Edit tour
Windows
Analysis Report
yL0Hf1O27H.exe
Overview
General Information
| Sample name: | yL0Hf1O27H.exerenamed because original name is a hash value |
| Original sample name: | d7429c7ecea552403d8e9b420578f954f5bf5407996afaa36db723a0c070c4de.exe |
| Analysis ID: | 1670731 |
| MD5: | 949d9523269604db26065f002feef9ae |
| SHA1: | 3b8ae803f281ab7fc93577b79562bd7819e068bd |
| SHA256: | d7429c7ecea552403d8e9b420578f954f5bf5407996afaa36db723a0c070c4de |
| Tags: | cactusexeransomwareuser-TheRavenFile |
| Infos: |  |
 | |
Detection
Babuk
| Score: | 72 |
| Range: | 0 - 100 |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Babuk Ransomware
Deletes shadow drive data (may be related to ransomware)
Found Tor onion address
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May use bcdedit to modify the Windows boot settings
PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
yL0Hf1O27H.exe (PID: 7380 cmdline: "C:\Users\ user\Deskt op\yL0Hf1O 27H.exe" MD5: 949D9523269604DB26065F002FEEF9AE)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Babuk | Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled versions, but ESX and a 32bit old PE executable were observed over time. as well It uses an Elliptic Curve Algorithm (Montgomery Algorithm) to build the encryption keys. | No Attribution |
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_babuk | Yara detected Babuk Ransomware | Joe Security | ||
| JoeSecurity_babuk | Yara detected Babuk Ransomware | Joe Security | ||
| JoeSecurity_babuk | Yara detected Babuk Ransomware | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_babuk | Yara detected Babuk Ransomware | Joe Security | ||
| JoeSecurity_babuk | Yara detected Babuk Ransomware | Joe Security |
⊘No Sigma rule has matched
⊘No Suricata rule has matched
- • AV Detection
- • Compliance
- • Software Vulnerabilities
- • Networking
- • Spam, unwanted Advertisements and Ransom Demands
- • System Summary
- • Data Obfuscation
- • Persistence and Installation Behavior
- • Malware Analysis System Evasion
- • Anti Debugging
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 1_2_00EF8120 | |
Networking | |
|---|
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
Spam, unwanted Advertisements and Ransom Demands | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 1_2_00E900B0 | |
| Source: | Code function: | 1_2_00DC8060 | |
| Source: | Code function: | 1_2_00C6C1C0 | |
| Source: | Code function: | 1_2_00D64190 | |
| Source: | Code function: | 1_2_00DCC170 | |
| Source: | Code function: | 1_2_00D1C250 | |
| Source: | Code function: | 1_2_00C88380 | |
| Source: | Code function: | 1_2_00ECC340 | |
| Source: | Code function: | 1_2_00E404C0 | |
| Source: | Code function: | 1_2_00CFC450 | |
| Source: | Code function: | 1_2_00EC8450 | |
| Source: | Code function: | 1_2_00D24430 | |
| Source: | Code function: | 1_2_00DD0430 | |
| Source: | Code function: | 1_2_00E705A0 | |
| Source: | Code function: | 1_2_00D4C550 | |
| Source: | Code function: | 1_2_00C6851C | |
| Source: | Code function: | 1_2_00C68520 | |
| Source: | Code function: | 1_2_00E706E0 | |
| Source: | Code function: | 1_2_00D486C0 | |
| Source: | Code function: | 1_2_00D8C7A0 | |
| Source: | Code function: | 1_2_00C4C700 | |
| Source: | Code function: | 1_2_00E8C700 | |
| Source: | Code function: | 1_2_00E70860 | |
| Source: | Code function: | 1_2_00C6C980 | |
