Windows
Analysis Report
epht1Y3TGZ.exe
Overview
General Information
Sample name: | epht1Y3TGZ.exe (renamed because the original name is a hash value) |
Original sample name: | 25860926414bf43383246f7c773a8d6c.exe |
Analysis ID: | 1518342 |
MD5: | 25860926414bf43383246f7c773a8d6c |
SHA1: | 760390a4a14df085f4c841067f52c79409cdc93e |
SHA256: | a8e552944846a2f5e8fefea4a250046da29d74d1f58f7a868258e6ded9597958 |
Tags: | exe, user-abuse_ch |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- epht1Y3TGZ.exe (PID: 6640, cmdline: "C:\Users\user\Desktop\epht1Y3TGZ.exe", MD5: 25860926414BF43383246F7C773A8D6C)
  - DZIPR.exe (PID: 6864, cmdline: "C:\Users\user\DZIPR.exe", MD5: EC9CE1D67F98072281015C7726FBA245)
  - DZIPR.exe (PID: 7008, cmdline: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe, MD5: EC9CE1D67F98072281015C7726FBA245)
  - cmd.exe (PID: 7064, cmdline: C:\Windows\SysWOW64\cmd.exe, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - conhost.exe (PID: 7044, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - explorer.exe (PID: 2336, cmdline: C:\Windows\SysWOW64\explorer.exe, MD5: DD6597597673F72E10C9DE7901FBA0A8)
- DZIPR.exe (PID: 7056, cmdline: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe, MD5: EC9CE1D67F98072281015C7726FBA245)
  - cmd.exe (PID: 5568, cmdline: C:\Windows\SysWOW64\cmd.exe, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - conhost.exe (PID: 744, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - explorer.exe (PID: 4280, cmdline: C:\Windows\SysWOW64\explorer.exe, MD5: DD6597597673F72E10C9DE7901FBA0A8)
- DZIPR.exe (PID: 764, cmdline: "C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe", MD5: EC9CE1D67F98072281015C7726FBA245)
  - cmd.exe (PID: 5296, cmdline: C:\Windows\SysWOW64\cmd.exe, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - conhost.exe (PID: 5660, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - explorer.exe (PID: 6752, cmdline: C:\Windows\SysWOW64\explorer.exe, MD5: DD6597597673F72E10C9DE7901FBA0A8)
- cleanup

The indentation above follows the grouping of the extracted list; the deeper parent/child nesting of the original tree is not preserved here. What the list does show is that every DZIPR.exe instance started from AppData\Roaming\Ruy_driverv2 is followed by a 32-bit cmd.exe (with its conhost.exe) and a 32-bit explorer.exe from SysWOW64. The interactive shell normally runs as C:\Windows\explorer.exe, so a SysWOW64 explorer.exe in this tree is a process the sample started, not the user's desktop.
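The chain that stands out in the list above is a DZIPR.exe running from AppData\Roaming\Ruy_driverv2 spawning a 32-bit cmd.exe and a 32-bit explorer.exe out of SysWOW64. The following is an added example of detection logic over process-creation events; it is not part of the Joe Sandbox report. The event list is constructed from the PIDs and paths in the list above, the parent PIDs are an assumption (the tree's nesting is not preserved here), and two benign processes are added as noise.

```python
"""Flag the DZIPR.exe -> cmd.exe -> explorer.exe chain from the process list above.

Added example; not part of the Joe Sandbox report. EVENTS is constructed from the
PIDs and command lines in the report; the parent PIDs are an assumption, since
the report's tree nesting did not survive extraction, and two benign processes
are added as noise.
"""
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image")

# Constructed process-creation events (Sysmon event 1 style); ppid values assumed.
EVENTS = [
    Event(6640, 1000, r"C:\Users\user\Desktop\epht1Y3TGZ.exe"),
    Event(6864, 6640, r"C:\Users\user\DZIPR.exe"),
    Event(7008, 6864, r"C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe"),
    Event(7064, 7008, r"C:\Windows\SysWOW64\cmd.exe"),
    Event(7044, 7064, r"C:\Windows\system32\conhost.exe"),
    Event(2336, 7064, r"C:\Windows\SysWOW64\explorer.exe"),
    Event(4000, 900, r"C:\Windows\explorer.exe"),        # the real shell (benign noise)
    Event(4100, 4000, r"C:\Windows\System32\cmd.exe"),   # user-opened console (benign noise)
]

# Directories an unprivileged user can write to; a shell whose ancestor runs
# from one of them deserves a look.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")
TARGETS = ("cmd.exe", "explorer.exe")
MAX_HOPS = 3


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_user_writable(path: str) -> bool:
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE)


def ancestry(events, pid: int, max_hops: int = MAX_HOPS) -> list:
    """Return [process, parent, grandparent, ...], walking at most max_hops parents."""
    by_pid = {e.pid: e for e in events}
    chain = []
    current = by_pid.get(pid)
    while current is not None and len(chain) <= max_hops:
        chain.append(current)
        current = by_pid.get(current.ppid)
    return chain


def find_suspicious(events) -> list:
    """Return (rule, pid, image chain) findings for two rules.

    wow64_explorer:    explorer.exe launched from SysWOW64. The interactive shell
                       is C:\\Windows\\explorer.exe; the 32-bit copy is a common
                       injection target rather than something a user starts.
    user_dir_ancestor: cmd.exe or explorer.exe with an ancestor (within MAX_HOPS)
                       running from a user-writable directory.
    """
    findings = []
    for event in events:
        name = basename(event.image)
        if name == "explorer.exe" and "\\syswow64\\" in event.image.lower():
            findings.append(("wow64_explorer", event.pid, [event.image]))
        if name in TARGETS:
            chain = ancestry(events, event.pid)
            origin = next((a for a in chain[1:] if is_user_writable(a.image)), None)
            if origin is not None:
                images = [a.image for a in chain[: chain.index(origin) + 1]]
                findings.append(("user_dir_ancestor", event.pid, images))
    return findings


if __name__ == "__main__":
    for rule, pid, images in find_suspicious(EVENTS):
        print(rule, pid, " <- ".join(images))
```

The ancestry walk is bounded on purpose: an unbounded walk on a real endpoint always ends at explorer.exe or services.exe and every console would match through a user's own shell. With the assumed links, the two SysWOW64 processes of the first group are reported (explorer.exe 2336 on both rules, cmd.exe 7064 on the second) and the benign shell and console are not.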
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Remcos, RemcosRAT | Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity. | | | |
{"Version": "5.1.1 Pro", "Host:Port:Password": "fullimmersion777.com:8090:0", "Assigned name": "Back-September", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "hello.exe", "Startup value": "Disable", "Hide file": "Enable", "Mutex": "rimcsl-94LESJ", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
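Turning the extracted configuration into something a hunt can act on, as an added example that is not part of the report and not Remcos or Joe Security code: it splits the Host:Port:Password field, reads the persistence switches, and matches the result against constructed host telemetry. The "|" separator for several C2 entries, the Run-key value data, and the mutant-name prefix in the sample telemetry are assumptions.

```python
"""Derive hunting artifacts from the Remcos configuration above.

Added example; this is not part of the Joe Sandbox report and not Remcos or
Joe Security code. CONFIG copies fields from the extracted configuration; the
SAMPLE_* telemetry lists are constructed for the demonstration.
"""
from dataclasses import dataclass

# Fields copied from the configuration extracted in the report.
CONFIG = {
    "Version": "5.1.1 Pro",
    "Host:Port:Password": "fullimmersion777.com:8090:0",
    "Assigned name": "Back-September",
    "Setup HKCU\\Run": "Enable",
    "Setup HKLM\\Run": "Enable",
    "Install path": "Application path",
    "Copy file": "hello.exe",
    "Mutex": "rimcsl-94LESJ",
    "Keylog file": "logs.dat",
}

RUN_KEY = "Software\\Microsoft\\Windows\\CurrentVersion\\Run"


@dataclass
class RemcosIocs:
    c2: list          # (host, port, password) tuples
    mutex: str
    run_hives: list   # hives in which a Run value is configured
    copy_file: str
    keylog_file: str


def parse_c2(value: str) -> list:
    """Split a 'host:port:password' field into tuples.

    Assumption (the report shows one entry): several C2 entries may be joined
    with '|'. Splitting on the first two ':' only keeps a password that itself
    contains ':' intact.
    """
    entries = []
    for raw in value.split("|"):
        raw = raw.strip()
        if not raw:
            continue
        host, port, password = raw.split(":", 2)
        entries.append((host.lower(), int(port), password))
    return entries


def derive_iocs(config: dict) -> RemcosIocs:
    """Translate configuration switches into the artifacts a host would show."""
    hives = [h for h in ("HKCU", "HKLM") if config.get(f"Setup {h}\\Run") == "Enable"]
    return RemcosIocs(
        c2=parse_c2(config["Host:Port:Password"]),
        mutex=config["Mutex"],
        run_hives=hives,
        copy_file=config.get("Copy file", ""),
        keylog_file=config.get("Keylog file", ""),
    )


def _leaf(name: str) -> str:
    # Mutant names in handle listings carry a \Sessions\N\BaseNamedObjects\ prefix (assumed format).
    return name.rsplit("\\", 1)[-1]


def match_observations(iocs: RemcosIocs, mutexes, run_values, connections) -> list:
    """Return (kind, detail) hits for one host.

    mutexes:     mutant object names seen on the host
    run_values:  (hive, value_data) pairs read from the Run keys
    connections: (remote_host, remote_port) pairs from network telemetry
    """
    hits = []
    if iocs.mutex in {_leaf(m) for m in mutexes}:
        hits.append(("mutex", iocs.mutex))
    for hive, data in run_values:
        if hive in iocs.run_hives and iocs.copy_file and data.lower().endswith(iocs.copy_file.lower()):
            hits.append(("run_key", f"{hive}\\{RUN_KEY} -> {data}"))
    c2_endpoints = {(host, port) for host, port, _ in iocs.c2}
    for host, port in connections:
        if (host.lower(), port) in c2_endpoints:
            hits.append(("c2", f"{host}:{port}"))
    return hits


# Constructed telemetry for the demonstration (not sandbox output).
SAMPLE_MUTEXES = [
    "\\Sessions\\1\\BaseNamedObjects\\rimcsl-94LESJ",
    "\\Sessions\\1\\BaseNamedObjects\\SM0:6640:168:WilStaging_02",
]
SAMPLE_RUN_VALUES = [
    ("HKCU", "C:\\Users\\user\\AppData\\Roaming\\Ruy_driverv2\\hello.exe"),
    ("HKLM", "C:\\Program Files\\Vendor\\updater.exe"),
]
SAMPLE_CONNECTIONS = [("fullimmersion777.com", 8090), ("13.107.4.50", 443)]


def demo() -> list:
    return match_observations(derive_iocs(CONFIG), SAMPLE_MUTEXES, SAMPLE_RUN_VALUES, SAMPLE_CONNECTIONS)


if __name__ == "__main__":
    for kind, detail in demo():
        print(f"{kind:8s} {detail}")
```

The mutex and the C2 endpoint are the strong artifacts; the Run-key check only matches the configured file name (hello.exe) and should be confirmed against the hash of the dropped binary (the report gives EC9CE1D67F98072281015C7726FBA245 for DZIPR.exe). Note that the configuration is internally inconsistent (Install flag Disable, but both Run hives Enable), so the behavioural rows under Boot Survival, not the flag, are what to trust for persistence.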
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | |
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
| Windows_Trojan_Remcos_b296e965 | unknown | unknown | |
| REMCOS_RAT_variants | unknown | unknown | |
(15 entries in the full report; the first 5 are shown.)
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | |
| JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | |
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
| Windows_Trojan_Remcos_b296e965 | unknown | unknown | |
(53 entries in the full report; the first 5 are shown.)
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
| INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen | |
| JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
| INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen | |
| JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
(74 entries in the full report; the first 5 are shown. The same two CMSTP rules recur because they match in several sources; the source column was not preserved.)
System Summary
Source | Rule | Author |
---|---|---|
| | Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative |
AV Detection
Signature source | Entries | Identifiers preserved |
---|---|---|
Avira | 3 | |
Malware Configuration Extractor | 1 | |
File source | 21 | |
Integrated Neural Analysis Model | 1 | |
Joe Sandbox ML | 3 | |
Binary or memory string | 1 | memstr_b1ac216d-e |
Exploits
Signature source | Entries | Identifiers preserved |
---|---|---|
File source | 50 | |
Static PE information | 1 | |
Binary string | 5 | |
Code function | 5 | 0_2_0040301A, 0_2_00402B79, 1_2_6CC8748E, 2_2_6C89748E, 9_2_6F89748E |
File opened | 6 | |

The number before each address is the sandbox's process index; index 0 is epht1Y3TGZ.exe and its 0x0040xxxx addresses lie in the sample's own image. The three addresses ending in 748E under indices 1, 2 and 9 share their low-order bytes and differ only in the high-order bytes, i.e. the same module is reached at the same offset in three processes loaded at different bases, which is consistent with three of the DZIPR.exe instances under per-process ASLR.
Networking
Signature source | Entries | Identifiers preserved |
---|---|---|
URLs | 1 | |
String found in binary or memory | 49 | |
Code function | 3 | 1_2_6CC904EE, 2_2_6C8A04EE, 9_2_6F8A04EE |
File source | 21 | |

The URL and string values themselves were not preserved; the network indicator that survives on this page is the C2 endpoint from the extracted configuration, fullimmersion777.com:8090.
E-Banking Fraud
Signature source | Entries | Identifiers preserved |
---|---|---|
File source | 21 | |
System Summary
Signature source | Entries | Identifiers preserved |
---|---|---|
Matched rule | 60 | |
Code function | 3 | 9_2_6F8A0D95, 9_2_6F8A2932, 9_2_6F89E5F6 |
File created | 1 | |
Code function | 58 | 0_2_00404FAA, 0_2_0041206B, 0_2_0041022D, 0_2_00411F91; 1_2_6CC85E70, 1_2_6CC863F0, 1_2_6CC85CA0, 1_2_6CCA2CBB, 1_2_6CC96C6C, 1_2_6CC91D85, 1_2_6CC9AE45, 1_2_6CCA3E3B, 1_2_6CC95FB7, 1_2_6CCA586C, 1_2_6CC96860, 1_2_6CC9648C, 1_2_6CC817D0, 1_2_6CCA3743, 1_2_6CC81739, 1_2_6CC81730, 1_2_6CC9708C, 1_2_6CCA31FF; 2_2_6C895E70, 2_2_6C8963F0, 2_2_6C895CA0, 2_2_6C8B2CBB, 2_2_6C8A6C6C, 2_2_6C8A1D85, 2_2_6C8B3E3B, 2_2_6C8AAE45, 2_2_6C8A5FB7, 2_2_6C8B586C, 2_2_6C8A6860, 2_2_6C8A648C, 2_2_6C8917D0, 2_2_6C891731, 2_2_6C891730, 2_2_6C8B3743, 2_2_6C8A708C, 2_2_6C8B31FF; 9_2_6F895E70, 9_2_6F8963F0, 9_2_6F8A5FB7, 9_2_6F8B3E3B, 9_2_6F8AAE45, 9_2_6F8A1D85, 9_2_6F895CA0, 9_2_6F8B2CBB, 9_2_6F8A6C6C, 9_2_6F8B586C, 9_2_6F8A6860, 9_2_6F8917D0, 9_2_6F891731, 9_2_6F891730, 9_2_6F8B3743, 9_2_6F8A648C, 9_2_6F8B31FF, 9_2_6F8A708C |
Dropped File | 3 | |
Binary or memory string | 4 | |
Static PE information | 1 | |
Matched rule | 60 | |
Classification label | 1 | |
Code function | 4 | 0_2_00407776, 0_2_0040118A, 0_2_004034C1, 0_2_00401BDF |
File created | 1 | |
Mutant created | 3 | |
File created | 1 | |
File source | 5 | |
Process created | 6 | |
Static PE information | 1 | |
File read | 1 | |
Key opened | 1 | |
File read | 1 | |
Process created | 22 | |
Section loaded | 211 | |
LNK file | 1 | |
Static file information | 1 | |
Binary string | 5 | |
Code function | 1 | 0_2_00406D5D |
Static PE information | 6 | |
Static PE information | 5 | |
Code function | 7 | 0_2_00411C4E, 1_2_6CC95414, 1_2_6CC951B4, 2_2_6C8A5414, 2_2_6C8A51B4, 9_2_6F8A5414, 9_2_6F8A51B4 |
File created (dropped file) | 7 | |
File created (dropped file) | 2 | |
File created (dropped file) | 3 | |

The mutant names were not preserved, but three Mutant created entries alongside three DZIPR.exe instances started from Ruy_driverv2 is consistent with the configured mutex rimcsl-94LESJ being created by each of them; a single mutex name shared across re-launches is what makes it a usable host indicator.
Boot Survival |
---|
Hooking and other Techniques for Hiding and Protection |
---|
Malware Analysis System Evasion |
---|
HIPS / PFW / Operating System Protection Evasion |
---|
Stealing of Sensitive Information |
---|
Remote Access Functionality |
---|
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 311 Process Injection | 131 Masquerading | 1 Input Capture | 2 System Time Discovery | Remote Services | 1 Input Capture | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 2 Native API | 11 DLL Side-Loading | 1 Scheduled Task/Job | 311 Process Injection | LSASS Memory | 111 Security Software Discovery | Remote Desktop Protocol | 11 Archive Collected Data | 1 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 11 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 3 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 DLL Side-Loading | Cached Domain Credentials | 134 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira | BDS/Backdoor.Gen | ||
100% | Avira | BDS/Backdoor.Gen | ||
100% | Avira | BDS/Backdoor.Gen | ||
100% | Joe Sandbox ML | |||
100% | Joe Sandbox ML | |||
100% | Joe Sandbox ML | |||
0% | ReversingLabs | |||
0% | ReversingLabs |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1518342 |
Start date and time: | 2024-09-25 16:05:18 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 8m 51s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 19 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | epht1Y3TGZ.exe (renamed because original name is a hash value) |
Original Sample Name: | 25860926414bf43383246f7c773a8d6c.exe |
Detection: | MAL |
Classification: | mal100.troj.expl.evad.winEXE@22/16@0/0 |
EGA Information: |
HCA Information: |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
- Report creation exceeded the maximum time and may be missing disassembly code information.
- Report size exceeded maximum capacity and may be missing behavior information.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: epht1Y3TGZ.exe
Time | Type | Description |
---|---|---|
10:06:52 | API Interceptor | |
15:06:35 | Autostart | |
15:06:37 | Task Scheduler | |
15:06:48 | Autostart |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
C:\Users\user\AppData\Local\Temp\fsfj | Get hash | malicious | Remcos | Browse | ||
C:\Users\user\AppData\Local\Temp\iikbjmsy | Get hash | malicious | Remcos | Browse | ||
C:\Users\user\AppData\Local\Temp\mtdwpx | Get hash | malicious | Remcos | Browse |
Process: | C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1234044 |
Entropy (8bit): | 7.664473031882771 |
Encrypted: | false |
SSDEEP: | 24576:El943dyt0CxCz0E00hQ1JwJp/rFNe3hJc4ydIUTjciCvH4FpY:863dGMZ0cGwJpjFNe3hJc4yl9CgpY |
MD5: | EF58D0A24D5A6DC00BD694737B1B1311 |
SHA1: | EE4BCF3C7E33A2E12F8AAB667BA3084708E7669D |
SHA-256: | 46711314276A371E344EF069513E126BF7985DE21305C224E72F71C60C8157B1 |
SHA-512: | AA336264DE202255C97BA439CFFB7DA582E8B1914F61B02580F075695D41D2AFD8CB7002C221996BBEBF238448EB44ABC90C51234FC610A605A58FEB48E77458 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1234044 |
Entropy (8bit): | 7.664472828261511 |
Encrypted: | false |
SSDEEP: | 24576:kl943dyt0CxCz0E00hQ1JwJp/rFNe3hJc4ydIUTjciCvH4FpY:c63dGMZ0cGwJpjFNe3hJc4yl9CgpY |
MD5: | 6860961845BE2D1B60765FE94F123046 |
SHA1: | 2E558086BCDB79B2AAAEAB90300DDD6E7F5311C2 |
SHA-256: | 7A96978DF43E62D0890CA095F4318E7FAF8B934B26592A6A1D08C26137DD2869 |
SHA-512: | 8B01D57FEDF989B49EA86D3294F909F5E648D795E06AEE93D04F7C3DB8BA7B8ABDF6F92009A56C3EB236F372EA8636028F6DBA5F16466934C8468103A045C4C4 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1234044 |
Entropy (8bit): | 7.664472185998568 |
Encrypted: | false |
SSDEEP: | 24576:Jl943dyt0CxCz0E00hQ1JwJp/rFNe3hJc4ydIUTjciCvH4FpY:763dGMZ0cGwJpjFNe3hJc4yl9CgpY |
MD5: | 6DEFD53A2063A4A0C46249A25FC4FE15 |
SHA1: | E543AD180C96BCED734841B8E8BDDF1EECF9129A |
SHA-256: | 6C12E719FBBF7DA82D625130440DCC4C4AB4AA6B16D82ACC4E3618EEC6DB30E2 |
SHA-512: | 8D7244661BE6CBBC1E03E388AF35AD6CB721D49CD4ECEDA6F11BDC7FC25708E6400B7B47043CC622102686B2DB1F28EB4D2002B189984D8341783BB7F165F6F8 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 500224 |
Entropy (8bit): | 6.590620352205087 |
Encrypted: | false |
SSDEEP: | 6144:bTz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZ7AXpcrlT4h:bTlrYw1RUh3NFn+N5WfIQIjbs/Z79T4h |
MD5: | 6CA401F82443B673FCA7D7DDB0A05357 |
SHA1: | 82E54CBDCF4E12A72A32E52E0FD03C095485B841 |
SHA-256: | 7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F |
SHA-512: | A4FE6F7E935DC83D6F6C7CA5CF62AE97B2B2FFEC1E2E075CB436CEEECC2DBB27F515A8A0F6360176FE7AE4E273C413F1E922666A016C070B399DB253AA77614C |
Malicious: | true |
Yara Hits: |
Antivirus: |
Joe Sandbox View: |
Preview: |
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 500224 |
Entropy (8bit): | 6.590620352205087 |
Encrypted: | false |
SSDEEP: | 6144:bTz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZ7AXpcrlT4h:bTlrYw1RUh3NFn+N5WfIQIjbs/Z79T4h |
MD5: | 6CA401F82443B673FCA7D7DDB0A05357 |
SHA1: | 82E54CBDCF4E12A72A32E52E0FD03C095485B841 |
SHA-256: | 7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F |
SHA-512: | A4FE6F7E935DC83D6F6C7CA5CF62AE97B2B2FFEC1E2E075CB436CEEECC2DBB27F515A8A0F6360176FE7AE4E273C413F1E922666A016C070B399DB253AA77614C |
Malicious: | true |
Yara Hits: |
Antivirus: |
Joe Sandbox View: |
Preview: |
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 500224 |
Entropy (8bit): | 6.590620352205087 |
Encrypted: | false |
SSDEEP: | 6144:bTz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZ7AXpcrlT4h:bTlrYw1RUh3NFn+N5WfIQIjbs/Z79T4h |
MD5: | 6CA401F82443B673FCA7D7DDB0A05357 |
SHA1: | 82E54CBDCF4E12A72A32E52E0FD03C095485B841 |
SHA-256: | 7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F |
SHA-512: | A4FE6F7E935DC83D6F6C7CA5CF62AE97B2B2FFEC1E2E075CB436CEEECC2DBB27F515A8A0F6360176FE7AE4E273C413F1E922666A016C070B399DB253AA77614C |
Malicious: | true |
Yara Hits: |
Antivirus: |
Joe Sandbox View: |
Preview: |
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 887 |
Entropy (8bit): | 5.083089062214689 |
Encrypted: | false |
SSDEEP: | 12:84tYtsa4q2P4WCQ8dY//sp6OSL6/saZE2xQR5ze2jAnmrHgdc8JsrjBmV:8MYt6qCj8+s6OsC22xqVAm+nurjBm |
MD5: | B98004BE7156029147766B196D3DBE43 |
SHA1: | 19C76031B66F62FA78EBE8E804C435732E9D44BC |
SHA-256: | 80B8EAB030788EC3C55735D154802EDD4C1BCEACC9FEAA836B6F08FC36078E2A |
SHA-512: | 71D864ED03308C7AF8D7F6B2E99E181630D851B8ACBE23049E9A24B14146506B72966DA8590800D6A67DB355C976DFDAA44EC423F212B12CF3E7965192464F53 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\DZIPR.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 354304 |
Entropy (8bit): | 6.005348176071358 |
Encrypted: | false |
SSDEEP: | 6144:GBy1KULDZ+B55Lj5mCcBKyWm4IVFWyTBBa:x255L1mCcBKyWDsy |
MD5: | AD28D4167571382569D2384FFD7BD2A9 |
SHA1: | EFC7534BCB1645D4056702E073519F571D8DB77B |
SHA-256: | F919A8E63EC0F2F05AC01A6CAB4088C13FBF14A38B071CFA9F710C9E069462EB |
SHA-512: | 8F28867B46DD7A801CBF70D8D7FE5F2BFB8654A417C40BA264FAF81AF8BB1A28E1A1200FDC9828A4A4C6DF0A13817055290C16F9468D311B8D8049A2439348D9 |
Malicious: | true |
Preview: |
Process: | C:\Users\user\DZIPR.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8767704 |
Entropy (8bit): | 7.112848215947183 |
Encrypted: | false |
SSDEEP: | 196608:zoR6Nv4zX/hW/7vpqCv3wrwxd8Sr3a8i5ynKVrzzky9WD9rrBrIrrsSrCrbrCrr+:6SAzXQjkCv3wrwxd8Sr3a8i5ynKVrzzq |
MD5: | EC9CE1D67F98072281015C7726FBA245 |
SHA1: | E89B16265ACF4A251B527DDF22830F2650987263 |
SHA-256: | 9AB4145D5525AE741B80F4E66F505ABBA59ADCBE01868DFEF84FBE4450634CC1 |
SHA-512: | 21DB8F3AE325021589DE9C2489AB2CE6814722A17A92476A56147478AA9767CE5C4769169F287060CC08AD76019178BA547FCEF32074EF1AFB1926845E7158E1 |
Malicious: | true |
Yara Hits: |
Antivirus: |
Preview: |
Process: | C:\Users\user\DZIPR.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 975374 |
Entropy (8bit): | 7.888212877886324 |
Encrypted: | false |
SSDEEP: | 24576:uLAGNVG5bTGfhtqkZEgJUyAre0DnrDJLJ1IC:KTp/qkqIArtHJd1IC |
MD5: | 4649F3A4E58C6040B07F6D486C149A71 |
SHA1: | 64F8FC631C5FB4E5F6BC20C207047D8E2B500587 |
SHA-256: | 5D81CA77492946AA2CFE00349342DE8CCEB317D8649BEDBFD95992DCA885F184 |
SHA-512: | 4E1B229D30403B594E992FE0893E568161C8D901FE20461093D11159AB03B5DD410D1834BC64AC4CCC39D4F6B072946703F06EEB982D79B1C9A1B773B57013B7 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\DZIPR.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 72329 |
Entropy (8bit): | 4.4816230098296295 |
Encrypted: | false |
SSDEEP: | 1536:wwBU0cfQiZJyld+smk3i92UcmUTY4bBc/UVoVJnaDa:wAU0niZJMtXi9yx84Fc/UaJnaDa |
MD5: | F125E72B3968CA233EF3C7E2F4DB34E7 |
SHA1: | 4FB34044EF18CEDBD3EDE4272C44416D3F11735C |
SHA-256: | CED30560C6C0FC15CBDBDBC0D480DCA6B41CE3183057E43B419DD6814A33DB92 |
SHA-512: | B645D1EB685A69B9CA9BBDB1F4638AF8AE151DDFB9527C423F7779971246ED60F981CE26CE8AF2FC7B63164E7C13E9C6E98A7F148831A1E59318E60E5A39F881 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\epht1Y3TGZ.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 354304 |
Entropy (8bit): | 6.005348176071358 |
Encrypted: | false |
SSDEEP: | 6144:GBy1KULDZ+B55Lj5mCcBKyWm4IVFWyTBBa:x255L1mCcBKyWDsy |
MD5: | AD28D4167571382569D2384FFD7BD2A9 |
SHA1: | EFC7534BCB1645D4056702E073519F571D8DB77B |
SHA-256: | F919A8E63EC0F2F05AC01A6CAB4088C13FBF14A38B071CFA9F710C9E069462EB |
SHA-512: | 8F28867B46DD7A801CBF70D8D7FE5F2BFB8654A417C40BA264FAF81AF8BB1A28E1A1200FDC9828A4A4C6DF0A13817055290C16F9468D311B8D8049A2439348D9 |
Malicious: | true |
Preview: |
Process: | C:\Users\user\Desktop\epht1Y3TGZ.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8767704 |
Entropy (8bit): | 7.112848215947183 |
Encrypted: | false |
SSDEEP: | 196608:zoR6Nv4zX/hW/7vpqCv3wrwxd8Sr3a8i5ynKVrzzky9WD9rrBrIrrsSrCrbrCrr+:6SAzXQjkCv3wrwxd8Sr3a8i5ynKVrzzq |
MD5: | EC9CE1D67F98072281015C7726FBA245 |
SHA1: | E89B16265ACF4A251B527DDF22830F2650987263 |
SHA-256: | 9AB4145D5525AE741B80F4E66F505ABBA59ADCBE01868DFEF84FBE4450634CC1 |
SHA-512: | 21DB8F3AE325021589DE9C2489AB2CE6814722A17A92476A56147478AA9767CE5C4769169F287060CC08AD76019178BA547FCEF32074EF1AFB1926845E7158E1 |
Malicious: | true |
Yara Hits: |
Antivirus: |
Preview: |
Process: | C:\Users\user\Desktop\epht1Y3TGZ.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 975374 |
Entropy (8bit): | 7.888212877886324 |
Encrypted: | false |
SSDEEP: | 24576:uLAGNVG5bTGfhtqkZEgJUyAre0DnrDJLJ1IC:KTp/qkqIArtHJd1IC |
MD5: | 4649F3A4E58C6040B07F6D486C149A71 |
SHA1: | 64F8FC631C5FB4E5F6BC20C207047D8E2B500587 |
SHA-256: | 5D81CA77492946AA2CFE00349342DE8CCEB317D8649BEDBFD95992DCA885F184 |
SHA-512: | 4E1B229D30403B594E992FE0893E568161C8D901FE20461093D11159AB03B5DD410D1834BC64AC4CCC39D4F6B072946703F06EEB982D79B1C9A1B773B57013B7 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\epht1Y3TGZ.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 72329 |
Entropy (8bit): | 4.4816230098296295 |
Encrypted: | false |
SSDEEP: | 1536:wwBU0cfQiZJyld+smk3i92UcmUTY4bBc/UVoVJnaDa:wAU0niZJMtXi9yx84Fc/UaJnaDa |
MD5: | F125E72B3968CA233EF3C7E2F4DB34E7 |
SHA1: | 4FB34044EF18CEDBD3EDE4272C44416D3F11735C |
SHA-256: | CED30560C6C0FC15CBDBDBC0D480DCA6B41CE3183057E43B419DD6814A33DB92 |
SHA-512: | B645D1EB685A69B9CA9BBDB1F4638AF8AE151DDFB9527C423F7779971246ED60F981CE26CE8AF2FC7B63164E7C13E9C6E98A7F148831A1E59318E60E5A39F881 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 280 |
Entropy (8bit): | 3.5772984365087783 |
Encrypted: | false |
SSDEEP: | 6:PRZi8fcRKUEZglJPZOjzkjTtPjgsW2YRZuy0lbo8lZP1:PRcmcRKMJs0jzvYRQVs0Zt |
MD5: | D0F4475729B019BBFFDAA36502E5843E |
SHA1: | D9771DD87515EA0B8A3C332E8FB7162C69940CD3 |
SHA-256: | 09C1D502A1ABA5A0E4491661DD6B02C9C480BB847262F4164F7871DA58FC92A8 |
SHA-512: | 3920E4A4257F684E5BF16F16E049CBFBB0EFDFA53AABEB1286DEB899FD1AE2559B91A50BCA91803F5CBA3D5B67BFC40BB9956D45FCB6B7739FB83DA5E926D138 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 7.988259707956486 |
TrID: |
File name: | epht1Y3TGZ.exe |
File size: | 4'809'996 bytes |
MD5: | 25860926414bf43383246f7c773a8d6c |
SHA1: | 760390a4a14df085f4c841067f52c79409cdc93e |
SHA256: | a8e552944846a2f5e8fefea4a250046da29d74d1f58f7a868258e6ded9597958 |
SHA512: | 61825ef1b03f5516f2820faae3dad01911054debb714b2162fd28cdc7c26199eb6174eddb3e48a4b200c350a083a561a58bd2724496fcb71e87d4492e2ec5a07 |
SSDEEP: | 98304:+pbYDHaUeRG/GnYDievJRVrQo4QGB0s53+sTH7/93veWGLRHHk:+pbu9e+qYDiQf1hfGWsBVb/rGLhE |
TLSH: | 382633423350A0F6CAB8CAB36F2ED7D182B1E7B557112F4B418A1E272D536D6471B2CB |
File Content Preview: | MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...~.&L.....................................0....@..........................0.......3.......................................P............................. |
Icon Hash: | d292fcd8f2f2fe1c |
Entrypoint: | 0x411def |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | |
Time Stamp: | 0x4C26F87E [Sun Jun 27 07:06:38 2010 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | b5a014d7eeb4c2042897567e1288a095 |
Instruction |
---|
push ebp |
mov ebp, esp |
push FFFFFFFFh |
push 00414C50h |
push 00411F80h |
mov eax, dword ptr fs:[00000000h] |
push eax |
mov dword ptr fs:[00000000h], esp |
sub esp, 68h |
push ebx |
push esi |
push edi |
mov dword ptr [ebp-18h], esp |
xor ebx, ebx |
mov dword ptr [ebp-04h], ebx |
push 00000002h |
call dword ptr [00413184h] |
pop ecx |
or dword ptr [00419924h], FFFFFFFFh |
or dword ptr [00419928h], FFFFFFFFh |
call dword ptr [00413188h] |
mov ecx, dword ptr [0041791Ch] |
mov dword ptr [eax], ecx |
call dword ptr [0041318Ch] |
mov ecx, dword ptr [00417918h] |
mov dword ptr [eax], ecx |
mov eax, dword ptr [00413190h] |
mov eax, dword ptr [eax] |
mov dword ptr [00419920h], eax |
call 00007F994CC45702h |
cmp dword ptr [00417710h], ebx |
jne 00007F994CC455EEh |
push 00411F78h |
call dword ptr [00413194h] |
pop ecx |
call 00007F994CC456D4h |
push 00417048h |
push 00417044h |
call 00007F994CC456BFh |
mov eax, dword ptr [00417914h] |
mov dword ptr [ebp-6Ch], eax |
lea eax, dword ptr [ebp-6Ch] |
push eax |
push dword ptr [00417910h] |
lea eax, dword ptr [ebp-64h] |
push eax |
lea eax, dword ptr [ebp-70h] |
push eax |
lea eax, dword ptr [ebp-60h] |
push eax |
call dword ptr [0041319Ch] |
push 00417040h |
push 00417000h |
call 00007F994CC4568Ch |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x150dc | 0xb4 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1a000 | 0x18d04 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x13000 | 0x310 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x11317 | 0x11400 | 797279c5ab1a163aed1f2a528f9fe3ce | False | 0.6174988677536232 | data | 6.576987441854239 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x13000 | 0x30ea | 0x3200 | 1359639b02bcb8f0a8743e6ead1c0030 | False | 0.43828125 | data | 5.549434098115495 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x17000 | 0x292c | 0x800 | 9415c9c8dea3245d6d73c23393e27d8e | False | 0.431640625 | data | 3.6583182363171756 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x1a000 | 0x18d04 | 0x18e00 | 9dee09854e79aa987e5336a4defda540 | False | 0.2433358197236181 | data | 5.382874846103129 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x1a1f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Russian | Russia | 0.6781914893617021 |
RT_ICON | 0x1a658 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Russian | Russia | 0.47068480300187615 |
RT_ICON | 0x1b700 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Russian | Russia | 0.41161825726141077 |
RT_ICON | 0x1dca8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | Russian | Russia | 0.3213863958431743 |
RT_ICON | 0x21ed0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | Russian | Russia | 0.1865609842659411 |
RT_GROUP_ICON | 0x326f8 | 0x4c | data | Russian | Russia | 0.7763157894736842 |
RT_VERSION | 0x32744 | 0x350 | data | English | United States | 0.47523584905660377 |
RT_MANIFEST | 0x32a94 | 0x270 | ASCII text, with very long lines (624), with no line terminators | English | United States | 0.5144230769230769 |
DLL | Import |
---|---|
COMCTL32.dll | |
KERNEL32.dll | GetFileAttributesW, CreateDirectoryW, WriteFile, GetStdHandle, VirtualFree, GetModuleHandleW, GetProcAddress, LoadLibraryA, LockResource, LoadResource, SizeofResource, FindResourceExA, MulDiv, GlobalFree, GlobalAlloc, lstrcmpiA, GetSystemDefaultLCID, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, MultiByteToWideChar, GetLocaleInfoW, lstrlenA, lstrcmpiW, GetEnvironmentVariableW, lstrcmpW, GlobalMemoryStatusEx, VirtualAlloc, WideCharToMultiByte, ExpandEnvironmentStringsW, RemoveDirectoryW, FindClose, FindNextFileW, DeleteFileW, FindFirstFileW, SetThreadLocale, GetLocalTime, GetSystemTimeAsFileTime, lstrlenW, GetTempPathW, SetEnvironmentVariableW, CloseHandle, CreateFileW, GetDriveTypeW, SetCurrentDirectoryW, GetModuleFileNameW, GetCommandLineW, GetVersionExW, CreateEventW, SetEvent, ResetEvent, InitializeCriticalSection, TerminateThread, ResumeThread, SuspendThread, IsBadReadPtr, LocalFree, lstrcpyW, FormatMessageW, GetSystemDirectoryW, DeleteCriticalSection, GetFileSize, SetFilePointer, ReadFile, SetFileTime, SetEndOfFile, EnterCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, GetModuleHandleA, SystemTimeToFileTime, GetLastError, CreateThread, WaitForSingleObject, GetExitCodeThread, Sleep, SetLastError, SetFileAttributesW, GetDiskFreeSpaceExW, lstrcatW, ExitProcess, CompareFileTime, GetStartupInfoA |
USER32.dll | CharUpperW, EndDialog, DestroyWindow, KillTimer, ReleaseDC, DispatchMessageW, GetMessageW, SetTimer, CreateWindowExW, ScreenToClient, GetWindowRect, wsprintfW, GetParent, GetSystemMenu, EnableMenuItem, EnableWindow, MessageBeep, LoadIconW, LoadImageW, wvsprintfW, IsWindow, DefWindowProcW, CallWindowProcW, DrawIconEx, DialogBoxIndirectParamW, GetWindow, ClientToScreen, GetDC, DrawTextW, ShowWindow, SystemParametersInfoW, SetFocus, SetWindowLongW, GetSystemMetrics, GetClientRect, GetDlgItem, GetKeyState, MessageBoxA, wsprintfA, SetWindowTextW, GetSysColor, GetWindowTextLengthW, GetWindowTextW, GetClassNameA, GetWindowLongW, GetMenu, SetWindowPos, CopyImage, SendMessageW, GetWindowDC |
GDI32.dll | GetCurrentObject, StretchBlt, SetStretchBltMode, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, GetObjectW, GetDeviceCaps, DeleteObject, CreateFontIndirectW, DeleteDC |
SHELL32.dll | SHGetFileInfoW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetMalloc, ShellExecuteExW, SHGetSpecialFolderPathW, ShellExecuteW |
ole32.dll | CoInitialize, CreateStreamOnHGlobal, CoCreateInstance |
OLEAUT32.dll | VariantClear, OleLoadPicture, SysAllocString |
MSVCRT.dll | __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, _beginthreadex, _EH_prolog, memset, _wcsnicmp, strncmp, malloc, memmove, _wtol, memcpy, free, memcmp, _purecall, ??2@YAPAXI@Z, ??3@YAXPAX@Z, _except_handler3, _controlfp |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
Russian | Russia | |
English | United States |
Target ID: | 0 |
Start time: | 10:06:14 |
Start date: | 25/09/2024 |
Path: | C:\Users\user\Desktop\epht1Y3TGZ.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 4'809'996 bytes |
MD5 hash: | 25860926414BF43383246F7C773A8D6C |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 10:06:15 |
Start date: | 25/09/2024 |
Path: | C:\Users\user\DZIPR.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 8'767'704 bytes |
MD5 hash: | EC9CE1D67F98072281015C7726FBA245 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Antivirus matches: | |
Reputation: | low |
Has exited: | true |
Target ID: | 2 |
Start time: | 10:06:17 |
Start date: | 25/09/2024 |
Path: | C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 8'767'704 bytes |
MD5 hash: | EC9CE1D67F98072281015C7726FBA245 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Antivirus matches: | |
Reputation: | low |
Has exited: | true |
Target ID: | 3 |
Start time: | 10:06:18 |
Start date: | 25/09/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x240000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | high |
Has exited: | true |
Target ID: | 4 |
Start time: | 10:06:18 |
Start date: | 25/09/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 9 |
Start time: | 10:06:37 |
Start date: | 25/09/2024 |
Path: | C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 8'767'704 bytes |
MD5 hash: | EC9CE1D67F98072281015C7726FBA245 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 10 |
Start time: | 10:06:39 |
Start date: | 25/09/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x240000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | high |
Has exited: | true |
Target ID: | 11 |
Start time: | 10:06:39 |
Start date: | 25/09/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 12 |
Start time: | 10:06:45 |
Start date: | 25/09/2024 |
Path: | C:\Windows\SysWOW64\explorer.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1f0000 |
File size: | 4'514'184 bytes |
MD5 hash: | DD6597597673F72E10C9DE7901FBA0A8 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | moderate |
Has exited: | true |
Target ID: | 13 |
Start time: | 10:06:56 |
Start date: | 25/09/2024 |
Path: | C:\Windows\SysWOW64\explorer.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1f0000 |
File size: | 4'514'184 bytes |
MD5 hash: | DD6597597673F72E10C9DE7901FBA0A8 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | moderate |
Has exited: | true |
Target ID: | 14 |
Start time: | 10:06:57 |
Start date: | 25/09/2024 |
Path: | C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 8'767'704 bytes |
MD5 hash: | EC9CE1D67F98072281015C7726FBA245 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 15 |
Start time: | 10:06:57 |
Start date: | 25/09/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x240000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | high |
Has exited: | true |
Target ID: | 16 |
Start time: | 10:06:57 |
Start date: | 25/09/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 17 |
Start time: | 10:07:13 |
Start date: | 25/09/2024 |
Path: | C:\Windows\SysWOW64\explorer.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1f0000 |
File size: | 4'514'184 bytes |
MD5 hash: | DD6597597673F72E10C9DE7901FBA0A8 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | moderate |
Has exited: | true |
Execution Graph
Execution Coverage: | 17.4% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 25.9% |
Total number of Nodes: | 1473 |
Total number of Limit Nodes: | 20 |
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
00404FAA | 250.2 | 103 | 39 | 1671 | keyboard, synchronization, window, COMMON |
00401626 | 22.8 | 15 | | 304 | COMMON |
0040301A | 7.5 | 5 | | 45 | COMMON |
0040118A | 3.0 | 2 | | 42 | window, COMMON |
00401B37 | 14.0 | 7 | 1 | 47 | time, window, COMMON |
00410CD0 | 7.5 | 1 | 4 | 23 | COMMON, LIBRARYCODE |
00402844 | 6.4 | 5 | | 118 | string, COMMON |
0040150B | 6.1 | 4 | | 100 | synchronization, thread, COMMON |
00401986 | 6.0 | 4 | | 27 | COMMON |
0040ADC3 | 4.5 | 3 | | 35 | COMMON |
0040C9FC | 3.2 | 2 | | 184 | COMMON |
0040A62F | 3.1 | 2 | | 135 | COMMON |
0040112B | 3.0 | 2 | | 42 | COMMON |
004022B0 | 3.0 | 2 | | 34 | COMMON |
0040D9F0 | 3.0 | 2 | | 30 | COMMON |
0040ECED | 3.0 | 2 | | 24 | memory, COMMON |
0040E73A | 2.5 | 2 | | 34 | COMMON |
0040A7DE | 1.6 | 1 | | 74 | COMMON |
0040120B | 1.5 | 1 | | 28 | COMMON |
0040DA56 | 1.5 | 1 | | 23 | file, COMMON |
0040DB97 | 1.5 | 1 | | 22 | file, COMMON |
0040653F | 1.5 | 1 | | 19 | COMMON |
0040CC59 | 1.5 | 1 | | 18 | COMMON |
0040DADC | 1.5 | 1 | | 18 | file, COMMON |
0040DB6A | 1.5 | 1 | | 9 | time, COMMON |
0040D89F | 1.3 | 1 | | 70 | COMMON |
0040F42D | 1.3 | 1 | | 25 | COMMON |
00402F6C | 1.3 | 1 | | 17 | COMMON |
0040D985 | 1.3 | 1 | | 16 | COMMON |
004024C4 | 1.3 | 1 | | 12 | memory, COMMON |
00401B1F | 1.3 | 1 | | 5 | COMMON |
0040F3FC | 1.3 | 1 | | 4 | COMMON |
004034C1 | 37.0 | 20 | 1 | 290 | com, COMMON |
00401F9D | 33.4 | 16 | 3 | 150 | string, COMMON |
00401BDF | 26.3 | 11 | 4 | 85 | library, loader, COMMON |
00406D5D | 12.3 | 4 | 3 | 39 | library, loader, COMMON |
0041022D | .5 | | | 501 | COMMON |
0041206B | .1 | | | 70 | COMMON |
00411F91 | .1 | | | 70 | COMMON |
0040D72E | .0 | | | 28 | COMMON |
00404AFF | 36.9 | 14 | 7 | 144 | file, COMMON |
00404603 | 35.2 | 3 | 17 | 207 | string, COMMON |
00402DC0 | 35.1 | 16 | 4 | 123 | window, library, string, COMMON |
00401DF3 | 28.1 | 14 | 2 | 120 | window, com, memory, COMMON |
00403093 | 26.5 | 10 | 5 | 244 | string, COMMON |
00406A47 | 24.3 | 16 | | 270 | COMMON |
0040677A | 13.5 | 9 | | 47 | window, COMMON |
00406DB2 | 12.1 | 8 | | 69 | COMMON |
0040695E | 12.1 | 8 | | 68 | COMMON |
00407B33 | 10.6 | 5 | 1 | 102 | window, COMMON |
0040408B | 10.6 | 5 | 1 | 96 | string, COMMON |
0040755F | 10.6 | 7 | | 63 | time, thread, injection, COMMON |
00401000 | 8.8 | 4 | 1 | 44 | string, COMMON |
004021ED | 7.0 | 2 | 2 | 39 | library, loader, COMMON |
00402185 | 7.0 | 2 | 2 | 13 | library, loader, COMMON |
004021B9 | 7.0 | 2 | 2 | 12 | library, loader, COMMON |
00402A69 | 6.1 | 4 | | 101 | COMMON |
00403F85 | 6.1 | 4 | | 66 | COMMON |
00401A85 | 6.1 | 4 | | 65 | COMMON |
00407FA5 | 6.1 | 4 | | 57 | COMMON |
004067ED | 6.1 | 4 | | 56 | COMMON |
0040748A | 6.1 | 4 | | 55 | COMMON |
004027C7 | 6.1 | 4 | | 53 | COMMON |
00403AB1 | 6.0 | 4 | | 41 | COMMON |
0040702A | 6.0 | 4 | | 34 | window, COMMON |
00401BA3 | 6.0 | 4 | | 28 | COMMON |
Execution Graph
Execution Coverage: | 2.9% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 1.6% |
Total number of Nodes: | 1730 |
Total number of Limit Nodes: | 25 |
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
6CC85CA0 | 3.4 | 2 | | 353 | COMMON |
6CC85E70 | 1.5 | 1 | | 248 | memory, COMMON |
6CC8BC4E | 16.6 | 11 | | 106 | memory, COMMON, LIBRARYCODE |
6CC86750 | 1.6 | 1 | | 109 | file, COMMON |
6CC862D0 | 1.6 | 1 | | 97 | file, COMMON |
6CC860F0 | 1.5 | 1 | | 33 | file, COMMON |
6CC9A6F4 | 1.5 | 1 | | 20 | memory, COMMON, LIBRARYCODE |
6CC889B5 | 7.1 | 3 | 1 | 73 | library, COMMON |
6CC8DE29 | 4.5 | 3 | | 38 | COMMON |
6CC85D78 | .1 | | | 83 | COMMON |
6CC88BDF | 31.7 | 14 | 4 | 159 | library, loader, COMMON |
6CC8DCCE | 29.8 | 8 | 9 | 82 | library, loader, COMMON |
6CC8FBD6 | 24.7 | 13 | 1 | 175 | window, COMMON |
6CC9A11F | 19.3 | 8 | 3 | 57 | library, loader, COMMON, LIBRARYCODE |
6CC884DA | 17.6 | 5 | 5 | 60 | library, loader, COMMON |
6CC8A59C | 17.5 | 5 | 5 | 28 | library, loader, COMMON |
6CC81C00 | 13.7 | 9 | | 159 | file, COMMON |
6CC8BE0D | 13.6 | 9 | | 96 | memory, COMMON, LIBRARYCODE |
6CC881FA | 12.4 | 6 | 1 | 117 | thread, window, COMMON |
6CC8CD66 | 12.0 | 8 | | 39 | COMMON |
6CC9020C | 10.6 | 5 | 1 | 104 | window, COMMON |
6CC8A200 | 10.6 | 5 | 1 | 101 | registry, COMMON |
6CC8A082 | 10.6 | 5 | 1 | 86 | registry, COMMON |
6CC8D07E | 10.6 | 5 | 1 | 66 | registry, COMMON |
6CC8BEAE | 10.6 | 7 | | 51 | memory, COMMON |
6CC8CA77 | 10.5 | 4 | 2 | 44 | library, loader, COMMON |
6CC8CD20 | 10.5 | 7 | | 30 | COMMON |
6CC8815A | 9.1 | 6 | | 69 | COMMON |
6CC8DB5C | 9.0 | 6 | | 46 | COMMON |
6CC896DA | 8.8 | 4 | 1 | 94 | window, COMMON |
6CC85670 | 7.6 | 5 | | 77 | string, COMMON |
6CC8DA11 | 7.6 | 5 | | 55 | string, COMMON |
6CC94618 | 7.5 | 5 | | 44 | memory, COMMON, LIBRARYCODE |
6CC9140F | 7.0 | 2 | 2 | 43 | library, loader, COMMON |
6CC9C7C3 | 7.0 | 3 | 1 | 42 | COMMON, LIBRARYCODE |
6CC9ED77 | 7.0 | 2 | 2 | 38 | library, loader, COMMON, LIBRARYCODE |
6CC87D71 | 6.1 | 4 | | 131 | time, COMMON |
6CC88EC9 | 6.1 | 4 | | 57 | thread, COMMON |
6CC91D07 | 6.1 | 4 | | 56 | window, COMMON |
6CC86A83 | 6.1 | 4 | | 56 | window, COMMON |
6CC87287 | 6.1 | 4 | | 52 | COMMON |
6CC90F8D | 6.0 | 4 | | 50 | COMMON |
6CC903CF | 6.0 | 4 | | 49 | COMMON |
6CC9C53C | 5.3 | 2 | 1 | 37 | COMMON, LIBRARYCODE |
Execution Graph
Execution Coverage: | 3% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 0% |
Total number of Nodes: | 1679 |
Total number of Limit Nodes: | 23 |
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
6C895CA0 | 3.4 | 2 | | 353 | COMMON |
6C895E70 | 1.5 | 1 | | 248 | memory, COMMON |
6C89BC4E | 16.6 | 11 | | 106 | memory, COMMON, LIBRARYCODE |
6C896750 | 1.6 | 1 | | 109 | file, COMMON |
6C8962D0 | 1.6 | 1 | | 97 | file, COMMON |
6C8960F0 | 1.5 | 1 | | 33 | file, COMMON |
6C8AA6F4 | 1.5 | 1 | | 20 | memory, COMMON, LIBRARYCODE |
6C8989B5 | 7.1 | 3 | 1 | 73 | library, COMMON |
6C898BDF | 31.7 | 14 | 4 | 159 | library, loader, COMMON |
6C89DCCE | 29.8 | 8 | 9 | 82 | library, loader, COMMON |
6C89FBD6 | 22.9 | 12 | 1 | 175 | window, COMMON |
6C8AA11F | 19.3 | 8 | 3 | 57 | library, loader, COMMON, LIBRARYCODE |
6C8984DA | 17.6 | 5 | 5 | 60 | library, loader, COMMON |
6C89A59C | 17.5 | 5 | 5 | 28 | library, loader, COMMON |
6C891C00 | 13.7 | 9 | | 159 | file, COMMON |
6C89BE0D | 13.6 | 9 | | 96 | memory, COMMON, LIBRARYCODE |
6C8981FA | 12.4 | 6 | 1 | 117 | thread, window, COMMON |
6C89A200 | 10.6 | 5 | 1 | 101 | registry, COMMON |
6C89A082 | 10.6 | 5 | 1 | 86 | registry, COMMON |
6C89D07E | 10.6 | 5 | 1 | 66 | registry, COMMON |
6C89BEAE | 10.6 | 7 | | 51 | memory, COMMON |
6C89CA77 | 10.5 | 4 | 2 | 44 | library, loader, COMMON |
6C89CD20 | 10.5 | 7 | | 30 | COMMON |
6C895670 | 7.6 | 5 | | 77 | string, COMMON |
6C89815A | 7.6 | 5 | | 69 | COMMON |
6C89DA11 | 7.6 | 5 | | 55 | string, COMMON |
6C89DB5C | 7.5 | 5 | | 46 | COMMON |
6C8A4618 | 7.5 | 5 | | 44 | memory, COMMON, LIBRARYCODE |
6C8996DA | 7.1 | 3 | 1 | 94 | window, COMMON |
6C8A140F | 7.0 | 2 | 2 | 43 | library, loader, COMMON |
6C8AC7C3 | 7.0 | 3 | 1 | 42 | COMMON, LIBRARYCODE |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C8AED77 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C897D71 Relevance: 6.1, APIs: 4, Instructions: 131timeCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C898EC9 Relevance: 6.1, APIs: 4, Instructions: 57threadCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C8A1D07 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C896A83 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C897287 Relevance: 6.1, APIs: 4, Instructions: 52COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C8A0F8D Relevance: 6.0, APIs: 4, Instructions: 50COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C8A03CF Relevance: 6.0, APIs: 4, Instructions: 49COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C89CD66 Relevance: 6.0, APIs: 4, Instructions: 39COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C8A020C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104windowCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6C8AC53C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F895CA0 Relevance: 3.4, APIs: 2, Instructions: 353COMMON
Control-flow Graph
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F895E70 Relevance: 1.5, APIs: 1, Instructions: 248memoryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F89BC4E Relevance: 16.6, APIs: 11, Instructions: 106memoryCOMMONLIBRARYCODE
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F896750 Relevance: 1.6, APIs: 1, Instructions: 109fileCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F8962D0 Relevance: 1.6, APIs: 1, Instructions: 97fileCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F8960F0 Relevance: 1.5, APIs: 1, Instructions: 33fileCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F8AA6F4 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMONLIBRARYCODE
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F8989B5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73libraryCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F89E5F6 Relevance: 3.0, APIs: 2, Instructions: 28nativeCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F8A0D95 Relevance: 1.5, APIs: 1, Instructions: 31COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F898BDF Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 159libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F89DCCE Relevance: 29.8, APIs: 8, Strings: 9, Instructions: 82libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F89FBD6 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 175windowCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F8AA11F Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57libraryloaderCOMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F8984DA Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 60libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F89A59C Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 28libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F891C00 Relevance: 13.7, APIs: 9, Instructions: 159fileCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F89BE0D Relevance: 13.6, APIs: 9, Instructions: 96memoryCOMMONLIBRARYCODE
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F8981FA Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117threadwindowCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F89CD66 Relevance: 12.0, APIs: 8, Instructions: 39COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F8A020C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104windowCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F89A200 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101registryCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F89A082 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 86registryCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F89D07E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66registryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F89BEAE Relevance: 10.6, APIs: 7, Instructions: 51memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F89CA77 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F89CD20 Relevance: 10.5, APIs: 7, Instructions: 30COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F89815A Relevance: 9.1, APIs: 6, Instructions: 69COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F89DB5C Relevance: 9.0, APIs: 6, Instructions: 46COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F8996DA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94windowCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F895670 Relevance: 7.6, APIs: 5, Instructions: 77stringCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F89DA11 Relevance: 7.6, APIs: 5, Instructions: 55stringCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F8A4618 Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F8A140F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F8AC7C3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F8AED77 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F897D71 Relevance: 6.1, APIs: 4, Instructions: 131timeCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F898EC9 Relevance: 6.1, APIs: 4, Instructions: 57threadCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F8A1D07 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F896A83 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F897287 Relevance: 6.1, APIs: 4, Instructions: 52COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F8A0F8D Relevance: 6.0, APIs: 4, Instructions: 50COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F8A03CF Relevance: 6.0, APIs: 4, Instructions: 49COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6F8AC53C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|