Edit tour
Windows
Analysis Report
test.exe
Overview
General Information
| Sample name: | test.exe |
| Analysis ID: | 1524536 |
| MD5: | 2a98009ebc2e830e2e2de723312ee8a6 |
| SHA1: | 4d767fa5085f36a9d6c8a70de8106b5e4a6a6802 |
| SHA256: | 0f28c564a6268c2f3203bf3d594cb519dde447032911eebf3b430e925a94915a |
| Infos: |  |
 | |
Detection
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
DLL reload attack detected
Multi AV Scanner detection for dropped file
Submitted sample is a known malware sample
AI detected suspicious sample
Contains functionality to inject threads in other processes
Drops executables to the windows directory (C:\Windows) and starts them
Found stalling execution ending in API Sleep call
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Writes to foreign memory regions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapater information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
test.exe (PID: 6616 cmdline: "C:\Users\ user\Deskt op\test.ex e" MD5: 2A98009EBC2E830E2E2DE723312EE8A6) 
explorer.exe (PID: 984 cmdline: explorer.e xe MD5: DD6597597673F72E10C9DE7901FBA0A8) 
@AE2AF6.tmp.exe (PID: 2084 cmdline: "C:\Users\ user\AppDa ta\Local\T emp\@AE2AF 6.tmp.exe" MD5: 252EE18EB5E305056FDC9915B278656F) 
cmd.exe (PID: 4948 cmdline: C:\Windows \system32\ cmd.exe /c ""C:\User s\user\App Data\Roami ng\Temp\us er0.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 428 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - WdExt.exe (PID: 6788 cmdline:
"C:\Users\ user\AppDa ta\Roaming \Microsoft \Messenger \Extension \WdExt.exe " MD5: 7942494EAC73B2B3281E4A8E94C39376) - cmd.exe (PID: 5228 cmdline:
C:\Windows \system32\ cmd.exe /c ""C:\User s\user\App Data\Roami ng\Temp\us er1.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 4564 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - launch.exe (PID: 2720 cmdline:
"C:\Users\ user\AppDa ta\Roaming \Microsoft \Defender\ launch.exe " /i 6788 MD5: DAAC1781C9D22F5743ADE0CB41FEAEBF) - cmd.exe (PID: 2020 cmdline:
C:\Windows \system32\ cmd.exe /c ""C:\User s\user\App Data\Roami ng\Temp\us er2.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 2084 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
wtmps.exe (PID: 4480 cmdline: "C:\Users\ user\AppDa ta\Local\T emp\wtmps. exe" MD5: 75C1467042B38332D1EA0298F29FB592) - mscaps.exe (PID: 6612 cmdline:
"C:\Window s\system32 \mscaps.ex e" /C:\Use rs\user\Ap pData\Loca l\Temp\wtm ps.exe MD5: 78D3C8705F8BAF7D34E6A6737D1CFA18) - cmd.exe (PID: 2140 cmdline:
C:\Windows \system32\ cmd.exe /c ""C:\User s\user\App Data\Roami ng\Temp\us er1.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7124 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - test.exe (PID: 2196 cmdline:
"C:\Users\ user\Deskt op\test.ex e" MD5: AA2C0EDAD4DE949A1347F8C6A346AAAB)
- cleanup
⊘No configs have been found
⊘No yara matches
System Summary |   |
|---|
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 2_2_00401466 | |
| Source: | Code function: | 2_2_00404D6B | |
| Source: | Code function: | 11_2_004012A4 | |
| Source: | Code function: | 11_2_004034D3 | |
| Source: | Code function: | 15_2_00403177 | |
| Source: | String found in binary or memory: | ||
System Summary | |
|---|
| Source: | Dropped file: | ||
| Source: | Dropped file: | ||
| Source: | File created: | ||
| Source: | Code function: | 2_2_00404069 | |
| Source: | Code function: | 2_2_0040A8DB | |
| Source: | Code function: | 2_2_00406550 | |
| Source: | Code function: | 2_2_0040B965 | |
| Source: | Code function: | 2_2_00403D17 | |
| Source: | Code function: | 2_2_004035D5 | |
| Source: | Code function: | 2_2_004039DA | |
| Source: | Code function: | 2_2_004159BF | |
| Source: | Code function: | 2_2_0040866E | |
| Source: | Code function: | 2_2_00407E7F | |
| Source: | Code function: | 2_2_0040AECE | |
| Source: | Code function: | 2_2_004042F0 | |
| Source: | Code function: | 2_2_00410334 | |
| Source: | Code function: | 2_2_0040A3BD | |
| Source: | Code function: | 2_2_1000A69F | |
| Source: | Code function: | 3_2_00407753 | |
| Source: | Code function: | 8_2_1000A69F | |
| Source: | Code function: | 11_2_0040247F | |
| Source: | Code function: | 11_2_004074EC | |
| Source: | Code function: | 11_2_00402142 | |
| Source: | Code function: | 11_2_00401D3D | |
| Source: | Code function: | 11_2_0040C1C4 | |
| Source: | Code function: | 11_2_00404DCD | |
| Source: | Code function: | 11_2_004055BC | |
| Source: | Code function: | 11_2_00402A58 | |
| Source: | Code function: | 11_2_00407A68 | |
| Source: | Code function: | 11_2_00406FCE | |
| Source: | Code function: | 11_2_004027D1 | |
| Source: | Code function: | 11_2_0040FF99 | |
| Source: | Code function: | 11_2_1000A69F | |
| Source: | Code function: | 14_2_00407F2C | |
| Source: | Code function: | 14_2_004015A0 | |
| Source: | Code function: | 15_2_00401F70 | |
| Source: | Code function: | 15_2_0040A13C | |
| Source: | Code function: | 15_2_004071EE | |
| Source: | Dropped File: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 2_2_1000180D | |
| Source: | Code function: | 14_2_00401080 | |
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | String found in binary or memory: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Static file information: | ||
| Source: | Code function: | 2_2_00402056 | |
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_0040167E | |
| Source: | Code function: | 2_2_0040C8BE | |
| Source: | Code function: | 2_2_0040D53E | |
| Source: | Code function: | 2_2_10005996 | |
| Source: | Code function: | 2_2_100053AE | |
| Source: | Code function: | 8_2_10005996 | |
| Source: | Code function: | 8_2_100053AE | |
| Source: | Code function: | 11_2_0040896E | |
| Source: | Code function: | 11_2_00409E3E | |
| Source: | Code function: | 11_2_10005996 | |
| Source: | Code function: | 11_2_100053AE | |
