | 443 | 49709 | 87.248.119.252 | 192.168.2.5 |
| Jan 14, 2025 20:49:14.520987034 CET | 49709 | 443 | 192.168.2.5 | 87.248.119.252 |
| Jan 14, 2025 20:49:14.521023035 CET | 49709 | 443 | 192.168.2.5 | 87.248.119.252 |
| Jan 14, 2025 20:49:14.522979021 CET | 49709 | 443 | 192.168.2.5 | 87.248.119.252 |
| Jan 14, 2025 20:49:14.523005009 CET | 443 | 49709 | 87.248.119.252 | 192.168.2.5 |
| Jan 14, 2025 20:49:14.546408892 CET | 49710 | 80 | 192.168.2.5 | 87.248.119.252 |
| Jan 14, 2025 20:49:14.551460028 CET | 80 | 49710 | 87.248.119.252 | 192.168.2.5 |
| Jan 14, 2025 20:49:14.551563978 CET | 49710 | 80 | 192.168.2.5 | 87.248.119.252 |
| Jan 14, 2025 20:49:14.551749945 CET | 49710 | 80 | 192.168.2.5 | 87.248.119.252 |
| Jan 14, 2025 20:49:14.556554079 CET | 80 | 49710 | 87.248.119.252 | 192.168.2.5 |
| Jan 14, 2025 20:49:15.186063051 CET | 80 | 49710 | 87.248.119.252 | 192.168.2.5 |
| Jan 14, 2025 20:49:15.186129093 CET | 49710 | 80 | 192.168.2.5 | 87.248.119.252 |
| Jan 14, 2025 20:49:15.187129974 CET | 49712 | 443 | 192.168.2.5 | 87.248.119.252 |
| Jan 14, 2025 20:49:15.187192917 CET | 443 | 49712 | 87.248.119.252 | 192.168.2.5 |
| Jan 14, 2025 20:49:15.187275887 CET | 49712 | 443 | 192.168.2.5 | 87.248.119.252 |
| Jan 14, 2025 20:49:15.187540054 CET | 49712 | 443 | 192.168.2.5 | 87.248.119.252 |
| Jan 14, 2025 20:49:15.187556982 CET | 443 | 49712 | 87.248.119.252 | 192.168.2.5 |
| Jan 14, 2025 20:49:15.920939922 CET | 443 | 49712 | 87.248.119.252 | 192.168.2.5 |
| Jan 14, 2025 20:49:15.921080112 CET | 49712 | 443 | 192.168.2.5 | 87.248.119.252 |
| Jan 14, 2025 20:49:16.002023935 CET | 49712 | 443 | 192.168.2.5 | 87.248.119.252 |
| Jan 14, 2025 20:49:16.002048969 CET | 443 | 49712 | 87.248.119.252 | 192.168.2.5 |
| Jan 14, 2025 20:49:16.002289057 CET | 49712 | 443 | 192.168.2.5 | 87.248.119.252 |
| Jan 14, 2025 20:49:16.002294064 CET | 443 | 49712 | 87.248.119.252 | 192.168.2.5 |
| Jan 14, 2025 20:49:16.293260098 CET | 443 | 49712 | 87.248.119.252 | 192.168.2.5 |
| Jan 14, 2025 20:49:16.293401957 CET | 443 | 49712 | 87.248.119.252 | 192.168.2.5 |
| Jan 14, 2025 20:49:16.293427944 CET | 49712 | 443 | 192.168.2.5 | 87.248.119.252 |
| Jan 14, 2025 20:49:16.293459892 CET | 49712 | 443 | 192.168.2.5 | 87.248.119.252 |
| Jan 14, 2025 20:49:16.294964075 CET | 49712 | 443 | 192.168.2.5 | 87.248.119.252 |
| Jan 14, 2025 20:49:16.294987917 CET | 443 | 49712 | 87.248.119.252 | 192.168.2.5 |
| Jan 14, 2025 20:49:23.127676964 CET | 80 | 49705 | 74.6.143.25 | 192.168.2.5 |
| Jan 14, 2025 20:49:23.127743006 CET | 49705 | 80 | 192.168.2.5 | 74.6.143.25 |
| Jan 14, 2025 20:50:46.084965944 CET | 80 | 49710 | 87.248.119.252 | 192.168.2.5 |
| Jan 14, 2025 20:50:46.087183952 CET | 49710 | 80 | 192.168.2.5 | 87.248.119.252 |
| Jan 14, 2025 20:50:59.197695017 CET | 49710 | 80 | 192.168.2.5 | 87.248.119.252 |
| Jan 14, 2025 20:50:59.197783947 CET | 49705 | 80 | 192.168.2.5 | 74.6.143.25 |
| Jan 14, 2025 20:50:59.202625036 CET | 80 | 49710 | 87.248.119.252 | 192.168.2.5 |
| Jan 14, 2025 20:50:59.541534901 CET | 49705 | 80 | 192.168.2.5 | 74.6.143.25 |
| Jan 14, 2025 20:51:00.244671106 CET | 49705 | 80 | 192.168.2.5 | 74.6.143.25 |
| Jan 14, 2025 20:51:01.541603088 CET | 49705 | 80 | 192.168.2.5 | 74.6.143.25 |
| Jan 14, 2025 20:51:04.041594028 CET | 49705 | 80 | 192.168.2.5 | 74.6.143.25 |
| Jan 14, 2025 20:51:08.932244062 CET | 49705 | 80 | 192.168.2.5 | 74.6.143.25 |
| Jan 14, 2025 20:51:18.541594028 CET | 49705 | 80 | 192.168.2.5 | 74.6.143.25 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 14, 2025 20:49:09.129997015 CET | 56537 | 53 | 192.168.2.5 | 1.1.1.1 |
| Jan 14, 2025 20:49:09.136773109 CET | 53 | 56537 | 1.1.1.1 | 192.168.2.5 |
| Jan 14, 2025 20:49:10.614804983 CET | 52485 | 53 | 192.168.2.5 | 1.1.1.1 |
| Jan 14, 2025 20:49:10.622229099 CET | 53 | 52485 | 1.1.1.1 | 192.168.2.5 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Jan 14, 2025 20:49:09.129997015 CET | 192.168.2.5 | 1.1.1.1 | 0xcb0 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 14, 2025 20:49:10.614804983 CET | 192.168.2.5 | 1.1.1.1 | 0x436f | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jan 14, 2025 20:49:09.136773109 CET | 1.1.1.1 | 192.168.2.5 | 0xcb0 | No error (0) | 74.6.143.25 | A (IP address) | IN (0x0001) | false | ||
| Jan 14, 2025 20:49:09.136773109 CET | 1.1.1.1 | 192.168.2.5 | 0xcb0 | No error (0) | 98.137.11.163 | A (IP address) | IN (0x0001) | false | ||
| Jan 14, 2025 20:49:09.136773109 CET | 1.1.1.1 | 192.168.2.5 | 0xcb0 | No error (0) | 74.6.143.26 | A (IP address) | IN (0x0001) | false | ||
| Jan 14, 2025 20:49:09.136773109 CET | 1.1.1.1 | 192.168.2.5 | 0xcb0 | No error (0) | 74.6.231.21 | A (IP address) | IN (0x0001) | false | ||
| Jan 14, 2025 20:49:09.136773109 CET | 1.1.1.1 | 192.168.2.5 | 0xcb0 | No error (0) | 98.137.11.164 | A (IP address) | IN (0x0001) | false | ||
| Jan 14, 2025 20:49:09.136773109 CET | 1.1.1.1 | 192.168.2.5 | 0xcb0 | No error (0) | 74.6.231.20 | A (IP address) | IN (0x0001) | false | ||
| Jan 14, 2025 20:49:10.622229099 CET | 1.1.1.1 | 192.168.2.5 | 0x436f | No error (0) | me-ycpi-cf-www.g06.yahoodns.net | CNAME (Canonical name) | IN (0x0001) | false | ||
| Jan 14, 2025 20:49:10.622229099 CET | 1.1.1.1 | 192.168.2.5 | 0x436f | No error (0) | 87.248.119.252 | A (IP address) | IN (0x0001) | false | ||
| Jan 14, 2025 20:49:10.622229099 CET | 1.1.1.1 | 192.168.2.5 | 0x436f | No error (0) | 87.248.119.251 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.5 | 49705 | 74.6.143.25 | 80 | 6508 | C:\Users\user\Desktop\regsvr.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jan 14, 2025 20:49:09.175412893 CET | 71 | OUT | |
