Edit tour
Windows
Analysis Report
calc.exe
Overview
General Information
| Sample name: | calc.exe |
| Analysis ID: | 1523638 |
| MD5: | 2f9fdad776d8626f2ce8625211831e91 |
| SHA1: | 21d8413eb0d60b36fc249f8025c277b557fefde3 |
| SHA256: | 9b66a8ea0f1c64965b06e7a45afbe56f2d4e6d5ef65f32446defccbebe730813 |
| Infos: |  |
 | |
Detection
| Score: | 60 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Adds a new user with administrator rights
Machine Learning detection for sample
Sigma detected: Suspicious Calculator Usage
Sigma detected: Suspicious Process Parents
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Add User to Local Administrators Group
Sigma detected: New User Created Via Net.EXE
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
calc.exe (PID: 7856 cmdline: "C:\Users\ user\Deskt op\calc.ex e" MD5: 2F9FDAD776D8626F2CE8625211831E91) 
wscript.exe (PID: 7948 cmdline: "C:\Window s\System32 \wscript.e xe" gszpj8 rp81.jse MD5: FF00E0480075B095948000BDC66E81F0) 
net.exe (PID: 7996 cmdline: "C:\Window s\System32 \net.exe" user Local Administra tor /add MD5: 31890A7DE89936F922D44D677F681A7F) 
conhost.exe (PID: 8008 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - net1.exe (PID: 8084 cmdline:
C:\Windows \system32\ net1 user LocalAdmin istrator / add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1) - net.exe (PID: 8024 cmdline:
"C:\Window s\System32 \net.exe" localgroup administr ators Loca lAdministr ator /add MD5: 31890A7DE89936F922D44D677F681A7F) - conhost.exe (PID: 8040 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - net1.exe (PID: 8120 cmdline:
C:\Windows \system32\ net1 local group admi nistrators LocalAdmi nistrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1) - calc.exe (PID: 8056 cmdline:
"C:\Users\ user\Deskt op\calc.ex e" MD5: 2F9FDAD776D8626F2CE8625211831E91) - wscript.exe (PID: 8184 cmdline:
"C:\Window s\System32 \wscript.e xe" 10a1DJ wqnr.jse MD5: FF00E0480075B095948000BDC66E81F0) - net.exe (PID: 7284 cmdline:
"C:\Window s\System32 \net.exe" user Local Administra tor /add MD5: 31890A7DE89936F922D44D677F681A7F) - conhost.exe (PID: 7300 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - net1.exe (PID: 7540 cmdline:
C:\Windows \system32\ net1 user LocalAdmin istrator / add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1) - net.exe (PID: 7352 cmdline:
"C:\Window s\System32 \net.exe" localgroup administr ators Loca lAdministr ator /add MD5: 31890A7DE89936F922D44D677F681A7F) - conhost.exe (PID: 7448 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - net1.exe (PID: 756 cmdline:
C:\Windows \system32\ net1 local group admi nistrators LocalAdmi nistrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1) - calc.exe (PID: 7516 cmdline:
"C:\Users\ user\Deskt op\calc.ex e" MD5: 2F9FDAD776D8626F2CE8625211831E91) - wscript.exe (PID: 1196 cmdline:
"C:\Window s\System32 \wscript.e xe" Kiql0e mrm5.jse MD5: FF00E0480075B095948000BDC66E81F0) - net.exe (PID: 6848 cmdline:
"C:\Window s\System32 \net.exe" user Local Administra tor /add MD5: 31890A7DE89936F922D44D677F681A7F) - conhost.exe (PID: 3500 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - net1.exe (PID: 4540 cmdline:
C:\Windows \system32\ net1 user LocalAdmin istrator / add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1) - net.exe (PID: 3504 cmdline:
"C:\Window s\System32 \net.exe" localgroup administr ators Loca lAdministr ator /add MD5: 31890A7DE89936F922D44D677F681A7F) - conhost.exe (PID: 4472 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - net1.exe (PID: 6872 cmdline:
C:\Windows \system32\ net1 local group admi nistrators LocalAdmi nistrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1) - calc.exe (PID: 6960 cmdline:
"C:\Users\ user\Deskt op\calc.ex e" MD5: 2F9FDAD776D8626F2CE8625211831E91) - wscript.exe (PID: 2548 cmdline:
"C:\Window s\System32 \wscript.e xe" mdWett qHRh.jse MD5: FF00E0480075B095948000BDC66E81F0) - net.exe (PID: 5464 cmdline:
"C:\Window s\System32 \net.exe" user Local Administra tor /add MD5: 31890A7DE89936F922D44D677F681A7F) - conhost.exe (PID: 312 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - net1.exe (PID: 1308 cmdline:
C:\Windows \system32\ net1 user LocalAdmin istrator / add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1) - net.exe (PID: 3636 cmdline:
"C:\Window s\System32 \net.exe" localgroup administr ators Loca lAdministr ator /add MD5: 31890A7DE89936F922D44D677F681A7F) - conhost.exe (PID: 1736 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - net1.exe (PID: 2060 cmdline:
C:\Windows \system32\ net1 local group admi nistrators LocalAdmi nistrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1) - calc.exe (PID: 2168 cmdline:
"C:\Users\ user\Deskt op\calc.ex e" MD5: 2F9FDAD776D8626F2CE8625211831E91) - wscript.exe (PID: 3872 cmdline:
"C:\Window s\System32 \wscript.e xe" KobIIT Timt.jse MD5: FF00E0480075B095948000BDC66E81F0) - net.exe (PID: 7776 cmdline:
"C:\Window s\System32 \net.exe" user Local Administra tor /add MD5: 31890A7DE89936F922D44D677F681A7F) - conhost.exe (PID: 2464 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - net1.exe (PID: 2940 cmdline:
C:\Windows \system32\ net1 user LocalAdmin istrator / add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1) - net.exe (PID: 2340 cmdline:
"C:\Window s\System32 \net.exe" localgroup administr ators Loca lAdministr ator /add MD5: 31890A7DE89936F922D44D677F681A7F) - conhost.exe (PID: 2772 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - net1.exe (PID: 3404 cmdline:
C:\Windows \system32\ net1 local group admi nistrators LocalAdmi nistrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1) - calc.exe (PID: 3272 cmdline:
"C:\Users\ user\Deskt op\calc.ex e" MD5: 2F9FDAD776D8626F2CE8625211831E91) - wscript.exe (PID: 7864 cmdline:
"C:\Window s\System32 \wscript.e xe" dLMJwK QlPv.jse MD5: FF00E0480075B095948000BDC66E81F0) - net.exe (PID: 8044 cmdline:
"C:\Window s\System32 \net.exe" user Local Administra tor /add MD5: 31890A7DE89936F922D44D677F681A7F) - conhost.exe (PID: 7964 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - net1.exe (PID: 8032 cmdline:
C:\Windows \system32\ net1 user LocalAdmin istrator / add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1) - net.exe (PID: 8112 cmdline:
"C:\Window s\System32 \net.exe" localgroup administr ators Loca lAdministr ator /add MD5: 31890A7DE89936F922D44D677F681A7F) - conhost.exe (PID: 8148 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - net1.exe (PID: 7984 cmdline:
C:\Windows \system32\ net1 local group admi nistrators LocalAdmi nistrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1) - calc.exe (PID: 8028 cmdline:
"C:\Users\ user\Deskt op\calc.ex e" MD5: 2F9FDAD776D8626F2CE8625211831E91) - wscript.exe (PID: 8156 cmdline:
"C:\Window s\System32 \wscript.e xe" aw1HUl 4bYu.jse MD5: FF00E0480075B095948000BDC66E81F0) - net.exe (PID: 8160 cmdline:
"C:\Window s\System32 \net.exe" user Local Administra tor /add MD5: 31890A7DE89936F922D44D677F681A7F) - conhost.exe (PID: 8176 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
⊘No configs have been found
⊘No yara matches
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: Endgame, JHasenbusch (adapted to Sigma for oscd.community): | ||
| Source: | Author: Michael Haag: | ||
| Source: | Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): | ||
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Joe Sandbox ML: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00425639 | |
| Source: | Code function: | 0_2_004230D5 | |
| Source: | Code function: | 0_2_0041510D | |
| Source: | Code function: | 0_2_0042320D | |
| Source: | Code function: | 0_2_00426292 | |
| Source: | Code function: | 0_2_00425838 | |
| Source: | Code function: | 0_2_00422C4D | |
| Source: | Code function: | 0_2_00414E16 | |
| Source: | Code function: | 0_2_00414FFA | |
| Source: | Code function: | 7_2_00425639 | |
| Source: | Code function: | 7_2_004230D5 | |
| Source: | Code function: | 7_2_0041510D | |
| Source: | Code function: | 7_2_0042320D | |
| Source: | Code function: | 7_2_00426292 | |