| Source: | Code function: | 14_2_004026FE | |
| Source: | Code function: | 15_2_004030BE | |
Persistence and Installation Behavior | |
|---|
| Source: | Executable created and started: | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | Code function: | 15_2_00401D10 | |
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
Hooking and other Techniques for Hiding and Protection | |
|---|
| Source: | Module Loaded: | ||
| Source: | Module Loaded: | ||
| Source: | Code function: | 14_2_00401080 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | |||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | Stalling execution: | ||
| Source: | Code function: | 2_2_1000180D | |
| Source: | Code function: | 2_2_00402056 | |
| Source: | Code function: | 2_2_00401CB0 | |
| Source: | Code function: | 14_2_00401D20 | |
| Source: | Code function: | 15_2_00402600 | |
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Code function: | 2_2_00401466 | |
| Source: | Code function: | 2_2_00404D6B | |
| Source: | Code function: | 11_2_004012A4 | |
| Source: | Code function: | 11_2_004034D3 | |
| Source: | Code function: | 15_2_00403177 | |
| Source: | Code function: | 2_2_0040318C | |
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | API call chain: | graph_2-18953 | ||
| Source: | API call chain: | |||
| Source: | API call chain: | |||
| Source: | API call chain: | |||
| Source: | API call chain: | |||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 2_2_1000180D | |
| Source: | Code function: | 2_2_00402056 | |
| Source: | Code function: | 2_2_00404732 | |
| Source: | Code function: | 2_2_00411746 | |
| Source: | Code function: | 2_2_00411758 | |
| Source: | Code function: | 2_2_1000BA64 | |
| Source: | Code function: | 2_2_1000BA76 | |
| Source: | Code function: | 3_2_00401179 | |
| Source: | Code function: | 3_2_00451880 | |
| Source: | Code function: | 8_2_1000BA64 | |
| Source: | Code function: | 8_2_1000BA76 | |
| Source: | Code function: | 11_2_0040C6A6 | |
| Source: | Code function: | 11_2_0040C6B8 | |
| Source: | Code function: | 11_2_1000BA64 | |
| Source: | Code function: | 11_2_1000BA76 | |
| Source: | Code function: | 14_2_00406250 | |
| Source: | Code function: | 14_2_0040623E | |
| Source: | Code function: | 14_2_00401AD0 | |
| Source: | Code function: | 15_2_00408007 | |
| Source: | Code function: | 15_2_004024A0 | |
| Source: | Code function: | 15_2_00407FF5 | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Code function: | 15_2_00401950 | |
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Code function: | 2_2_0040B8D2 | |
| Source: | Code function: | 2_2_00402056 | |
| Source: | Code function: | 2_2_00412794 | |
| Source: | Code function: | 2_2_0040318C | |
| Source: | Code function: | 3_2_0043B9C0 | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | 1 Scripting | Valid Accounts | 2 Command and Scripting Interpreter | 1 Scripting | 311 Process Injection | 121 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 Native API | 1 Registry Run Keys / Startup Folder | 1 Registry Run Keys / Startup Folder | 11 Virtualization/Sandbox Evasion | LSASS Memory | 121 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | 11 DLL Side-Loading | 11 DLL Side-Loading | 311 Process Injection | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 DLL Side-Loading | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 2 File and Directory Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 4 System Information Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira | TR/Drop.Daws.awfy | ||
| 100% | Joe Sandbox ML |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira | TR/Rogue.kdv.685680 | ||
| 100% | Avira | TR/Spy.Agent.auk | ||
| 100% | Avira | TR/Spy.Agent.auh | ||
| 100% | Avira | TR/Crypt.FKM.1350 | ||
| 100% | Avira | BDS/Fynloski.IG | ||
| 100% | Avira | TR/Spy.Agent.aul | ||
| 100% | Avira | TR/Drop.Daws.awfy | ||
| 100% | Avira | TR/PSW.Agent.pzuba | ||
| 100% | Avira | TR/Spy.Agent.rddod | ||
| 100% | Avira | BDS/Nanocore.MG | ||
| 100% | Avira | BDS/Fynloski.BA | ||
| 100% | Joe Sandbox ML | |||
| 100% | Joe Sandbox ML | |||
| 100% | Joe Sandbox ML | |||
| 100% | Joe Sandbox ML | |||
| 100% | Joe Sandbox ML | |||
| 100% | Joe Sandbox ML | |||
| 100% | ReversingLabs | Win32.Infostealer.BZub | ||
| 100% | ReversingLabs | Win32.Worm.Faedevour | ||
| 91% | ReversingLabs | Win32.Worm.Faedevour | ||
| 92% | ReversingLabs | Win32.Worm.Faedevour | ||
| 100% | ReversingLabs | Win32.Worm.Faedevour | ||
| 96% | ReversingLabs | Win32.Worm.Faedevour | ||
| 87% | ReversingLabs | Win32.Worm.Faedevour | ||
| 92% | ReversingLabs | Win32.Worm.Faedevour | ||
| 88% | ReversingLabs | Win32.Worm.Faedevour | ||
| 0% | ReversingLabs | |||
| 100% | ReversingLabs | Win32.Worm.Faedevour |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | unknown |
⊘No contacted IP infos
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1524536 |
| Start date and time: | 2024-10-02 23:23:48 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 6m 58s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 20 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | test.exe |
| Detection: | MAL |
| Classification: | mal100.evad.winEXE@35/29@0/0 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 20.72.235.82
- Excluded domains from analysis (whitelisted): redir.update.msft.com.trafficmanager.net, ocsp.digicert.com, slscr.update.microsoft.com, windowsupdate.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target test.exe, PID 2196 because there are no executed function
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size exceeded maximum capacity and may have missing disassembly code.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
- Report size getting too big, too many NtSetInformationFile calls found.