| Source: | Code function: | 1_2_00E88980 | |
| Source: | Code function: | 1_2_00C6C971 | |
| Source: | Code function: | 1_2_00E98AE0 | |
| Source: | Code function: | 1_2_00C70AF0 | |
| Source: | Code function: | 1_2_00C9CAA0 | |
| Source: | Code function: | 1_2_00C9CBE4 | |
| Source: | Code function: | 1_2_00C68B00 | |
| Source: | Code function: | 1_2_00C70CD0 | |
| Source: | Code function: | 1_2_00CA8CB4 | |
| Source: | Code function: | 1_2_00CA8C00 | |
| Source: | Code function: | 1_2_00DCCDF0 | |
| Source: | Code function: | 1_2_00CE0DB0 | |
| Source: | Code function: | 1_2_00CECED0 | |
| Source: | Code function: | 1_2_00DD0E80 | |
| Source: | Code function: | 1_2_00D28EA0 | |
| Source: | Code function: | 1_2_00E10E60 | |
| Source: | Code function: | 1_2_00CA8E57 | |
| Source: | Code function: | 1_2_00D44E20 | |
| Source: | Code function: | 1_2_00D8CE20 | |
| Source: | Code function: | 1_2_00D30F50 | |
| Source: | Code function: | 1_2_00C69068 | |
| Source: | Code function: | 1_2_00C69186 | |
| Source: | Code function: | 1_2_00C71190 | |
| Source: | Code function: | 1_2_00DA1180 | |
| Source: | Code function: | 1_2_00C6D100 | |
| Source: | Code function: | 1_2_00D1D3A0 | |
| Source: | Code function: | 1_2_00D2531D | |
| Source: | Code function: | 1_2_00CE14F0 | |
| Source: | Code function: | 1_2_00DC1440 | |
| Source: | Code function: | 1_2_00DAD460 | |
| Source: | Code function: | 1_2_00C69400 | |
| Source: | Code function: | 1_2_00CC95D0 | |
| Source: | Code function: | 1_2_00C695DB | |
| Source: | Code function: | 1_2_00D45690 | |
| Source: | Code function: | 1_2_00C6D638 | |
| Source: | Code function: | 1_2_00C717C0 | |
| Source: | Code function: | 1_2_00D497A0 | |
| Source: | Code function: | 1_2_00D458C0 | |
| Source: | Code function: | 1_2_00C698F7 | |
| Source: | Code function: | 1_2_00E118A0 | |
| Source: | Code function: | 1_2_00C9D9B0 | |
| Source: | Code function: | 1_2_00C7D920 | |
| Source: | Code function: | 1_2_00C6D930 | |
| Source: | Code function: | 1_2_00DADA00 | |
| Source: | Code function: | 1_2_00ED9A00 | |
| Source: | Code function: | 1_2_00CF9B90 | |
| Source: | Code function: | 1_2_00C69BA0 | |
| Source: | Code function: | 1_2_00D51BA0 | |
| Source: | Code function: | 1_2_00E71EF2 | |
| Source: | Code function: | 1_2_00CF9EE7 | |
| Source: | Code function: | 1_2_00C6DE83 | |
| Source: | Code function: | 1_2_00DD5FA0 | |
| Source: | Code function: | 1_2_00DAE0C0 | |
| Source: | Code function: | 1_2_00DA609A | |
| Source: | Code function: | 1_2_00EBA040 | |
| Source: | Code function: | 1_2_00D3E030 | |
| Source: | Code function: | 1_2_00C721E0 | |
| Source: | Code function: | 1_2_00DD6190 | |
| Source: | Code function: | 1_2_00DA22A0 | |
| Source: | Code function: | 1_2_00E6E3A0 | |
| Source: | Code function: | 1_2_00C7232C | |
| Source: | Code function: | 1_2_00CA2051 | |
| Source: | Code function: | 1_2_00E55057 | |
| Source: | Code function: | 1_2_00CA92F0 | |
| Source: | Code function: | 1_2_00CA93F8 | |
| Source: | Code function: | 1_2_00D49B70 | |
| Source: | Code function: | 1_2_00CA1E00 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Static PE information: | ||
| Source: | ReversingLabs: | ||
| Source: | Virustotal: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Static PE information: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 1_2_00F53659 | |
| Source: | Code function: | 1_2_00EC8373 | |