| Source: | Code function: | 7_2_00425838 | |
| Source: | Code function: | 7_2_00422C4D | |
| Source: | Code function: | 7_2_00414E16 | |
| Source: | Code function: | 7_2_00414FFA | |
| Source: | Code function: | 0_2_0042A322 | |
| Source: | Code function: | 0_2_0042A4F2 | |
| Source: | Code function: | 7_2_0042A4F2 | |
| Source: | Code function: | 0_2_0042A322 | |
| Source: | Code function: | 0_2_0041111C | |
| Source: | Code function: | 0_2_004045EC | |
| Source: | Code function: | 7_2_004045EC | |
System Summary | |
|---|
| Source: | COM Object queried: | Jump to behavior | ||
| Source: | Code function: | 7_2_0040165B | |
| Source: | Code function: | 7_2_0040D33A | |
| Source: | Code function: | 0_2_00424856 | |
| Source: | Code function: | 0_2_00415C2E | |
| Source: | Code function: | 7_2_00415C2E | |
| Source: | Code function: | 0_2_0043244B | |
| Source: | Code function: | 0_2_004422B6 | |
| Source: | Code function: | 0_2_00444317 | |
| Source: | Code function: | 0_2_0043A442 | |
| Source: | Code function: | 0_2_0043E46A | |
| Source: | Code function: | 0_2_004045EC | |
| Source: | Code function: | 0_2_0044E616 | |
| Source: | Code function: | 0_2_00448776 | |
| Source: | Code function: | 0_2_0044D7D4 | |
| Source: | Code function: | 0_2_00456824 | |
| Source: | Code function: | 0_2_00441961 | |
| Source: | Code function: | 0_2_00442AF9 | |
| Source: | Code function: | 0_2_00420D89 | |
| Source: | Code function: | 0_2_00421E0D | |
| Source: | Code function: | 0_2_00450F74 | |
| Source: | Code function: | 7_2_0043244B | |
| Source: | Code function: | 7_2_004422B6 | |
| Source: | Code function: | 7_2_00444317 | |
| Source: | Code function: | 7_2_0043A442 | |
| Source: | Code function: | 7_2_0043E46A | |
| Source: | Code function: | 7_2_004045EC | |
| Source: | Code function: | 7_2_0044E616 | |
| Source: | Code function: | 7_2_00448776 | |
| Source: | Code function: | 7_2_0044D7D4 | |
| Source: | Code function: | 7_2_00456824 | |
| Source: | Code function: | 7_2_00441961 | |
| Source: | Code function: | 7_2_00442AF9 | |
| Source: | Code function: | 7_2_00420D89 | |
| Source: | Code function: | 7_2_00421E0D | |
| Source: | Code function: | 7_2_00450F74 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_0041FE6D | |
| Source: | Code function: | 0_2_00415C2E | |
| Source: | Code function: | 7_2_00415C2E | |
| Source: | Code function: | 0_2_004240D8 | |
| Source: | Code function: | 0_2_00430DCB | |
| Source: | Code function: | 0_2_0041605B | |
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Window detected: | ||
| Source: | Code function: | 0_2_00439814 | |
| Source: | Code function: | 0_2_0044C084 | |
| Source: | Code function: | 0_2_0044C0AC | |
| Source: | Code function: | 0_2_00459692 | |
| Source: | Code function: | 0_2_0044D7D3 | |
| Source: | Code function: | 7_2_0044C084 | |
| Source: | Code function: | 7_2_0044C0AC | |
| Source: | Code function: | 7_2_00459692 | |
| Source: | Code function: | 7_2_0044D7D3 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
Persistence and Installation Behavior | |
|---|
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Code function: | 0_2_00412196 | |
| Source: | Code function: | 0_2_00440FF0 | |
| Source: | Code function: | 7_2_00412196 | |
| Source: | Code function: | 7_2_00440FF0 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Window found: | Jump to behavior | ||
| Source: | Window found: | Jump to behavior | ||
| Source: | Window found: | Jump to behavior | ||
| Source: | Window found: | |||
| Source: | Window found: | |||
| Source: | Window found: | |||
| Source: | Window found: | |||
| Source: | Evasive API call chain: | graph_0-51143 | ||
| Source: | API coverage: | ||
| Source: | API coverage: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Code function: | 0_2_00425639 | |
| Source: | Code function: | 0_2_004230D5 | |
| Source: | Code function: | 0_2_0041510D | |
| Source: | Code function: | 0_2_0042320D | |
| Source: | Code function: | 0_2_00426292 | |
| Source: | Code function: | 0_2_00425838 | |
| Source: | Code function: | 0_2_00422C4D | |
| Source: | Code function: | 0_2_00414E16 | |
| Source: | Code function: | 0_2_00414FFA | |
| Source: | Code function: | 7_2_00425639 | |
| Source: | Code function: | 7_2_004230D5 | |
| Source: | Code function: | 7_2_0041510D | |
| Source: | Code function: | 7_2_0042320D | |
| Source: | Code function: | 7_2_00426292 | |
| Source: | Code function: | 7_2_00425838 | |
| Source: | Code function: | 7_2_00422C4D | |
| Source: | Code function: | 7_2_00414E16 | |
| Source: | Code function: | 7_2_00414FFA | |
| Source: | Code function: | 0_2_0040EA76 | |
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_00439814 | |
| Source: | Code function: | 0_2_0040109D | |
| Source: | Code function: | 0_2_00412196 | |
| Source: | Code function: | 0_2_00415D53 | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_004558FF | |
| Source: | Code function: | 7_2_004558FF | |
| Source: | Code function: | 0_2_00454555 | |
| Source: | Code function: | 0_2_0043738E | |
| Source: | Code function: | 0_2_004527E8 | |
| Source: | Code function: | 0_2_0040EA76 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_0042F3BC | |
| Source: | Code function: | 0_2_0042F9C7 | |
| Source: | Code function: | 0_2_00430B6B | |
| Source: | Code function: | 7_2_0042F3BC | |
| Source: | Code function: | 7_2_0042F9C7 | |
| Source: | Code function: | 7_2_00430B6B | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | 1 Scripting | Valid Accounts | 2 Command and Scripting Interpreter | 1 Create Account | 1 Exploitation for Privilege Escalation | 1 Masquerading | 21 Input Capture | 2 System Time Discovery | Remote Services | 21 Input Capture | 1 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | 2 Native API | 1 Scripting | 1 Access Token Manipulation | 1 Access Token Manipulation | LSASS Memory | 1 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 12 Process Injection | 12 Process Injection | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 21 Obfuscated Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Software Packing | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | 2 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 16 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1523638 |
| Start date and time: | 2024-10-01 21:44:35 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 6m 24s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 53 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | calc.exe |
| Detection: | MAL |
| Classification: | mal60.winEXE@93/7@0/0 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe
- Excluded IPs from analysis (whitelisted): 52.165.165.26
- Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, sls.update.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size exceeded maximum capacity and may have missing disassembly code.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: calc.exe
⊘No simulations
| Process: | C:\Users\user\Desktop\calc.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 905 |
| Entropy (8bit): | 6.202615493257142 |
| Encrypted: | false |
| SSDEEP: | 24:GPGG/rOmDyEA/lgQhs9O/E0+JSaywxBv/7DiNVkvzksm5qWdB:GPGuKmDBylgQ69OsZd1/CNavVWb |
| MD5: | B4EB7F28555DDA63F591A950F2DB89D1 |
| SHA1: | 92BA2174422096A09CE506C041165564360ACCC3 |
| SHA-256: | 00C9F54DC4DEEC12DB8BA086EC347D03F978E46222D9C5EC5C6240F7AC171C5C |
| SHA-512: | 3268DE3032832A54E3251589B6D41FF43F3181E7FBC5DE6D466EA45C6DB0C8BBA6704F87954B4E28A9273067EBE20066169FF70F896A236A3F786291FB660D24 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\calc.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 905 |
| Entropy (8bit): | 6.202615493257142 |
| Encrypted: | false |
| SSDEEP: | 24:GPGG/rOmDyEA/lgQhs9O/E0+JSaywxBv/7DiNVkvzksm5qWdB:GPGuKmDBylgQ69OsZd1/CNavVWb |
| MD5: | B4EB7F28555DDA63F591A950F2DB89D1 |
| SHA1: | 92BA2174422096A09CE506C041165564360ACCC3 |
| SHA-256: | 00C9F54DC4DEEC12DB8BA086EC347D03F978E46222D9C5EC5C6240F7AC171C5C |