| Jan 14, 2025 20:49:09.661051989 CET | 287 | IN | |
| Jan 14, 2025 20:49:12.730628014 CET | 71 | OUT | |
| Jan 14, 2025 20:49:12.843327999 CET | 287 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.5 | 49710 | 87.248.119.252 | 80 | 6508 | C:\Users\user\Desktop\regsvr.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jan 14, 2025 20:49:14.551749945 CET | 75 | OUT | |
| Jan 14, 2025 20:49:15.186063051 CET | 245 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.5 | 49706 | 74.6.143.25 | 443 | 6508 | C:\Users\user\Desktop\regsvr.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-14 19:49:10 UTC | 95 | OUT | |
| 2025-01-14 19:49:10 UTC | 439 | IN | |
| 2025-01-14 19:49:10 UTC | 8 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.5 | 49707 | 87.248.119.252 | 443 | 6508 | C:\Users\user\Desktop\regsvr.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-14 19:49:11 UTC | 99 | OUT | |
| 2025-01-14 19:49:11 UTC | 1200 | IN | |
| 2025-01-14 19:49:11 UTC | 2 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.5 | 49708 | 74.6.143.25 | 443 | 6508 | C:\Users\user\Desktop\regsvr.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-14 19:49:13 UTC | 95 | OUT | |
| 2025-01-14 19:49:13 UTC | 439 | IN | |
| 2025-01-14 19:49:13 UTC | 8 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.5 | 49709 | 87.248.119.252 | 443 | 6508 | C:\Users\user\Desktop\regsvr.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-14 19:49:14 UTC | 99 | OUT | |
| 2025-01-14 19:49:14 UTC | 1200 | IN | |
| 2025-01-14 19:49:14 UTC | 2 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.5 | 49712 | 87.248.119.252 | 443 | 6508 | C:\Users\user\Desktop\regsvr.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-14 19:49:15 UTC | 99 | OUT | |
| 2025-01-14 19:49:16 UTC | 1200 | IN | |
| 2025-01-14 19:49:16 UTC | 2 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 14:49:07 |
| Start date: | 14/01/2025 |
| Path: | C:\Users\user\Desktop\regsvr.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 765'953 bytes |
| MD5 hash: | E05F460EB752D40392F1D75D75716276 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | false |
| Target ID: | 1 |
| Start time: | 14:49:07 |
| Start date: | 14/01/2025 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x790000 |
| File size: | 236'544 bytes |
| MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 14:49:07 |
| Start date: | 14/01/2025 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6d64d0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 14:49:07 |
| Start date: | 14/01/2025 |
| Path: | C:\Windows\SysWOW64\at.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xc40000 |
| File size: | 25'088 bytes |
| MD5 hash: | 2AE20048111861FA09B709D3CC551AD6 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 5 |
| Start time: | 14:49:08 |
| Start date: | 14/01/2025 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x790000 |
| File size: | 236'544 bytes |
| MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 6 |
| Start time: | 14:49:08 |
| Start date: | 14/01/2025 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6d64d0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 7 |
| Start time: | 14:49:08 |
| Start date: | 14/01/2025 |
| Path: | C:\Windows\SysWOW64\at.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xc40000 |
| File size: | 25'088 bytes |
| MD5 hash: | 2AE20048111861FA09B709D3CC551AD6 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 9 |
| Start time: | 14:49:36 |
| Start date: | 14/01/2025 |
| Path: | C:\Windows\regsvr.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 765'953 bytes |
| MD5 hash: | E05F460EB752D40392F1D75D75716276 |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Antivirus matches: |
|
| Reputation: | low |
| Has exited: | false |
Execution Graph
| Execution Coverage: | 6% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 10.2% |
| Total number of Nodes: | 2000 |
| Total number of Limit Nodes: | 35 |
Graph
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040C78E Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 178filestringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040108C Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 151windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041DE3C Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 121fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004053EF Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 215libraryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00418B7F Relevance: 3.0, APIs: 2, Instructions: 28windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00429FD7 Relevance: .6, Instructions: 550COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00430850 Relevance: 68.7, APIs: 38, Strings: 1, Instructions: 486filepipeprocessCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00412C71 Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 235filetimeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00434645 Relevance: 33.6, APIs: 14, Strings: 5, Instructions: 363registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0046233D Relevance: 30.6, APIs: 20, Instructions: 602fileCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004060C8 Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 165registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004535F2 Relevance: 19.8, APIs: 13, Instructions: 296COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00422D64 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 165libraryloadernetworkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004012BA Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 59windowregistryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004016E5 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 146windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004018E6 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 104windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D99A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 32serviceCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00422C6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045328D Relevance: 7.6, APIs: 5, Instructions: 73threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040CBF6 Relevance: 7.6, APIs: 5, Instructions: 68COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00450D38 Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045A6ED Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045320D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00453219 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004531D8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33threadCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00427955 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401A43 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401902 Relevance: 6.1, APIs: 4, Instructions: 96COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00418C78 Relevance: 6.1, APIs: 4, Instructions: 72windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00418F7B Relevance: 4.6, APIs: 3, Instructions: 62sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00409B18 Relevance: 4.6, APIs: 3, Instructions: 50windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041A38C Relevance: 3.1, APIs: 2, Instructions: 58COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00421BA8 Relevance: 3.1, APIs: 2, Instructions: 54networkCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00457C57 Relevance: 3.0, APIs: 2, Instructions: 28memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045DF97 Relevance: 3.0, APIs: 2, Instructions: 18COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041A2F7 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00437A84 Relevance: 1.6, APIs: 1, Instructions: 50COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00441FD7 Relevance: 138.1, APIs: 73, Strings: 5, Instructions: 1600windowfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00409786 Relevance: 42.1, APIs: 23, Strings: 1, Instructions: 117threadkeyboardwindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041B572 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 210timefileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041B7D8 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041D0C8 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 98fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D288 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 65shutdownCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041BA0A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 112fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040C672 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 90fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D70C Relevance: 16.6, APIs: 11, Instructions: 92COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00426F8D Relevance: 9.1, APIs: 6, Instructions: 75networkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041EA5E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 117filesleepCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00428656 Relevance: 7.7, APIs: 5, Instructions: 220comCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00439F63 Relevance: 7.6, APIs: 5, Instructions: 59windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041E028 Relevance: 4.6, APIs: 3, Instructions: 132fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041C97F Relevance: 4.6, APIs: 3, Instructions: 98COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041BB4D Relevance: 3.0, APIs: 2, Instructions: 47fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004121B3 Relevance: 2.1, APIs: 1, Instructions: 610COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044D99C Relevance: 2.0, Strings: 1, Instructions: 703COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00411906 Relevance: 1.6, APIs: 1, Instructions: 77COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042ED72 Relevance: 1.5, APIs: 1, Instructions: 7COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00408381 Relevance: 1.5, APIs: 1, Instructions: 6keyboardCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045EA75 Relevance: 1.5, APIs: 1, Instructions: 4COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00436CF3 Relevance: .4, Instructions: 432COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004504ED Relevance: .4, Instructions: 384COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004500CD Relevance: .4, Instructions: 378COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044FCC1 Relevance: .4, Instructions: 361COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044F8ED Relevance: .4, Instructions: 351COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00423CE0 Relevance: 67.0, APIs: 34, Strings: 4, Instructions: 477filecommemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00443668 Relevance: 54.5, APIs: 29, Strings: 2, Instructions: 293windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043B281 Relevance: 51.2, APIs: 34, Instructions: 247COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00438922 Relevance: 51.2, APIs: 7, Strings: 22, Instructions: 497windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043F7AE Relevance: 42.4, APIs: 22, Strings: 2, Instructions: 445windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040A4BD Relevance: 42.4, APIs: 20, Strings: 4, Instructions: 386windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00424395 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 280windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406424 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 120windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004228EF Relevance: 35.3, APIs: 16, Strings: 4, Instructions: 308libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00439FF5 Relevance: 33.6, APIs: 16, Strings: 3, Instructions: 321windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043BACC Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 287windowtimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004551E3 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 156fileCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00431175 Relevance: 31.9, APIs: 21, Instructions: 412COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00440787 Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 205windowlibraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00454D93 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 109libraryloadermemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406339 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 65windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004394AC Relevance: 24.8, APIs: 3, Strings: 11, Instructions: 341windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00460668 Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 164libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00410321 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 395timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00407EE7 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 133keyboardCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004027D1 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 75windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040A1D1 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 68windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040BE51 Relevance: 19.7, APIs: 13, Instructions: 180COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00409D4F Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 170windowsleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004280C5 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 140registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042826C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 130registryshareCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00427F88 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 106registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040C0FE Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 80sleeptimewindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004050F6 Relevance: 18.2, APIs: 12, Instructions: 170COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043C28D Relevance: 18.2, APIs: 12, Instructions: 156COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D0AA Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 70networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00454ABB Relevance: 17.5, APIs: 6, Strings: 4, Instructions: 49libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004288DC Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 251comCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B0F2 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 170windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040A282 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 120windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402263 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 79windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402090 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041991A Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 429sleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041835A Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 302comCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405841 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 226libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00441336 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 129windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040CC93 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 110filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043DA04 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 94windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00409980 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 79libraryfileloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043ACC5 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 53registrywindowclipboardCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040BB27 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041BBF4 Relevance: 13.8, APIs: 9, Instructions: 291COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045B0D3 Relevance: 13.7, APIs: 9, Instructions: 186COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040EC0D Relevance: 13.6, APIs: 9, Instructions: 91COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00435523 Relevance: 13.6, APIs: 9, Instructions: 70fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401E83 Relevance: 13.6, APIs: 9, Instructions: 57sleepkeyboardwindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040AC7F Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 133windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00440441 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 112windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043B988 Relevance: 12.1, APIs: 8, Instructions: 115COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00443B45 Relevance: 12.1, APIs: 8, Instructions: 66windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040EFEE Relevance: 12.0, APIs: 8, Instructions: 33COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044432D Relevance: 10.7, APIs: 7, Instructions: 227COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00435158 Relevance: 10.7, APIs: 7, Instructions: 221fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00425D61 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 160sleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00454227 Relevance: 10.7, APIs: 7, Instructions: 158COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040DD6B Relevance: 10.6, APIs: 7, Instructions: 129timeCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00440EF7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 79windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004409A6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 63windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045492A Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004549A1 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043EA4A Relevance: 9.4, APIs: 6, Instructions: 419windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00459D25 Relevance: 9.2, APIs: 6, Instructions: 250COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004399A1 Relevance: 9.1, APIs: 6, Instructions: 131windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00440DF3 Relevance: 9.1, APIs: 6, Instructions: 93windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00444601 Relevance: 9.0, APIs: 6, Instructions: 46COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402165 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00440FE7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 91windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00409F5A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004526CD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70threadCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00452641 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00443C20 Relevance: 7.8, APIs: 5, Instructions: 258windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004303AA Relevance: 7.7, APIs: 5, Instructions: 234COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041CF2E Relevance: 7.6, APIs: 5, Instructions: 142fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040F19F Relevance: 7.6, APIs: 5, Instructions: 110sleepCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041EBD6 Relevance: 7.6, APIs: 5, Instructions: 110COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043C199 Relevance: 7.6, APIs: 5, Instructions: 87windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004446D9 Relevance: 7.6, APIs: 5, Instructions: 62COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00426EF4 Relevance: 7.6, APIs: 5, Instructions: 60networkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00443A5A Relevance: 7.6, APIs: 5, Instructions: 56windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00409903 Relevance: 7.6, APIs: 5, Instructions: 55fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004094DB Relevance: 7.6, APIs: 5, Instructions: 52sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D649 Relevance: 7.6, APIs: 5, Instructions: 51sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004439EF Relevance: 7.5, APIs: 5, Instructions: 45windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004449FB Relevance: 7.5, APIs: 5, Instructions: 30COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044466F Relevance: 7.5, APIs: 5, Instructions: 26COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402E26 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040AE17 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00440371 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00440AE3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74windowlibraryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043AD9E Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 70windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00440203 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004034C8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00440A4D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0046143D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004057BB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0046592F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043E196 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004278F3 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004279F2 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00427A25 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00409AE0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00427AB6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040576F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043A8CD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043A8FC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00427926 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043A92B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004279C3 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D9E9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040DA47 