| Source: | Code function: | 1_2_00F28E1D | |
| Source: | Code function: | 1_2_00F10C65 | |
| Source: | Code function: | 1_2_00F10C88 | |
| Source: | Code function: | 1_2_00F2957D | |
| Source: | Code function: | 1_2_00F11A10 | |
| Source: | Code function: | 1_2_00F11A2F | |
| Source: | Code function: | 1_2_00F53659 | |
| Source: | Code function: | 1_2_00F11F80 | |
| Source: | Code function: | 1_2_00F11F9F | |
| Source: | Code function: | 1_2_00F56A06 | |
| Source: | Code function: | 1_2_00F25F5E | |
| Source: | Binary or memory string: | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Code function: | 1_2_00E951B0 | |
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 Bootkit | Path Interception | 1 Bootkit | OS Credential Dumping | System Service Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Deobfuscate/Decode Files or Information | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Proxy | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 3 Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 File Deletion | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 69% | ReversingLabs | Win32.Ransomware.Cactus | ||
| 72% | Virustotal | Browse | ||
| 100% | Avira | TR/Redcap.qqjie |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
⊘No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false | high | |||
| true |
| unknown |
⊘No contacted IP infos
| Joe Sandbox version: | 42.0.0 Malachite |
| Analysis ID: | 1670731 |
| Start date and time: | 2025-04-22 06:59:19 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 5m 10s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 8 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | yL0Hf1O27H.exerenamed because original name is a hash value |
| Original Sample Name: | d7429c7ecea552403d8e9b420578f954f5bf5407996afaa36db723a0c070c4de.exe |
| Detection: | MAL |
| Classification: | mal72.rans.evad.winEXE@1/0@0/0 |
| EGA Information: | Failed |
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis
(whitelisted): MpCmdRun.exe, d llhost.exe, WMIADAP.exe, SIHCl ient.exe, conhost.exe, svchost .exe - Excluded IPs from analysis (wh
itelisted): 184.29.183.29, 4.2 45.163.56 - Excluded domains from analysis
(whitelisted): fs.microsoft.c om, slscr.update.microsoft.com , ctldl.windowsupdate.com, pro d.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edg ekey.net, fs-wildcard.microsof t.com.edgekey.net.globalredir. akadns.net, e16604.dscf.akamai edge.net, c.pki.goog, fe3cr.de livery.mp.microsoft.com - Execution Graph export aborted
for target yL0Hf1O27H.exe, PI D 7380 because there are no ex ecuted function - Not all processes where analyz
ed, report is missing behavior information
⊘No simulations
⊘No context
⊘No context
⊘No context
⊘No context
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 6.275073606733335 |
| TrID: |
|
| File name: | yL0Hf1O27H.exe |
| File size: | 8'084'112 bytes |
| MD5: | 949d9523269604db26065f002feef9ae |
| SHA1: | 3b8ae803f281ab7fc93577b79562bd7819e068bd |
| SHA256: | d7429c7ecea552403d8e9b420578f954f5bf5407996afaa36db723a0c070c4de |
| SHA512: | 2c767b499b82e5c25906cb160f9a0dcf8e91271eb47e44c6310a57c9e64869f8cf0549905ecd2f0367d9a62ab8ffbb4370f2688c3f0a849fe8ea6e2b45102d4c |
| SSDEEP: | 196608:i+SsoXyngTDzFC38qMXu1Yd6Bym+xKNMvI+VZtazrN:JPODO/IQj+VZtazB |