| SHA-512: | 3268DE3032832A54E3251589B6D41FF43F3181E7FBC5DE6D466EA45C6DB0C8BBA6704F87954B4E28A9273067EBE20066169FF70F896A236A3F786291FB660D24 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\calc.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 905 |
| Entropy (8bit): | 6.202615493257142 |
| Encrypted: | false |
| SSDEEP: | 24:GPGG/rOmDyEA/lgQhs9O/E0+JSaywxBv/7DiNVkvzksm5qWdB:GPGuKmDBylgQ69OsZd1/CNavVWb |
| MD5: | B4EB7F28555DDA63F591A950F2DB89D1 |
| SHA1: | 92BA2174422096A09CE506C041165564360ACCC3 |
| SHA-256: | 00C9F54DC4DEEC12DB8BA086EC347D03F978E46222D9C5EC5C6240F7AC171C5C |
| SHA-512: | 3268DE3032832A54E3251589B6D41FF43F3181E7FBC5DE6D466EA45C6DB0C8BBA6704F87954B4E28A9273067EBE20066169FF70F896A236A3F786291FB660D24 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\calc.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 905 |
| Entropy (8bit): | 6.202615493257142 |
| Encrypted: | false |
| SSDEEP: | 24:GPGG/rOmDyEA/lgQhs9O/E0+JSaywxBv/7DiNVkvzksm5qWdB:GPGuKmDBylgQ69OsZd1/CNavVWb |
| MD5: | B4EB7F28555DDA63F591A950F2DB89D1 |
| SHA1: | 92BA2174422096A09CE506C041165564360ACCC3 |
| SHA-256: | 00C9F54DC4DEEC12DB8BA086EC347D03F978E46222D9C5EC5C6240F7AC171C5C |
| SHA-512: | 3268DE3032832A54E3251589B6D41FF43F3181E7FBC5DE6D466EA45C6DB0C8BBA6704F87954B4E28A9273067EBE20066169FF70F896A236A3F786291FB660D24 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\calc.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 905 |
| Entropy (8bit): | 6.202615493257142 |
| Encrypted: | false |
| SSDEEP: | 24:GPGG/rOmDyEA/lgQhs9O/E0+JSaywxBv/7DiNVkvzksm5qWdB:GPGuKmDBylgQ69OsZd1/CNavVWb |
| MD5: | B4EB7F28555DDA63F591A950F2DB89D1 |
| SHA1: | 92BA2174422096A09CE506C041165564360ACCC3 |
| SHA-256: | 00C9F54DC4DEEC12DB8BA086EC347D03F978E46222D9C5EC5C6240F7AC171C5C |
| SHA-512: | 3268DE3032832A54E3251589B6D41FF43F3181E7FBC5DE6D466EA45C6DB0C8BBA6704F87954B4E28A9273067EBE20066169FF70F896A236A3F786291FB660D24 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\calc.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 905 |
| Entropy (8bit): | 6.202615493257142 |
| Encrypted: | false |
| SSDEEP: | 24:GPGG/rOmDyEA/lgQhs9O/E0+JSaywxBv/7DiNVkvzksm5qWdB:GPGuKmDBylgQ69OsZd1/CNavVWb |
| MD5: | B4EB7F28555DDA63F591A950F2DB89D1 |
| SHA1: | 92BA2174422096A09CE506C041165564360ACCC3 |
| SHA-256: | 00C9F54DC4DEEC12DB8BA086EC347D03F978E46222D9C5EC5C6240F7AC171C5C |
| SHA-512: | 3268DE3032832A54E3251589B6D41FF43F3181E7FBC5DE6D466EA45C6DB0C8BBA6704F87954B4E28A9273067EBE20066169FF70F896A236A3F786291FB660D24 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\calc.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 905 |
| Entropy (8bit): | 6.202615493257142 |
| Encrypted: | false |
| SSDEEP: | 24:GPGG/rOmDyEA/lgQhs9O/E0+JSaywxBv/7DiNVkvzksm5qWdB:GPGuKmDBylgQ69OsZd1/CNavVWb |
| MD5: | B4EB7F28555DDA63F591A950F2DB89D1 |
| SHA1: | 92BA2174422096A09CE506C041165564360ACCC3 |
| SHA-256: | 00C9F54DC4DEEC12DB8BA086EC347D03F978E46222D9C5EC5C6240F7AC171C5C |
| SHA-512: | 3268DE3032832A54E3251589B6D41FF43F3181E7FBC5DE6D466EA45C6DB0C8BBA6704F87954B4E28A9273067EBE20066169FF70F896A236A3F786291FB660D24 |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.898423357288493 |
| TrID: |
|
| File name: | calc.exe |
| File size: | 206'377 bytes |
| MD5: | 2f9fdad776d8626f2ce8625211831e91 |
| SHA1: | 21d8413eb0d60b36fc249f8025c277b557fefde3 |
| SHA256: | 9b66a8ea0f1c64965b06e7a45afbe56f2d4e6d5ef65f32446defccbebe730813 |
| SHA512: | 2abd61c6bea7c748f81cdd18133582217bd06dd19506f13f89953f8c7bd662fc5233540b9f56c57aa94e038c674128fc46dd280e2f7db642343fc5a45da25feb |
| SSDEEP: | 6144:96LkVO8A1X2og0tEHH45Y0KTIVaTycTVDNe4oI:TMJ1X2og0MHGKT3RRwG |
| TLSH: | EE141225F3ED187CD45C8E3B071E9874D20EA6F2C2820A7E6E549ADBEC557101C7AB1D |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........H+..)E..)E..)E..!,..)E.\>%..)E.\>J..)E.\>..|)E.Q!...)E...Y..)E..!...)E...(..)E.(.\..)E.Q!...)E..)D..(E.\>!..)E.>"...)E.\>...)E |
 | |
| Icon Hash: | e4d4f0d4d4d4d460 |
| Entrypoint: | 0x488080 |
| Entrypoint Section: | UPX1 |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
| DLL Characteristics: | TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x4656F23B [Fri May 25 14:27:07 2007 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | fd50eeaa7137498c4740b429b41a482e |
| Instruction |
|---|
| pushad |
| mov esi, 00458000h |
| lea edi, dword ptr [esi-00057000h] |
| push edi |
| jmp 00007F300067577Dh |
| nop |
| mov al, byte ptr [esi] |
| inc esi |
| mov byte ptr [edi], al |
| inc edi |
| add ebx, ebx |
| jne 00007F3000675779h |
| mov ebx, dword ptr [esi] |
| sub esi, FFFFFFFCh |
| adc ebx, ebx |
| jc 00007F300067575Fh |
| mov eax, 00000001h |
| add ebx, ebx |
| jne 00007F3000675779h |
| mov ebx, dword ptr [esi] |
| sub esi, FFFFFFFCh |
| adc ebx, ebx |
| adc eax, eax |
| add ebx, ebx |
| jnc 00007F300067577Dh |
| jne 00007F300067579Ah |
| mov ebx, dword ptr [esi] |
| sub esi, FFFFFFFCh |
| adc ebx, ebx |
| jc 00007F3000675791h |
| dec eax |
| add ebx, ebx |
| jne 00007F3000675779h |
| mov ebx, dword ptr [esi] |
| sub esi, FFFFFFFCh |
| adc ebx, ebx |
| adc eax, eax |
| jmp 00007F3000675746h |
| add ebx, ebx |
| jne 00007F3000675779h |
| mov ebx, dword ptr [esi] |
| sub esi, FFFFFFFCh |
| adc ebx, ebx |
| adc ecx, ecx |
| jmp 00007F30006757C4h |
| xor ecx, ecx |
| sub eax, 03h |
| jc 00007F3000675783h |
| shl eax, 08h |
| mov al, byte ptr [esi] |
| inc esi |
| xor eax, FFFFFFFFh |
| je 00007F30006757E7h |
| sar eax, 1 |
| mov ebp, eax |
| jmp 00007F300067577Dh |
| add ebx, ebx |
| jne 00007F3000675779h |
| mov ebx, dword ptr [esi] |
| sub esi, FFFFFFFCh |
| adc ebx, ebx |
| jc 00007F300067573Eh |
| inc ecx |
| add ebx, ebx |
| jne 00007F3000675779h |
| mov ebx, dword ptr [esi] |
| sub esi, FFFFFFFCh |
| adc ebx, ebx |
| jc 00007F3000675730h |
| add ebx, ebx |
| jne 00007F3000675779h |
| mov ebx, dword ptr [esi] |
| sub esi, FFFFFFFCh |
| adc ebx, ebx |
| adc ecx, ecx |
| add ebx, ebx |
| jnc 00007F3000675761h |
| jne 00007F300067577Bh |
| mov ebx, dword ptr [esi] |
| sub esi, FFFFFFFCh |
| adc ebx, ebx |
| jnc 00007F3000675756h |
| add ecx, 02h |
| cmp ebp, FFFFFB00h |
| adc ecx, 02h |
| lea edx, dword ptr [edi+ebp] |
| cmp ebp, FFFFFFFCh |
| jbe 00007F3000675780h |
| mov al, byte ptr [edx] |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x89e8c | 0x310 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x89000 | 0xe8c | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| UPX0 | 0x1000 | 0x57000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| UPX1 | 0x58000 | 0x31000 | 0x30400 | 3820b49f074de0d36c50a7babb2200ed | False | 0.9900420984455959 | data | 7.923658427357822 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x89000 | 0x2000 | 0x1200 | d8312ec9afba4f967d7c2e34b8b3e76f | False | 0.3682725694444444 | data | 4.437280170665141 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x893bc | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | Great Britain | 0.13172043010752688 |
| RT_ICON | 0x896a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216 |
| RT_ICON | 0x897d4 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135 |
| RT_MENU | 0x828f0 | 0x50 | data | English | Great Britain | 1.1375 |
| RT_DIALOG | 0x82940 | 0xfc | data | English | Great Britain | 1.0436507936507937 |
| RT_STRING | 0x82a40 | 0x598 | data | English | Great Britain | 1.0076815642458101 |
| RT_STRING | 0x82fd8 | 0x690 | data | English | Great Britain | 1.006547619047619 |
| RT_STRING | 0x83668 | 0x4ce | OpenPGP Public Key Version 4, Created Fri Jun 29 18:33:11 2035, Unknown Algorithm (0xf3); Public Subkey | English | Great Britain | 1.0089430894308944 |
| RT_STRING | 0x83b38 | 0x5fa | data | English | Great Britain | 1.00718954248366 |
| RT_STRING | 0x84138 | 0x572 | data | English | Great Britain | 1.0078909612625537 |
| RT_STRING | 0x846b0 | 0x428 | data | English | Great Britain | 1.0103383458646618 |
| RT_GROUP_ICON | 0x89900 | 0x14 | data | English | Great Britain | 1.15 |
| RT_GROUP_ICON | 0x89918 | 0x14 | data | English | Great Britain | 1.15 |