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00427A58 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040DA76 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040DA18 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040DAD4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00427AE9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00427A87 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040DAA5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00427B47 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00427B76 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00427B18 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041ED66 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00433D7C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041ED08 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041ED37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00433DDA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00433DAB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045FB41 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040E2B5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042799C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00431A91 Relevance: 6.2, APIs: 4, Instructions: 187COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402BE7 Relevance: 6.1, APIs: 4, Instructions: 136windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004284B9 Relevance: 6.1, APIs: 4, Instructions: 122COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043D761 Relevance: 6.1, APIs: 4, Instructions: 120COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043C049 Relevance: 6.1, APIs: 4, Instructions: 113COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00443EEE Relevance: 6.1, APIs: 4, Instructions: 99COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043B51A Relevance: 6.1, APIs: 4, Instructions: 88windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043DBDD Relevance: 6.1, APIs: 4, Instructions: 82windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404290 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040263F Relevance: 6.1, APIs: 4, Instructions: 68windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00427054 Relevance: 6.1, APIs: 4, Instructions: 65networkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004447A1 Relevance: 6.1, APIs: 4, Instructions: 61COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00444946 Relevance: 6.1, APIs: 4, Instructions: 61COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040C077 Relevance: 6.1, APIs: 4, Instructions: 51synchronizationthreadwindowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043F415 Relevance: 6.0, APIs: 4, Instructions: 46windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D921 Relevance: 6.0, APIs: 4, Instructions: 46COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00454B7A Relevance: 6.0, APIs: 4, Instructions: 45threadCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043AC55 Relevance: 6.0, APIs: 4, Instructions: 42COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043B00D Relevance: 6.0, APIs: 4, Instructions: 39processCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004445AF Relevance: 6.0, APIs: 4, Instructions: 26COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041C1FB Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 175shareCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00441224 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044015C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043FEB1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040200D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401F15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401F92 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042DC99 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00422413 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32sleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004355BA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040EBA0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040EB54 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040E27C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405AA7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041A21D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043A453 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043A41D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042DC0D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 16windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042DD54 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 16windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004525D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401D3C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00407480 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 9windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00441FB5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 9windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 5.5% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 2000 |
| Total number of Limit Nodes: | 49 |
Graph
Function 004060C8 Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 165registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040108C Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 151windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004012BA Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 59windowregistryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041A2F7 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|