| TLSH: | 70862B56E64B0CF5EDD377B0918BE33F9734AD20CA76DFB7EA088515A8232C1291A711 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....aFd.0[............(..3..hJ..0............3...@..........................._...........@... .......................K.M.. |
 | |
| Icon Hash: | 90cececece8e8eb0 |
| Entrypoint: | 0x4013f0 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows cui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT |
| Time Stamp: | 0x644661F4 [Mon Apr 24 11:03:16 2023 UTC] |
| TLS Callbacks: | 0x665d90, 0x665d40, 0x67e060 |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 344364e8f3e5d0fec38a8e27a4a1ebee |
| Instruction |
|---|
| mov dword ptr [008BC3F4h], 00000000h |
| jmp 00007FF9BCC73166h |
| nop |
| sub esp, 1Ch |
| mov eax, dword ptr [esp+20h] |
| mov dword ptr [esp], eax |
| call 00007FF9BCEED49Eh |
| cmp eax, 01h |
| sbb eax, eax |
| add esp, 1Ch |
| ret |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| push ebp |
| mov ebp, esp |
| push edi |
| push esi |
| push ebx |
| sub esp, 1Ch |
| mov dword ptr [esp], 00743000h |
| call dword ptr [008BE6E0h] |
| sub esp, 04h |
| test eax, eax |
| je 00007FF9BCC73475h |
| mov ebx, eax |
| mov dword ptr [esp], 00743000h |
| call dword ptr [008BE74Ch] |
| mov edi, dword ptr [008BE6F0h] |
| sub esp, 04h |
| mov dword ptr [0088A020h], eax |
| mov dword ptr [esp+04h], 00743013h |
| mov dword ptr [esp], ebx |
| call edi |
| sub esp, 08h |
| mov esi, eax |
| mov dword ptr [esp+04h], 00743029h |
| mov dword ptr [esp], ebx |
| call edi |
| sub esp, 08h |
| mov dword ptr [0073F000h], eax |
| test esi, esi |
| je 00007FF9BCC73413h |
| mov dword ptr [esp+04h], 0088A024h |
| mov dword ptr [esp], 007DF104h |
| call esi |
| mov dword ptr [esp], 004014C0h |
| call 00007FF9BCC73363h |
| lea esp, dword ptr [ebp-0Ch] |
| pop ebx |
| pop esi |
| pop edi |
| pop ebp |
| ret |
| lea esi, dword ptr [esi+00000000h] |
| mov eax, 0066B220h |
| mov esi, 0000AF90h |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x4bd000 | 0x4d | .edata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4be000 | 0x2304 | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4c3000 | 0x4e8 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x3cd528 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x33dd40 | 0x33de00 | de8e875dbba6089a6a1d0944c5f4fea6 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0x33f000 | 0x3188 | 0x3200 | 97dcabd4a3ca1a2d8f1f0dbdb0bd7721 | False | 0.1665625 | data | 2.0682827788461497 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rdata | 0x343000 | 0x9ba4c | 0x9bc00 | c1bcacf47e8739936b40547c9a184d1e | False | 0.36762013443017655 | data | 5.847910705763334 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| /4 | 0x3df000 | 0xaa554 | 0xaa600 | bca9143bf5e45cb88f90dd44dc3bb63b | False | 0.24266037692589876 | data | 5.033942301268186 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .bss | 0x48a000 | 0x32f98 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .edata | 0x4bd000 | 0x4d | 0x200 | 5bcebc800d6f8df5fcc8874feb25220f | False | 0.14453125 | data | 0.918401894725534 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .idata | 0x4be000 | 0x2304 | 0x2400 | ee1fe391dcdaac2d82858b6aece55d00 | False | 0.2935112847222222 | data | 4.931852064447922 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .CRT | 0x4c1000 | 0x34 | 0x200 | 4398feed3d23c035e5c37b420d75a208 | False | 0.0703125 | data | 0.2843074176589459 