- VT rate limit hit for: test.exe
| Time | Type | Description |
|---|---|---|
| 17:24:49 | API Interceptor | |
| 22:24:50 | Autostart | |
| 22:25:11 | Autostart |
⊘No context
⊘No context
⊘No context
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\wtmps.exe | Get hash | malicious | Unknown | Browse | ||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse |
| Process: | C:\Windows\SysWOW64\mscaps.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 406 |
| Entropy (8bit): | 5.350477861599205 |
| Encrypted: | false |
| SSDEEP: | 6:oWAGVISs4KHunXwBFq7+fAmvIHcDNeEc7vyx07WmnN/9udXiIP+KHuH1jIy4EE+h:lDVE45nXwu74Awq7sfeuh+KOVjiEE+hn |
| MD5: | 37512BCC96B2C0C0CF0AD1ED8CFAE5CD |
| SHA1: | EDF7F17CE28E1C4C82207CAB8CA77F2056EA545C |
| SHA-256: | 27E678BF5DC82219D6EDD744F0B82567A26E40F8A9DCD6487205E13058E3ED1F |
| SHA-512: | 6D4252AB5AA441A76CE2127224FEFCB221259AB4D39F06437B269BD6BFDAAE009C8F34E9603EC734159553BC9F1359BDD70316CD426D73B171A9F17C41077641 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\explorer.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1797699 |
| Entropy (8bit): | 7.976046783043414 |
| Encrypted: | false |
| SSDEEP: | 24576:OXdVtTj2i64T+jdxQCfgOFD3WSwd2QtBBw6xxhVxQtmibjOhZaiRu/4oMaop0UNd:mbTChxKCnFnQXBbrtgb/iQvu0UHO9y |
| MD5: | 252EE18EB5E305056FDC9915B278656F |
| SHA1: | D4B1AC5389C7DE600CC7B63DF4F8DF545565A18A |
| SHA-256: | B74969A67DF1BA88F4D93AF98D65898EDD91539AD4C7A74CB1102CB0D6E1CAA5 |
| SHA-512: | 8772F4C8844B4D75280EB86F238AE3CA551CC5E67419077751E547654BB768D11B7BB2C04971AD0D6EE137761CB0F362BFDCE55870A946A54E8BC0DA5E388C93 |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 896 |
| Entropy (8bit): | 4.700288873450408 |
| Encrypted: | false |
| SSDEEP: | 24:keK+DeK+DeK+DeK+DeK+DeK+DeK+DeK+DeK+DeK+DeK+DeK+DeK+DeK+DeK+DeKD:d1q1q1q1q1q1q1q1q1q1q1q1q1q1q1qo |
| MD5: | BE49EE9D1B6DA594241CE3B7432C5D64 |
| SHA1: | D81E68B9BF84258AF2E6B5595C4F5C8D53B9C901 |
| SHA-256: | DB66D62796AE12BF459E514F27BB1A0D416D804365F44E8EC53DD760E3F7B8B8 |
| SHA-512: | 0C15D8D86E0DFCCBCECD50B3DD5906F8F5B7C52511128D01BE82B394CCB08ED85A486A101BBB5D992A688D1E62F21FDA712DAEF1BF3A5ECBA9AAD152E47562F5 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 620 |
| Entropy (8bit): | 4.7002729531161505 |
| Encrypted: | false |
| SSDEEP: | 12:kvmNKzuXDvmNKzuXDvmNKzuXDvmNKzuXDvmNKzuXDvmNKzuXDvmNKzuXDvmNKzum:keK+DeK+DeK+DeK+DeK+DeK+DeK+DeKT |
| MD5: | 1D713C403B1DA202F059FCA73E0E6C61 |
| SHA1: | BA91DFDC9786177C0F6CB0ED2F324FFB1DD1F050 |
| SHA-256: | FB2BF10E6A64C014A8DB3F0DEA7E1B795B36632E4EDC532A2422975802632B0A |
| SHA-512: | E88F3C0FA520EBC9B982B5404025E6484A9BED925D889915250797B1592CCD8B4218428BB8A0CAF0685BCCA5584E05151EC2F7FAF105347AFC94E1A955E4BC01 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1796415 |
| Entropy (8bit): | 4.70043971812567 |
| Encrypted: | false |
| SSDEEP: | 96:/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyp:F |
| MD5: | 6354B0F69E2257A69F01F15C2624B294 |
| SHA1: | B36C8CA0B00405373AAF1C65F61BE60BEF267225 |
| SHA-256: | A7651F484533E1C5B6D7235E0C129A450188341014D6FFCFFE8F7D633C0F4344 |
| SHA-512: | 961DC74DD338DC0499B37D3CF1908226BD1841B3E43558E70448083C8D3EC77BCB5682AE0B28659987AD9B915DD2200AC05F09A04E3CFE7B1E0137A61269A69F |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 907 |
| Entropy (8bit): | 7.774852528796053 |
| Encrypted: | false |
| SSDEEP: | 12:yVcca7jUJ6J4rDayFMdNWjx3V3aHn8aH4WjjKdP9e2J2i0odDwRlLiWicTvZNX+e:3U4JJogNWV3VKre9P2iP5ipZsG |
| MD5: | C833778DEC21525FD7622C02BD6CCCAF |
| SHA1: | 300C4611EE736FB33A82E5EDEB1BFF18B760235B |
| SHA-256: | 41ED4FD4CCB449E108E99E25F0E7BA192A3DA0FD5A82C32468DD04D99A22B857 |
| SHA-512: | 85C60D074E13E2ECCAA456AD5915FE5CC0264A6ED3DB9914AA73FF34A7307B5D7A1F1FD7879FFC7B9C276F7CD6AE89DBF3956D26A424ED9B3A9BAEB49B2AD807 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1053442 |
| Entropy (8bit): | 4.700439718141092 |
| Encrypted: | false |
| SSDEEP: | 96:/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyK:O |
| MD5: | DF2C63605573C2398D796370C11CB26C |
| SHA1: | EFBA97E2184BA3941EDB008FCC61D8873B2B1653 |
| SHA-256: | 07FFCDE2097D0AF67464907FEC6A4079B92DA11583013BAE7D3313FA32312FE8 |
| SHA-512: | D9726E33FCFA96415CC906BDB1B0E53EBA674EAF30ED77D41D245C1C59AA53E222246F691D82FA3A45F049FBF23D441768F9DA21370E489232770AD5AE91D32F |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 235266 |
| Entropy (8bit): | 4.70043971626439 |
| Encrypted: | false |
| SSDEEP: | 96:/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyq:u |
| MD5: | 6F90E1169D19DFDE14D6F753F06C862B |
| SHA1: | E9BCA93C68D7DF73D000F4A6E6EB73A343682AC5 |
| SHA-256: | 70A392389AECD0F58251E72C3FD7E9159F481061D14209FF8708A0FD9FF584DC |
| SHA-512: | F0C898222E9578C01EBE1BEFAC27A3FB68D8FB6E76C7D1DEC7A8572C1AA3201BACF1E69AA63859E95606790CF09962BCF7DC33B770A6846BED5BD7DED957B0B3 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 123650 |
| Entropy (8bit): | 4.700439712479302 |
| Encrypted: | false |
| SSDEEP: | 96:/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy:u |
| MD5: | F558C76B0376AF9273717FA24D99EBBF |
| SHA1: | F84BCECE5C6138B62EF94E9D668CF26178EE14CC |
| SHA-256: | 01631353726DC51BCEA311DBC012572CF96775E516B1C79A2DE572EF15954B7A |
| SHA-512: | 2092D1E126D0420FEC5FC0311D6B99762506563F4890E4049E48E2D87DDE5AC3E2E2ECC986AB305DE2C6CEB619F18879A69A815D3241CCF8140BC5EA00C6768D |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 129282 |
| Entropy (8bit): | 4.700439711235807 |
| Encrypted: | false |
| SSDEEP: | 96:/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyK:u |
| MD5: | 02AE22335713A8F6D6ADF80BF418202B |
| SHA1: | 4C40C11F43DF761B92A5745F85A799DB7B389215 |
| SHA-256: | AE5697F849FA48DB6D3D13455C224FCF6CEB0602A1E8AC443E211DD0F32D50F4 |
| SHA-512: | 727D16102BFC768535B52A37E4E7B5D894F5DAA268D220DF108382C36DCCE063AFDBC31FD495A7A61305263EC4CD7E92713D894FAA35B585C0B379217A1D929C |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 91394 |