| RT_GROUP_ICON | 0x89930 | 0x14 | data | English | Great Britain | 1.25 |
| RT_VERSION | 0x89948 | 0x19c | data | English | Great Britain | 0.5533980582524272 |
| RT_MANIFEST | 0x89ae8 | 0x3a3 | XML 1.0 document, ASCII text, with CRLF line terminators | English | Great Britain | 0.4790547798066595 |
| DLL | Import |
|---|---|
| KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess |
| ADVAPI32.dll | RegCloseKey |
| COMCTL32.dll | ImageList_Remove |
| comdlg32.dll | GetSaveFileNameW |
| GDI32.dll | LineTo |
| MPR.dll | WNetUseConnectionW |
| ole32.dll | CoInitialize |
| OLEAUT32.dll | GetActiveObject |
| SHELL32.dll | DragFinish |
| USER32.dll | GetDC |
| VERSION.dll | VerQueryValueW |
| WINMM.dll | timeGetTime |
| WSOCK32.dll | listen |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | Great Britain |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 15:45:29 |
| Start date: | 01/10/2024 |
| Path: | C:\Users\user\Desktop\calc.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 206'377 bytes |
| MD5 hash: | 2F9FDAD776D8626F2CE8625211831E91 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 15:45:29 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\SysWOW64\wscript.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xbb0000 |
| File size: | 147'456 bytes |
| MD5 hash: | FF00E0480075B095948000BDC66E81F0 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 15:45:30 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\SysWOW64\net.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x70000 |
| File size: | 47'104 bytes |
| MD5 hash: | 31890A7DE89936F922D44D677F681A7F |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 15:45:30 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6ee680000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 5 |
| Start time: | 15:45:30 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\SysWOW64\net.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x70000 |
| File size: | 47'104 bytes |
| MD5 hash: | 31890A7DE89936F922D44D677F681A7F |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 6 |
| Start time: | 15:45:30 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6ee680000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 7 |
| Start time: | 15:45:30 |
| Start date: | 01/10/2024 |
| Path: | C:\Users\user\Desktop\calc.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 206'377 bytes |
| MD5 hash: | 2F9FDAD776D8626F2CE8625211831E91 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 8 |
| Start time: | 15:45:30 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\SysWOW64\net1.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x200000 |
| File size: | 139'776 bytes |
| MD5 hash: | 2EFE6ED4C294AB8A39EB59C80813FEC1 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 9 |
| Start time: | 15:45:30 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\SysWOW64\net1.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x200000 |
| File size: | 139'776 bytes |
| MD5 hash: | 2EFE6ED4C294AB8A39EB59C80813FEC1 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 10 |
| Start time: | 15:45:30 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\SysWOW64\wscript.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xbb0000 |
| File size: | 147'456 bytes |
| MD5 hash: | FF00E0480075B095948000BDC66E81F0 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 11 |
| Start time: | 15:45:31 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\SysWOW64\net.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x70000 |
| File size: | 47'104 bytes |
| MD5 hash: | 31890A7DE89936F922D44D677F681A7F |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 12 |
| Start time: | 15:45:31 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6ee680000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 13 |
| Start time: | 15:45:31 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\SysWOW64\net.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x70000 |
| File size: | 47'104 bytes |
| MD5 hash: | 31890A7DE89936F922D44D677F681A7F |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 14 |
| Start time: | 15:45:31 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6ee680000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 15 |
| Start time: | 15:45:31 |
| Start date: | 01/10/2024 |
| Path: | C:\Users\user\Desktop\calc.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 206'377 bytes |
| MD5 hash: | 2F9FDAD776D8626F2CE8625211831E91 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 16 |
| Start time: | 15:45:31 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\SysWOW64\net1.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x200000 |
| File size: | 139'776 bytes |
| MD5 hash: | 2EFE6ED4C294AB8A39EB59C80813FEC1 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 17 |
| Start time: | 15:45:31 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\SysWOW64\net1.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x200000 |
| File size: | 139'776 bytes |
| MD5 hash: | 2EFE6ED4C294AB8A39EB59C80813FEC1 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 18 |
| Start time: | 15:45:31 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\SysWOW64\wscript.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xbb0000 |
| File size: | 147'456 bytes |
| MD5 hash: | FF00E0480075B095948000BDC66E81F0 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 19 |
| Start time: | 15:45:32 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\SysWOW64\net.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x70000 |
| File size: | 47'104 bytes |
| MD5 hash: | 31890A7DE89936F922D44D677F681A7F |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 20 |
| Start time: | 15:45:32 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6ee680000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 21 |
| Start time: | 15:45:32 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\SysWOW64\net.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x70000 |
| File size: | 47'104 bytes |
| MD5 hash: | 31890A7DE89936F922D44D677F681A7F |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 22 |
| Start time: | 15:45:32 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6ee680000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 23 |
| Start time: | 15:45:32 |
| Start date: | 01/10/2024 |
| Path: | C:\Users\user\Desktop\calc.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 206'377 bytes |
| MD5 hash: | 2F9FDAD776D8626F2CE8625211831E91 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 24 |
| Start time: | 15:45:32 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\SysWOW64\net1.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x200000 |
| File size: | 139'776 bytes |
| MD5 hash: | 2EFE6ED4C294AB8A39EB59C80813FEC1 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 25 |
| Start time: | 15:45:32 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\SysWOW64\net1.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x200000 |
| File size: | 139'776 bytes |
| MD5 hash: | 2EFE6ED4C294AB8A39EB59C80813FEC1 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 26 |
| Start time: | 15:45:33 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\SysWOW64\wscript.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xbb0000 |
| File size: | 147'456 bytes |
| MD5 hash: | FF00E0480075B095948000BDC66E81F0 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 27 |
| Start time: | 15:45:34 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\SysWOW64\net.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x70000 |
| File size: | 47'104 bytes |
| MD5 hash: | 31890A7DE89936F922D44D677F681A7F |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 28 |
| Start time: | 15:45:34 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6ee680000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 29 |
| Start time: | 15:45:34 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\SysWOW64\net.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x70000 |