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .tls | 0x4c2000 | 0x8 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x4c3000 | 0x4e8 | 0x600 | 37f97129e05dacfda285dbb6b670b569 | False | 0.3326822916666667 | data | 4.780177654284121 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .reloc | 0x4c4000 | 0x1c51c | 0x1c600 | 3ea448a42cabbf825d5fb9bd37a9581d | False | 0.0011615501101321585 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /14 | 0x4e1000 | 0x14c8 | 0x1600 | 249521a502388e36a4acdf97858d47fe | False | 0.3719815340909091 | data | 3.2801834758309116 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /29 | 0x4e3000 | 0xc835a | 0xc8400 | 6a6433299f883d52ed9917969a1fdb86 | False | 0.2935722436797753 | data | 5.9997540760384895 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /41 | 0x5ac000 | 0xc4a5 | 0xc600 | 660ec4d16a58a4ec19c2fa58b64151de | False | 0.23413825757575757 | data | 4.941835405504148 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /55 | 0x5b9000 | 0x169e6 | 0x16a00 | 80b5e10b82c34f95e54329010eb7f076 | False | 0.46527537983425415 | data | 5.272478874040008 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /67 | 0x5d0000 | 0x2e71 | 0x3000 | 0a2ba93231e68bdf6755b85e8418a13c | False | 0.2574055989583333 | data | 4.520856658947095 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /78 | 0x5d3000 | 0x82a3 | 0x8400 | 9cacc14b2468550aedc1d748e55515df | False | 0.09605823863636363 | data | 4.957577458563776 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /94 | 0x5dc000 | 0x12c11 | 0x12e00 | 947b9bb889f25b772560f71e8b113be4 | False | 0.5016556291390728 | data | 5.99632915100097 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /110 | 0x5ef000 | 0x15a1 | 0x1600 | 71cc9aeecfff579c84c265ae2b67d97c | False | 0.6695667613636364 | data | 6.085548381673256 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_MANIFEST | 0x4c3058 | 0x48f | XML 1.0 document, ASCII text | 0.40102827763496146 |
| DLL | Import |
|---|---|
| KERNEL32.DLL | AcquireSRWLockExclusive, AcquireSRWLockShared, AddVectoredExceptionHandler, CloseHandle, ConvertFiberToThread, ConvertThreadToFiberEx, CopyFileW, CreateDirectoryW, CreateEventA, CreateFiberEx, CreateFileW, CreateHardLinkW, CreateMutexW, CreateProcessW, CreateSemaphoreA, CreateToolhelp32Snapshot, DeleteCriticalSection, DeleteFiber, DeleteFileW, DuplicateHandle, EnterCriticalSection, FindClose, FindFirstFileW, FindFirstVolumeW, FindNextFileW, FindNextVolumeW, FindVolumeClose, FormatMessageA, FormatMessageW, FreeLibrary, GetACP, GetConsoleMode, GetConsoleWindow, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetDiskFreeSpaceExW, GetDriveTypeW, GetEnvironmentVariableW, GetFileAttributesW, GetFileInformationByHandle, GetFileSizeEx, GetFileType, GetFullPathNameW, GetHandleInformation, GetLastError, GetLogicalDriveStringsW, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExA, GetModuleHandleExW, GetModuleHandleW, GetProcAddress, GetProcessAffinityMask, GetProcessHeap, GetProcessId, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetTempPathW, GetThreadContext, GetThreadPriority, GetTickCount64, GetVersion, GetVolumeInformationW, HeapAlloc, HeapFree, InitializeCriticalSection, InitializeSRWLock, IsDBCSLeadByteEx, IsDebuggerPresent, IsProcessorFeaturePresent, K32GetProcessImageFileNameW, LeaveCriticalSection, LoadLibraryA, LoadLibraryW, LocalAlloc, LocalFree, MoveFileExW, MultiByteToWideChar, OpenProcess, OutputDebugStringA, Process32NextW, RaiseException, ReadConsoleA, ReadConsoleW, ReleaseSRWLockExclusive, ReleaseSRWLockShared, ReleaseSemaphore, RemoveDirectoryW, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, SetConsoleMode, SetEndOfFile, SetEvent, SetFileAttributesW, SetFilePointer, SetLastError, SetProcessAffinityMask, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, Sleep, SuspendThread, SwitchToFiber, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryEnterCriticalSection, VirtualAlloc, VirtualFree, VirtualLock, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WideCharToMultiByte, WriteFile |
| ADVAPI32.dll | AddAccessDeniedAce, AllocateAndInitializeSid, CloseServiceHandle, ControlService, CryptAcquireContextW, CryptGenRandom, CryptReleaseContext, DeregisterEventSource, InitializeAcl, OpenSCManagerA, OpenServiceA, RegisterEventSourceW, ReportEventW, SetSecurityInfo |
| msvcrt.dll | __getmainargs, __initenv, __mb_cur_max, __p__commode, __p__fmode, __set_app_type, __setusermatherr, _amsg_exit, _beginthreadex, _cexit, _close, _close, _endthreadex, _errno, _exit, _fdopen, _filelengthi64, _fileno, _fileno, _findclose, _fstat64, _get_osfhandle, _initterm, _iob, _lock, _lseek, _lseeki64, _onexit, _open, _read, _read, _setjmp3, _setmode, _snwprintf, _stat, _strdup, _strdup, _strtoi64, _telli64, _strtoui64, _ultoa, _unlock, _vsnprintf, _vsnwprintf, _wchdir, _wchmod, _wfindfirst, _wfindnext, _wfopen, _wfullpath, _wgetcwd, _wmkdir, _wopen, _wremove, _wrename, _write, _write, _wstat64, _wsystem, _wutime, abort, atoi, calloc, clearerr, clock, exit, fclose, feof, ferror, fflush, fgetpos, fgets, fopen, fprintf, fputc, fputs, fputwc, fread, free, fseek, fsetpos, ftell, fwprintf, fwrite, getc, getenv, getwc, gmtime, isspace, iswctype, localtime, isxdigit, localeconv, longjmp, malloc, memchr, memcpy, memmove, memset, memcmp, printf, putc, putwc, qsort, raise, realloc, remove, setlocale, setvbuf, signal, sprintf, strcat, strchr, strcmp, strcoll, strcpy, strcspn, strerror, strftime, strlen, strncmp, strncpy, strrchr, strspn, strstr, strtol, strtoul, strxfrm, time, tolower, towlower, towupper, ungetc, ungetwc, vfprintf, wcscat, wcscmp, wcscoll, wcscpy, wcsftime, wcslen, wcsncmp, wcsstr, wcstol, wcstombs, wcsxfrm |
| RstrtMgr.DLL | RmEndSession, RmGetList, RmRegisterResources, RmShutdown, RmStartSession |
| SHELL32.dll | IsUserAnAdmin, StrStrIW |
| USER32.dll | GetProcessWindowStation, GetUserObjectInformationW, MessageBoxW, ShowWindow |
| WS2_32.dll | gethostbyaddr, getservbyname, getservbyport, htonl, htons, inet_addr, inet_ntoa |
| WSOCK32.DLL | WSACleanup, WSAGetLastError, WSASetLastError, WSAStartup, accept, bind, closesocket, connect, gethostbyname, getsockname, getsockopt, ioctlsocket, listen, ntohs, recv, select, send, setsockopt, shutdown, socket |
| Name | Ordinal | Address |
|---|---|---|
| OPENSSL_Applink | 1 | 0x40540d |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
Click to jump to process
Click to jump to process
| Target ID: | 1 |
| Start time: | 01:00:23 |
| Start date: | 22/04/2025 |
| Path: | C:\Users\user\Desktop\yL0Hf1O27H.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xc20000 |
| File size: | 8'084'112 bytes |
| MD5 hash: | 949D9523269604DB26065F002FEEF9AE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | false |
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