| Entropy (8bit): | 4.700439710541972 |
| Encrypted: | false |
| SSDEEP: | 96:/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyS:O |
| MD5: | 09203A9741B91F3A9ED01C82DCB8778D |
| SHA1: | 13E6F3FB169CD6AA5E4D450417A7E15665A2E140 |
| SHA-256: | 63149AD45DB380F5DD15F65D9CEB2611D53A0A66E022483BEE4CE2FF7D2610E2 |
| SHA-512: | 9E9E6FE0DD713417D0E28BA787CF862D55ECDA9EE9F3DF1EADA144657F6A3B6ADA1984FD05A3FFFCD597A9715383225A8E40B6E5D0D8D39EC0D3A64B8DEA9846 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 102146 |
| Entropy (8bit): | 4.7004397081852405 |
| Encrypted: | false |
| SSDEEP: | 96:/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyq:u |
| MD5: | 9A27BFB55DD768AE81CA8716DB2DA343 |
| SHA1: | 55DA0F4282BD838F72F435A5D4D24AC15B04482B |
| SHA-256: | 5EC8093EF5939D1ABCE1C576097B584FB600B94AD767C1DA897F7CB7F0063D26 |
| SHA-512: | D9BB49D2F282ED09C351A1D8EB2540781E6A7FB39265473FD59D146BFC162F27A4AB1405301ED7395C12929A80551A399437D7D794D7AC48650E9037B60EB69C |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 176386 |
| Entropy (8bit): | 4.700439717028234 |
| Encrypted: | false |
| SSDEEP: | 96:/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyK:u |
| MD5: | 2634FA3A332C297711CB59D43F54FFCE |
| SHA1: | 8E2B68D0EE4E792EFB1945BA86ECEB87F07087D2 |
| SHA-256: | 27C945CCB84AA024F1F063701327E829A7EF3A7EDE4A43B2FEBBB1DDDBDF8740 |
| SHA-512: | 84E4799B9B18A7CC7BE685C793A9B4FB135EA331D1D235FE823E1D7091130F131AB2FBAD1DA4DEA795E82547AA16B00F4E2A9FAAA96CB522D795F9ABFDA2FC53 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 282624 |
| Entropy (8bit): | 4.700439717346398 |
| Encrypted: | false |
| SSDEEP: | 96:/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyX:T |
| MD5: | E07C6A9E595F045FADC463DFDA44AB16 |
| SHA1: | E6B199272ADE02613F2003C365A4CB1487431E23 |
| SHA-256: | D2FA6F9686386A92253A9C5EA25ACE702A111483540B60C1300789235CEA7FDC |
| SHA-512: | F3C630AE8381B99519AEEADBC2918810E7FB09A909F73EE6C46F4E9D3CF8C5051A5CF763DB6A775D6CD8713CCF95A63B18DF9ED756FA28276E8D7AB6A47F2CBF |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 282624 |
| Entropy (8bit): | 7.055084803288937 |
| Encrypted: | false |
| SSDEEP: | 6144:Xaz/zwzFEN3MmUGvSQagFwDeSv3BU9T4/XGOUYM/mVz:Iz8qamFVa1D69T4RMmVz |
| MD5: | 75C1467042B38332D1EA0298F29FB592 |
| SHA1: | F92EA770C2DDB04CF0D20914578E4C482328F0F8 |
| SHA-256: | 3B20C853D4CA23240CD338B8CAB16F1027C540DDFE9C4FFDCA1624D2F923B373 |
| SHA-512: | 5C47C59AD222E2597CCDF2C100853C48F022E933F44C279154346EACF9E7E6F54214ADA541D43A10424035F160B56131AAB206C11512A9FD6EA614FBD3160AA0 |
| Malicious: | true |
| Antivirus: |
|
| Joe Sandbox View: |
|
| Preview: |
| Process: | C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 102146 |
| Entropy (8bit): | 6.672724217779346 |
| Encrypted: | false |
| SSDEEP: | 1536:AfVMTLl0+j+R3S6CVaTqifclr7MB3tY0ZHp8FkK4+3IOqFnToIfwCBztSoRa6A:Fl67CVgBbNEfZqtTBfwCptSw/A |
| MD5: | F1C9F4A1F92588AEB82BE5D2D4C2C730 |
| SHA1: | 3DC5A017B15BA74FAE2342937380905BF7E8FBD5 |
| SHA-256: | D3A46F71AA7467920B16B64C9D17EAF6C4E147F41CD1390DCCFF01E4A81F8DFA |
| SHA-512: | 6171E740CE318D8FC35C92663684F2C35E7B5374C9A8CE6F4DC1C28C9AE62064F9CF44116266C650089BD5A3D328E87F9BDBD63AC1123E0A33CE52A1D21CFFAD |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 123650 |
| Entropy (8bit): | 6.665333125659156 |
| Encrypted: | false |
| SSDEEP: | 3072:PWFWnu/0NPlE+qoytTBf+28aVytl34iQA:PW8nlQ+RytTBV2J |
| MD5: | 1FCC5B3ED6BC76D70CFA49D051E0DFF6 |
| SHA1: | 3FFA43EFDC893A57DCAD3D45C9B14980DD52EB58 |
| SHA-256: | B0C0C49EED934E6D2ED990913D4C71108F6104352D23F72D3EF0A3EF4074D92E |
| SHA-512: | 8769438AACC26F0A720926F419A2564813DEE2F526B2DBB7A3F57D587DC385612BF5780F4E39CE2149DE5FB4C1AF839DCC099F3D77387989E16D2BC76C6DE929 |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 176386 |
| Entropy (8bit): | 7.467006043338271 |
| Encrypted: | false |
| SSDEEP: | 3072:ng2TyMj3tEcWMkc5tTBfZOVxtDH2g3zd3jceABCODJRCyA:n7xqcWxc5tTBsJWKFGUOfCl |
| MD5: | DAAC1781C9D22F5743ADE0CB41FEAEBF |
| SHA1: | E2549EEEEA42A6892B89D354498FCAA8FFD9CAC4 |
| SHA-256: | 6A7093440420306CF7DE53421A67AF8A1094771E0AAB9535ACBD748D08ED766C |
| SHA-512: | 190A7D5291E20002F996EDF1E04456BFDFF8B7B2F4EF113178BD42A9E5FD89FE6D410AE2C505DE0358C4F53F9654AC1CAAA8634665AFA6D9691640DD4EE86160 |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1053442 |
| Entropy (8bit): | 7.383233334811567 |
| Encrypted: | false |
| SSDEEP: | 24576:XitBcqPTSNCs8Fm6nQbkkcCZIkj3tTkgbGqt/dKcMM1Wy/:SIqriCsmm6nYqkjdTkgSqNdKcMs/ |
| MD5: | 2D9DF706D1857434FCAA014DF70D1C66 |
| SHA1: | 75A65DD394941CD78234EE100D68C8D2F53F77C6 |
| SHA-256: | 126593B3672E6985FE4E4903D656040E16A69264FAF91B1A416EF00565E17E7C |
| SHA-512: | BC476A3AAF54323F1E77BB5EFFC05C407A1034A42B495DA3A374F2253002BA948929EBAAAF52A5204095AA0D66C740F5A2828E2FD3C46749544580966024CACC |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1799318 |
| Entropy (8bit): | 7.975944248689045 |
| Encrypted: | false |
| SSDEEP: | 24576:OXdVtTj2i64T+jdxQCfgOFD3WSwd2QtBBw6xxhVxQtmibjOhZaiRu/4oMaop0UNN:mbTChxKCnFnQXBbrtgb/iQvu0UHO9I |
| MD5: | 7942494EAC73B2B3281E4A8E94C39376 |
| SHA1: | 88C3CD0A88E1C93CFFEEE72D372B1D79144F35AC |
| SHA-256: | B9818299D1719F7DE6F22CE1F67AE8D3CB5770C945DE5746AE502656FE112984 |
| SHA-512: | 8C22BD07628CFB865A72E44E2F271A1158BBBD250D9CD8356187648C08FD37974A0EAFF341D06ACBB4EECD217BC6B837489BFE4E3A0A301A183DC8FBBA5A36CD |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 91394 |
| Entropy (8bit): | 6.654533417168698 |
| Encrypted: | false |
| SSDEEP: | 1536:h5QmUNtCKcKcyR2zh5Te2D6grD5Z3MIOKFnToIf+VHutHaA:hItC42zhlGgrXCKtTBf+VOtHaA |
| MD5: | 6A9461F260EBB2556B8AE1D0BA93858A |
| SHA1: | 01E14B87B69DCE8272D84669F44F81D685DCF7C5 |
| SHA-256: | 0B059565160C180DF60470349770A6DD225981A8051639385BB49D33D2A73632 |