| File size: | 47'104 bytes |
| MD5 hash: | 31890A7DE89936F922D44D677F681A7F |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 30 |
| Start time: | 15:45:34 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6ee680000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 31 |
| Start time: | 15:45:34 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\SysWOW64\net1.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x200000 |
| File size: | 139'776 bytes |
| MD5 hash: | 2EFE6ED4C294AB8A39EB59C80813FEC1 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 32 |
| Start time: | 15:45:34 |
| Start date: | 01/10/2024 |
| Path: | C:\Users\user\Desktop\calc.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 206'377 bytes |
| MD5 hash: | 2F9FDAD776D8626F2CE8625211831E91 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 33 |
| Start time: | 15:45:34 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\SysWOW64\net1.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x200000 |
| File size: | 139'776 bytes |
| MD5 hash: | 2EFE6ED4C294AB8A39EB59C80813FEC1 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 34 |
| Start time: | 15:45:34 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\SysWOW64\wscript.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xbb0000 |
| File size: | 147'456 bytes |
| MD5 hash: | FF00E0480075B095948000BDC66E81F0 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 35 |
| Start time: | 15:45:35 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\SysWOW64\net.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x70000 |
| File size: | 47'104 bytes |
| MD5 hash: | 31890A7DE89936F922D44D677F681A7F |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 36 |
| Start time: | 15:45:35 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6ee680000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 37 |
| Start time: | 15:45:35 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\SysWOW64\net.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x70000 |
| File size: | 47'104 bytes |
| MD5 hash: | 31890A7DE89936F922D44D677F681A7F |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 38 |
| Start time: | 15:45:35 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6ee680000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 39 |
| Start time: | 15:45:35 |
| Start date: | 01/10/2024 |
| Path: | C:\Users\user\Desktop\calc.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 206'377 bytes |
| MD5 hash: | 2F9FDAD776D8626F2CE8625211831E91 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 40 |
| Start time: | 15:45:35 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\SysWOW64\net1.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x200000 |
| File size: | 139'776 bytes |
| MD5 hash: | 2EFE6ED4C294AB8A39EB59C80813FEC1 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 41 |
| Start time: | 15:45:35 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\SysWOW64\net1.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x200000 |
| File size: | 139'776 bytes |
| MD5 hash: | 2EFE6ED4C294AB8A39EB59C80813FEC1 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 42 |
| Start time: | 15:45:36 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\SysWOW64\wscript.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xbb0000 |
| File size: | 147'456 bytes |
| MD5 hash: | FF00E0480075B095948000BDC66E81F0 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 43 |
| Start time: | 15:45:36 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\SysWOW64\net.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x70000 |
| File size: | 47'104 bytes |
| MD5 hash: | 31890A7DE89936F922D44D677F681A7F |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 44 |
| Start time: | 15:45:36 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6ee680000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 45 |
| Start time: | 15:45:36 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\SysWOW64\net.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x70000 |
| File size: | 47'104 bytes |
| MD5 hash: | 31890A7DE89936F922D44D677F681A7F |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 46 |
| Start time: | 15:45:36 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6ee680000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 47 |
| Start time: | 15:45:36 |
| Start date: | 01/10/2024 |
| Path: | C:\Users\user\Desktop\calc.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 206'377 bytes |
| MD5 hash: | 2F9FDAD776D8626F2CE8625211831E91 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 48 |
| Start time: | 15:45:36 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\SysWOW64\net1.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x200000 |
| File size: | 139'776 bytes |
| MD5 hash: | 2EFE6ED4C294AB8A39EB59C80813FEC1 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 49 |
| Start time: | 15:45:36 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\SysWOW64\net1.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x200000 |
| File size: | 139'776 bytes |
| MD5 hash: | 2EFE6ED4C294AB8A39EB59C80813FEC1 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 50 |
| Start time: | 15:45:37 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\SysWOW64\wscript.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xbb0000 |
| File size: | 147'456 bytes |
| MD5 hash: | FF00E0480075B095948000BDC66E81F0 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 51 |
| Start time: | 15:45:37 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\SysWOW64\net.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x70000 |
| File size: | 47'104 bytes |
| MD5 hash: | 31890A7DE89936F922D44D677F681A7F |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 52 |
| Start time: | 15:45:37 |
| Start date: | 01/10/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6ee680000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 4.8% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 10.7% |
| Total number of Nodes: | 1881 |
| Total number of Limit Nodes: | 23 |
Graph
Function 00439814 Relevance: 60.4, APIs: 11, Strings: 23, Instructions: 893libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00425639 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 117fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00430DCB Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 250comCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043244B Relevance: .6, Instructions: 624COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040127D Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 76windowregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040165B Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 131windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404205 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 49registrywindowclipboardCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040F71A Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 164registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044ADFD Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 13libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00455359 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 247fileCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00455BA1 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 247fileCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041629F Relevance: 7.5, APIs: 5, Instructions: 32serviceCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401904 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044FF81 Relevance: 6.2, APIs: 4, Instructions: 168fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00414E97 Relevance: 4.6, APIs: 3, Instructions: 75COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00442C1C Relevance: 3.1, APIs: 2, Instructions: 85COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00449C88 Relevance: 3.0, APIs: 2, Instructions: 35memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00449A38 Relevance: 