| SHA-512: | 263041E149A2E7CD95C16A614175179B5E1FEA8ECA137AAC02D903B45F107AD1C9467A3E790408CACA7250B0CB83DA77AA73887239F25B7B93B221CFFC02772B |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 129282 |
| Entropy (8bit): | 6.621412156936795 |
| Encrypted: | false |
| SSDEEP: | 3072:h3Qj8Ajn/VzK9fmfiCunng05hlOytTBfitzImtw+FU16DA:h3Qjtz/qf1Cung05hlOytTBN+Fqb |
| MD5: | D0C9ADA173DA923EFABB53D5A9B28D54 |
| SHA1: | 0CEFE568D2A06BD44FE9DFAB65B1E27BD34DEF11 |
| SHA-256: | AD01AB517CF1C9F5D30B3EA749C91C5C8FC613E771D25287483023D2066E1523 |
| SHA-512: | 6919CA6D0EB94402B470EF131362AA1FD35BE994161B857FABF4A7ACA7710A757BF490AD6E2F8B5618B53E9BF3390638A9340642035E6A71EA4EEDC94E403E27 |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 235266 |
| Entropy (8bit): | 6.653536540157241 |
| Encrypted: | false |
| SSDEEP: | 6144:/fbIMsWVgui7vKbeDb2J1dZSbgOtTBpkFqAcURC:X3xu7vKiDb2nnegOtTnkFDC |
| MD5: | FFFA05401511AD2A89283C52D0C86472 |
| SHA1: | 99A9FBCAC39B9522D1D628620B69C4CD7CC110F1 |
| SHA-256: | 41A712FD2111C5DDEC6FE58A29C80F19923CC72E88B4508D5A3DAEB236DDF1B8 |
| SHA-512: | 468B9B50B342D0DEBBF81E37983C600E171BD35AB38680F495A8F52D8476735876E2329228D009F2631356E99770371740F97D77235383DB3E00F7ECD12DB6B3 |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 129 |
| Entropy (8bit): | 4.660429712853706 |
| Encrypted: | false |
| SSDEEP: | 3:I5Pt+kiEaKC5Sufoms+L4AHSvKZOt+kiEaKC595Ytzvn:INwknaZ5SuMcyvKowknaZ5bsDn |
| MD5: | 5838B249DFFF3C4BCF6094F52325FB83 |
| SHA1: | 7FB503ACAC1BF4BD0AFCDB4ED0A432CD9314422B |
| SHA-256: | ECED495D7F070597196A9C2C800EC4B3A0901F2E40F919A230460DB54C79A352 |
| SHA-512: | D65D77AD5BF90DD7C32E0CC1E2E8DD711D682FBB46E3411034E6534EE884DDC6017CDDC846B31B89A2DA2CE7E4A216B6B96BA06E6C1C5EF74B751937AD2D5A54 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 126 |
| Entropy (8bit): | 4.8419035287667 |
| Encrypted: | false |
| SSDEEP: | 3:I5Pt+kiEaKC5SufhADu25U4AHwMF3vBkZOt+kiEaKC595YGjn:INwknaZ5SuJmv5U49wBkowknaZ5bJjn |
| MD5: | 5EAC731C619F72CF9DF1C72A2D734BE7 |
| SHA1: | DBD3300B67E578DF5CE04B6A125478BB9718D252 |
| SHA-256: | 03E35825C4136DCCCF6E8BE6A919686A435736872DE16229304150EB47C25796 |
| SHA-512: | 371A96D779D79756DA96C31888C5CE467D906B6ABE37824B8D714539AEF96487D31B57AA1FF46F3EF37B26374097F17FADC715506E35A9DF0D556EEA948CA4D0 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 102 |
| Entropy (8bit): | 4.594912323903514 |
| Encrypted: | false |
| SSDEEP: | 3:I5Pt+kiE2J5xAI8JlovKZOt+kiEaKC595YM+vn:INwkn23f8JyvKowknaZ5bEn |
| MD5: | 777A79CAA1236D029E5BB4C6577A1373 |
| SHA1: | 181B61AB20B758E96304781BB503753948054499 |
| SHA-256: | 575C47B3B66AA387BCBF9526B701F9455249EA114CD7C6574128EC5AAD2C30B6 |
| SHA-512: | 36FFE4EFB594DD2A518405E82A0CA39F901AB2FD81B5A2E7C99218DAB5A02C0157017072A1CB66351583573CC76AFB0126FB0151DF09F7EA6D9B95465622DD65 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 397728 |
| Entropy (8bit): | 4.700439717593888 |
| Encrypted: | false |
| SSDEEP: | 96:/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyz:/ |
| MD5: | E1E47695A0B98432911311352B63EAED |
| SHA1: | 836142E550301E0FC13C1A047AAE5A2F4481D7CD |
| SHA-256: | C67ED34D9254B31E611EE830125C3F2572A1E686F82DEB69E1580FB9A4614CD0 |
| SHA-512: | DA49234EE2E1D8F9956BA59D4A49FE04D3AB154F5DD60CF7A6C72E9D42DEFE8A4B0AEB38845444FE3A8D9C80976467D2101F7C992A48F98F6A9317D0E61CA961 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\explorer.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 809472 |
| Entropy (8bit): | 6.4977514182547225 |
| Encrypted: | false |
| SSDEEP: | 12288:8OorOSUTlyRQJok8n3edtG6bV2MEJi099ifVpiLngVqzw8s/KdWGd7rSfjLtVpRT:0OJTI+JL8n3YG6bVDZNUzY55Z |
| MD5: | AA2C0EDAD4DE949A1347F8C6A346AAAB |
| SHA1: | 81D420887F3D87EAD91CA7A4BAFE827D9409BFD9 |
| SHA-256: | 5B516BF84FA5FD2E4159EDCF70916AD775E71257790FF70B2D39A487D0F9DCA1 |
| SHA-512: | 351BF8D28D8EA78FA34A9F3BE413F21458336AB4BDE2BE3DFB3744575B61DDC70C30162FBDD892E864730D9FAC76A06BD923A58250356000AEDC8FF4979035EE |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\wtmps.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 204800 |
| Entropy (8bit): | 7.357970003886077 |
| Encrypted: | false |
| SSDEEP: | 3072:34LGpbMkFAIk2GOytDDE1wYa+6NjQYryupFsjzuoAxWhZWkZu4pUBRrwCP8T:FbnDk2HcMZYQYcSovhc7AAcCPe |
| MD5: | 78D3C8705F8BAF7D34E6A6737D1CFA18 |
| SHA1: | 9F09E248A29311DBEEFAE9D85937B13DA042A010 |
| SHA-256: | 2C4C9EC8E9291BA5C73F641AF2E0C3E1BBD257AC40D9FB9D3FAAB7CEBC978905 |
| SHA-512: | 9A3C3175276DA58F1BC8D1138E63238C8D8CCFBFA1A8A1338E88525ECA47F8D745158BB34396B7C3F25E4296BE5F45A71781DA33AD0BBDF7AD88A9C305B85609 |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
| File type: | |
| Entropy (8bit): | 7.703447785090587 |
| TrID: |
|
| File name: | test.exe |
| File size: | 2'614'323 bytes |
| MD5: | 2a98009ebc2e830e2e2de723312ee8a6 |
| SHA1: | 4d767fa5085f36a9d6c8a70de8106b5e4a6a6802 |
| SHA256: | 0f28c564a6268c2f3203bf3d594cb519dde447032911eebf3b430e925a94915a |
| SHA512: | af07aeb62940d7fd562b759f2ca09a42a0955fc880793f2d153fc5bbfa529507dcfe4682ecbfef8cea1aa4c1a83c2b9d3641501c41626925e22abeeb76d3b7c5 |
| SSDEEP: | 49152:5OJTDJA3+OW5ZOxbTChxKCnFnQXBbrtgb/iQvu0UHO9z:5OJvJAux5ZOx6hxvWbrtUTrUHO9z |
| TLSH: | 74C5D119FA01D474EF1B85B203C6EE7A56362D304A17CC47F9902E2855B3EB779E1B22 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........[....................J.......................................Rich............PE..L...c{TO................................... |
 | |
| Icon Hash: | 89a4b2e5e5cc9cd5 |
| Entrypoint: | 0x40167f |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
| DLL Characteristics: | |
| Time Stamp: | 0x4F547B63 [Mon Mar 5 08:37:55 2012 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 730073214094cd328547bf1f72289752 |
| Instruction |
|---|
| push ebp |
| mov ebp, esp |
| push FFFFFFFFh |
| push 004020F8h |
| push 00401830h |
| mov eax, dword ptr fs:[00000000h] |
| push eax |
| mov dword ptr fs:[00000000h], esp |
| sub esp, 68h |
| push ebx |
| push esi |
| push edi |
| mov dword ptr [ebp-18h], esp |
| xor ebx, ebx |
| mov dword ptr [ebp-04h], ebx |
| push 00000002h |
| pop edi |
| push edi |
| call dword ptr [004020D4h] |
| pop ecx |
| or dword ptr [00403090h], FFFFFFFFh |
| or dword ptr [00403094h], FFFFFFFFh |
| call dword ptr [004020D0h] |
| mov ecx, dword ptr [0040308Ch] |
| mov dword ptr [eax], ecx |
| call dword ptr [004020CCh] |
| mov ecx, dword ptr [00403088h] |
| mov dword ptr [eax], ecx |
| mov eax, dword ptr [004020C8h] |
| mov eax, dword ptr [eax] |
| mov dword ptr [00403098h], eax |
| call 00007F97A0B143AAh |
| cmp dword ptr [00403070h], ebx |
| jne 00007F97A0B1427Eh |
| push 00401822h |
| call dword ptr [004020C4h] |
| pop ecx |
| call 00007F97A0B1437Ch |
| push 0040300Ch |
| push 00403008h |
| call 00007F97A0B14367h |
| mov eax, dword ptr [00403084h] |
| mov dword ptr [ebp-6Ch], eax |
| lea eax, dword ptr [ebp-6Ch] |
| push eax |
| push dword ptr [00403080h] |
| lea eax, dword ptr [ebp-64h] |
| push eax |
| lea eax, dword ptr [ebp-70h] |
| push eax |
| lea eax, dword ptr [ebp-60h] |
| push eax |
| call dword ptr [004020BCh] |
| push 00403004h |
| push 00403000h |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2104 | 0x64 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xbe000 | 0xe0f4 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0xf4 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x83c | 0xa00 | 6dbb11cce72cc16b887018dd4c34d252 | False | 0.569921875 | data | 5.438914555753771 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x2000 | 0x5c6 | 0x600 | 838666d924e8b6e9dfc84f930bd16733 | False | 0.515625 | data | 4.859194046971246 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x3000 | 0xbb000 | 0x200 | 7d6dcdf3bcb22dca4957ddb77c1c8cbf | False | 0.130859375 | Matlab v4 mat-file (little endian) e, numeric, rows 0, columns 0 | 0.545273764156015 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xbe000 | 0xe0f4 | 0xe200 | e7c931bab9c2d389ac0ab577dc48d249 | False | 0.44571003871681414 | data | 5.885941048379587 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xbe21c | 0x4627 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9883623809788964 |
| RT_ICON | 0xc2844 | 0x3a48 | Device independent bitmap graphic, 60 x 120 x 32, image size 0 | English | United States | 0.17868632707774798 |
| RT_ICON | 0xc628c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.204149377593361 |
| RT_ICON | 0xc8834 | 0x1a68 | Device independent bitmap graphic, 40 x 80 x 32, image size 0 | English | United States | 0.21893491124260356 |
| RT_ICON | 0xca29c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.2450750469043152 |
| RT_ICON | 0xcb344 | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 0 | English | United States | 0.23662790697674418 |
| RT_ICON | 0xcb9fc | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.30230496453900707 |
| RT_GROUP_ICON | 0xcbe64 | 0x68 | data | English | United States | 0.7596153846153846 |
| RT_VERSION | 0xcbecc | 0x228 | data | English | United States | 0.4963768115942029 |
| DLL | Import |
|---|---|
| KERNEL32.dll | ResumeThread, WriteProcessMemory, VirtualProtectEx, GetModuleFileNameW, DuplicateHandle, GetCurrentProcess, SetFileTime, CopyFileW, GetDriveTypeW, GetFileTime, CreateFileW, SetErrorMode, GetTempFileNameW, GetTempPathW, ExitProcess, Sleep, DeleteFileW, CloseHandle, WaitForSingleObject, CreateProcessW, ReadProcessMemory, GetThreadSelectorEntry, GetThreadContext, GetLastError, lstrlenW, GetModuleHandleW, GetStartupInfoW |
| USER32.dll | MessageBoxA |
| SHELL32.dll | ShellExecuteW |
| MSVCRT.dll | memset, wcscpy, free, _fileno, _chsize, wcsrchr, wcscat, malloc, fclose, fread, fwrite, fseek, _wfopen, sprintf, fflush, _exit, _XcptFilter, exit, _wcmdln, __wgetmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _except_handler3, _controlfp |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 2, 2024 23:25:02.103918076 CEST | 53 | 62427 | 1.1.1.1 | 192.168.2.4 |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 17:24:42 |
| Start date: | 02/10/2024 |
| Path: | C:\Users\user\Desktop\test.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 2'614'323 bytes |
| MD5 hash: | 2A98009EBC2E830E2E2DE723312EE8A6 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Antivirus matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 17:24:42 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\explorer.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x40000 |
| File size: | 4'514'184 bytes |
| MD5 hash: | DD6597597673F72E10C9DE7901FBA0A8 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 17:24:42 |
| Start date: | 02/10/2024 |
| Path: | C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 1'797'699 bytes |
| MD5 hash: | 252EE18EB5E305056FDC9915B278656F |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Antivirus matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 17:24:42 |
| Start date: | 02/10/2024 |
| Path: | C:\Users\user\Desktop\test.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 809'472 bytes |
| MD5 hash: | AA2C0EDAD4DE949A1347F8C6A346AAAB |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | false |
| Target ID: | 4 |
| Start time: | 17:24:45 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x240000 |
| File size: | 236'544 bytes |
| MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 5 |
| Start time: | 17:24:45 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7699e0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 6 |
| Start time: | 17:24:45 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x240000 |
| File size: | 236'544 bytes |
| MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 7 |
| Start time: | 17:24:45 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7699e0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 8 |