3.0, APIs: 2, Instructions: 34memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044E07D Relevance: 3.0, APIs: 2, Instructions: 26memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00416168 Relevance: 3.0, APIs: 2, Instructions: 23COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044FD57 Relevance: 2.6, APIs: 2, Instructions: 52COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00443162 Relevance: 1.6, APIs: 1, Instructions: 138COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004129C0 Relevance: 1.5, APIs: 1, Instructions: 33windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00414E55 Relevance: 1.5, APIs: 1, Instructions: 10COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043138D Relevance: 1.3, APIs: 1, Instructions: 24COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00413E1F Relevance: 1.3, APIs: 1, Instructions: 20COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004045EC Relevance: 127.5, APIs: 68, Strings: 4, Instructions: 1483windowfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00412196 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 120keyboardthreadwindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00415C2E Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 64shutdownCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043A442 Relevance: 20.5, Strings: 16, Instructions: 542COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004527E8 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 212timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041510D Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 163filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00424856 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 112fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00420D89 Relevance: 16.3, APIs: 8, Strings: 1, Instructions: 516sleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00422C4D Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 210timefileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004230D5 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 107fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041605B Relevance: 12.1, APIs: 8, Instructions: 92COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042F3BC Relevance: 9.1, APIs: 6, Instructions: 77networkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00426292 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120filesleepCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00430B6B Relevance: 7.7, APIs: 5, Instructions: 226comCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00440FF0 Relevance: 7.6, APIs: 5, Instructions: 57windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00425838 Relevance: 4.6, APIs: 3, Instructions: 117fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00414E16 Relevance: 4.5, APIs: 3, Instructions: 21fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00444317 Relevance: 3.8, Strings: 1, Instructions: 2537COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00421E0D Relevance: 3.3, APIs: 2, Instructions: 273COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042320D Relevance: 3.0, APIs: 2, Instructions: 46fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041FE6D Relevance: 3.0, APIs: 2, Instructions: 15windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00448776 Relevance: 1.9, Strings: 1, Instructions: 611COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004558FF Relevance: 1.5, APIs: 1, Instructions: 26COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043738E Relevance: 1.5, APIs: 1, Instructions: 7COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004422B6 Relevance: .6, Instructions: 646COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00456824 Relevance: .4, Instructions: 357COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043E46A Relevance: .3, Instructions: 342COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044D7D4 Relevance: .1, Instructions: 77COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00438A4D Relevance: 63.5, APIs: 34, Strings: 2, Instructions: 474filepipeprocessCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D33A Relevance: 54.5, APIs: 29, Strings: 2, Instructions: 294windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405B07 Relevance: 51.2, APIs: 34, Instructions: 239COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00407A0B Relevance: 51.2, APIs: 28, Strings: 1, Instructions: 472windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042C822 Relevance: 40.6, APIs: 19, Strings: 4, Instructions: 300windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040667C Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 279windowtimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00441086 Relevance: 31.8, APIs: 16, Strings: 2, Instructions: 348windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B005 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 205windowlibraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043BC56 Relevance: 26.7, APIs: 10, Strings: 5, Instructions: 448registryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004530C8 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 117fileCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004545BB Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 99COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044C499 Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 71libraryloadermemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00412E32 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 208windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00418B39 Relevance: 21.4, APIs: 11, Strings: 1, Instructions: 399timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00430763 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 138registryshareCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00455EDD Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 90libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043936F Relevance: 19.9, APIs: 13, Instructions: 361COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042ED85 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 212networkmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004126BC Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 169windowsleepCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004305B5 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 143registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004108E0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128keyboardCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004149FA Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 80sleeptimewindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004301FC Relevance: 18.2, APIs: 12, Instructions: 193COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040E741 Relevance: 18.2, APIs: 12, Instructions: 168COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00430474 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 108registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D7FC Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 80windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00456097 Relevance: 16.8, APIs: 11, Instructions: 309COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00453588 Relevance: 16.6, APIs: 11, Instructions: 150COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00442E86 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 236fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402257 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 83windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040205D Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406DD9 Relevance: 15.2, APIs: 10, Instructions: 152COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00422EA1 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 191timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041FAEE Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 134windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040ACC5 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 113windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00408346 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 94windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004028E7 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 80windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040F96A Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 65windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00457A2F Relevance: 13.8, APIs: 9, Instructions: 299COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00450BDA Relevance: 13.7, APIs: 9, Instructions: 196COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043CB9B Relevance: 13.6, APIs: 9, Instructions: 70fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401DB3 Relevance: 13.6, APIs: 9, Instructions: 64sleepkeyboardwindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004133AD Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 123windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041FCD4 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 116windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004159F1 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00412B78 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 68windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00455946 Relevance: 12.2, APIs: 8, Instructions: 177COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406535 Relevance: 12.1, APIs: 8, Instructions: 116COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00417905 Relevance: 12.0, APIs: 8, Instructions: 33COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004092FB Relevance: 10.9, APIs: 7, Instructions: 428COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040BBDB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 120windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B7B2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B225 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00414469 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 52windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00412305 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044C2B2 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37threadCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043C7EA Relevance: 9.2, APIs: 6, Instructions: 219fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004236D5 Relevance: 9.2, APIs: 6, Instructions: 188COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00454706 Relevance: 9.2, APIs: 6, Instructions: 168COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00453BD4 Relevance: 9.1, APIs: 6, Instructions: 145COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00440AA4 Relevance: 9.1, APIs: 6, Instructions: 118windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B6AE Relevance: 9.1, APIs: 6, Instructions: 93windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040CE65 Relevance: 9.1, APIs: 6, Instructions: 93COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004536F2 Relevance: 9.1, APIs: 6, Instructions: 67COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00411E91 Relevance: 9.1, APIs: 6, Instructions: 56sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040CBFD Relevance: 9.1, APIs: 6, Instructions: 54COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040EF2E Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 222libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402148 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 92windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B89C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040EE82 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 55libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044AEC1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00409CDF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00454432 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 29libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004551AD Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 13libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00454A84 Relevance: 7.7, APIs: 5, Instructions: 184COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044DA7D Relevance: 7.7, APIs: 5, Instructions: 166COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044D560 Relevance: 7.7, APIs: 5, Instructions: 151COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00426415 Relevance: 7.6, APIs: 5, Instructions: 116COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00417AB2 Relevance: 7.6, APIs: 5, Instructions: 108sleepCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044C70C Relevance: 7.6, APIs: 5, Instructions: 99COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044D99A Relevance: 7.6, APIs: 5, Instructions: 92memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406CF6 Relevance: 7.6, APIs: 5, Instructions: 86windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040850D Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040CCF8 Relevance: 7.6, APIs: 5, Instructions: 69COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041553B Relevance: 7.6, APIs: 5, Instructions: 68COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042F316 Relevance: 7.6, APIs: 5, Instructions: 66networkCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D713 Relevance: 7.6, APIs: 5, Instructions: 56windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00415F9F Relevance: 7.6, APIs: 5, Instructions: 54sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041255C Relevance: 7.5, APIs: 5, Instructions: 39COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D6BD Relevance: 7.5, APIs: 5, Instructions: 37windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040CC87 Relevance: 7.5, APIs: 5, Instructions: 34COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004137E9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 175windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004246CD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141fileCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041352C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004155D8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 102filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040ABEC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B37A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77windowlibraryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040AA6D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004042C8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 70windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B2D8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00408A31 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043004A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00430071 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00430023 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004300E6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004120F8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00430098 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004300BF Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00416372 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004163C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004163E7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00416399 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043B451 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041640E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00416435 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004124CB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004124F2 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004265CA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004265F1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004265A3 