| Start time: | 17:24:45 |
| Start date: | 02/10/2024 |
| Path: | C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 1'799'318 bytes |
| MD5 hash: | 7942494EAC73B2B3281E4A8E94C39376 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Antivirus matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 9 |
| Start time: | 17:24:49 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x240000 |
| File size: | 236'544 bytes |
| MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 10 |
| Start time: | 17:24:49 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7699e0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 11 |
| Start time: | 17:24:49 |
| Start date: | 02/10/2024 |
| Path: | C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 176'386 bytes |
| MD5 hash: | DAAC1781C9D22F5743ADE0CB41FEAEBF |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Antivirus matches: |
|
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 12 |
| Start time: | 17:24:52 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x240000 |
| File size: | 236'544 bytes |
| MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 13 |
| Start time: | 17:24:52 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7699e0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 14 |
| Start time: | 17:24:52 |
| Start date: | 02/10/2024 |
| Path: | C:\Users\user\AppData\Local\Temp\wtmps.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 282'624 bytes |
| MD5 hash: | 75C1467042B38332D1EA0298F29FB592 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Antivirus matches: |
|
| Has exited: | true |
| Target ID: | 15 |
| Start time: | 17:24:53 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\mscaps.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 204'800 bytes |
| MD5 hash: | 78D3C8705F8BAF7D34E6A6737D1CFA18 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Antivirus matches: |
|
| Has exited: | true |
Execution Graph
| Execution Coverage: | 93.8% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 36 |
| Total number of Limit Nodes: | 7 |
Graph
Callgraph
Function 00401000 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 203injectionprocessthreadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040167F Relevance: 16.6, APIs: 11, Instructions: 123COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004014EB Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 56stringprocessCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401346 Relevance: 9.1, APIs: 6, Instructions: 69threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004015E1 Relevance: 6.0, APIs: 4, Instructions: 41COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401588 Relevance: 6.0, APIs: 4, Instructions: 39COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401435 Relevance: 4.6, APIs: 3, Instructions: 60COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 12.8% |
| Dynamic/Decrypted Code Coverage: | 30.5% |
| Signature Coverage: | 4.8% |
| Total number of Nodes: | 2000 |
| Total number of Limit Nodes: | 217 |
Graph
Function 0040318C Relevance: 94.8, APIs: 8, Strings: 46, Instructions: 297libraryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402056 Relevance: 65.5, APIs: 18, Strings: 19, Instructions: 734libraryloadernetworkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404732 Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 119memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401466 Relevance: 3.0, APIs: 2, Instructions: 17fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402A96 Relevance: 33.7, APIs: 14, Strings: 5, Instructions: 461sleepCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 1000B74E Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 241fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 1000C389 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 241fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401EE0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 143threadsynchronizationCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100025B9 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 109libraryfileloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403068 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59stringprocessCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00414B9F Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 241fileCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004124D6 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 170fileCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00410A31 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 135fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004057F3 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 298fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10009C7D Relevance: 6.2, APIs: 4, Instructions: 170fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100096E4 Relevance: 6.1, APIs: 4, Instructions: 135fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 1000A4F3 Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00410188 Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040F8F2 Relevance: 4.6, APIs: 3, Instructions: 51COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10002761 Relevance: 3.1, APIs: 2, Instructions: 75networkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404902 Relevance: 3.1, APIs: 2, Instructions: 68memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10009959 Relevance: 3.0, APIs: 2, Instructions: 41COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00412322 Relevance: 3.0, APIs: 2, Instructions: 41COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10009442 Relevance: 3.0, APIs: 2, Instructions: 20memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040FAAF Relevance: 