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004418D4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004418FB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D903 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042FD05 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042FE76 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040EE00 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040EE27 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042FEC4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042FEEB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042FE9D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042FF60 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042FF12 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042FF39 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042FFD5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042FFFC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042FF87 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042FFAE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403AB0 Relevance: 6.1, APIs: 4, Instructions: 148COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004080B0 Relevance: 6.1, APIs: 4, Instructions: 119COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406BB2 Relevance: 6.1, APIs: 4, Instructions: 119COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004309C0 Relevance: 6.1, APIs: 4, Instructions: 114COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004509A2 Relevance: 6.1, APIs: 4, Instructions: 113COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040C4BD Relevance: 6.1, APIs: 4, Instructions: 102COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00457BDC Relevance: 6.1, APIs: 4, Instructions: 93COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00450CF4 Relevance: 6.1, APIs: 4, Instructions: 93COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405D95 Relevance: 6.1, APIs: 4, Instructions: 91windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042F490 Relevance: 6.1, APIs: 4, Instructions: 71networkCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042003A Relevance: 6.1, APIs: 4, Instructions: 70windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044B66E Relevance: 6.1, APIs: 4, Instructions: 69threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403C97 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044AFC4 Relevance: 6.1, APIs: 4, Instructions: 65threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044E459 Relevance: 6.1, APIs: 4, Instructions: 57memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00414971 Relevance: 6.1, APIs: 4, Instructions: 51synchronizationthreadwindowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040418F Relevance: 6.0, APIs: 4, Instructions: 44COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00457312 Relevance: 6.0, APIs: 4, Instructions: 38COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00412C29 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045705F Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B435 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040BACF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040A9BE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040A701 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402FF7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401FC4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401EA6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401F36 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042A895 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32sleepCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00441486 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004414BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004144F7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 8windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 4.8% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 1.7% |
| Total number of Nodes: | 1887 |
| Total number of Limit Nodes: | 22 |
Graph
Function 00425639 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 117fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040165B Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 131nativewindowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00439814 Relevance: 60.4, APIs: 11, Strings: 23, Instructions: 893libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040127D Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 76windowregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404205 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 49registrywindowclipboardCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00430DCB Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 250comCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040F71A Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 164registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044ADFD Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 13libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00455359 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 247fileCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00455BA1 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 247fileCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041629F Relevance: 7.5, APIs: 5, Instructions: 32serviceCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401904 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044FF81 Relevance: 6.2, APIs: 4, Instructions: 168fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00414E97 Relevance: 4.6, APIs: 3, Instructions: 75COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00442C1C Relevance: 3.1, APIs: 2, Instructions: 85COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00449C88 Relevance: 3.0, APIs: 2, Instructions: 35memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00449A38 Relevance: 3.0, APIs: 2, Instructions: 34memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044E07D Relevance: 3.0, APIs: 2, Instructions: 26memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00416168 Relevance: 3.0, APIs: 2, Instructions: 23COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044FD57 Relevance: 2.6, APIs: 2, Instructions: 52COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00443162 Relevance: 1.6, APIs: 1, Instructions: 138COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004129C0 Relevance: 1.5, APIs: 1, Instructions: 33windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00414E55 Relevance: 1.5, APIs: 1, Instructions: 10COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043138D Relevance: 1.3, APIs: 1, Instructions: 24COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00413E1F Relevance: 1.3, APIs: 1, Instructions: 20COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004230D5 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 107fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00441086 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 348windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B005 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 205windowlibraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004530C8 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 117fileCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040205D Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041605B Relevance: 12.1, APIs: 8, Instructions: 92COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D03A Relevance: 7.5, APIs: 5, Instructions: 30COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043004A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00430071 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00430023 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004300E6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004120F8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042003A Relevance: 6.1, APIs: 4, Instructions: 70windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045705F Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|