3.0, APIs: 2, Instructions: 20memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401EBE Relevance: 3.0, APIs: 2, Instructions: 12threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404855 Relevance: 2.6, APIs: 2, Instructions: 68memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10007C91 Relevance: 2.6, APIs: 2, Instructions: 52COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004107E7 Relevance: 2.6, APIs: 2, Instructions: 52COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10002541 Relevance: 1.5, APIs: 1, Instructions: 36COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 1000666B Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D277 Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D2C5 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10002A88 Relevance: 1.5, APIs: 1, Instructions: 14COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401DF4 Relevance: 1.3, APIs: 1, Instructions: 80COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 1000B20A Relevance: 1.3, APIs: 1, Instructions: 56memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004136B5 Relevance: 1.3, APIs: 1, Instructions: 56memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004159BF Relevance: 26.7, Strings: 21, Instructions: 417COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00412794 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 207timeCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401CB0 Relevance: 6.1, APIs: 4, Instructions: 107COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406550 Relevance: 1.9, Strings: 1, Instructions: 695COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040A3BD Relevance: 1.6, Strings: 1, Instructions: 362COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004035D5 Relevance: 1.6, Strings: 1, Instructions: 334COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040A8DB Relevance: 1.5, Strings: 1, Instructions: 278COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B8D2 Relevance: 1.5, APIs: 1, Instructions: 19timeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 1000BA64 Relevance: 1.5, APIs: 1, Instructions: 4COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00411746 Relevance: 1.5, APIs: 1, Instructions: 4COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 1000BA76 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00411758 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404069 Relevance: 1.5, Strings: 1, Instructions: 214COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004042F0 Relevance: 1.5, Strings: 1, Instructions: 214COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040866E Relevance: .9, Instructions: 916COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00407E7F Relevance: .6, Instructions: 604COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004039DA Relevance: .3, Instructions: 272COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403D17 Relevance: .3, Instructions: 271COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 1000A69F Relevance: .3, Instructions: 259COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00410334 Relevance: .3, Instructions: 259COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040AECE Relevance: .2, Instructions: 187COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B965 Relevance: .2, Instructions: 185COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10001421 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 252libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100018DA Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 216libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 1000C300 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00414F31 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 1000CF55 Relevance: 13.7, APIs: 9, Instructions: 177COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00411C02 Relevance: 13.6, APIs: 9, Instructions: 147COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 1000952C Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100fileCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004120E5 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100fileCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10001211 Relevance: 12.2, APIs: 8, Instructions: 214libraryloadersynchronizationCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 1000AD2E Relevance: 12.2, APIs: 8, Instructions: 170COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10009310 Relevance: 12.1, APIs: 8, Instructions: 132COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401A36 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 194libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 1000C788 Relevance: 9.1, APIs: 6, Instructions: 143COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 1000C94D Relevance: 9.1, APIs: 6, Instructions: 117COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00411D6F Relevance: 9.1, APIs: 6, Instructions: 65COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00413487 Relevance: 7.7, APIs: 5, Instructions: 154COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 1000947E Relevance: 7.5, APIs: 5, Instructions: 38memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100089A1 Relevance: 7.5, APIs: 5, Instructions: 38threadCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040E8E3 Relevance: 7.5, APIs: 5, Instructions: 38threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100070BC Relevance: 7.5, APIs: 5, Instructions: 34COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040F340 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040BB38 Relevance: 6.2, APIs: 4, Instructions: 206COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00416A7B Relevance: 6.1, APIs: 4, Instructions: 67COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404BBF Relevance: 6.1, APIs: 4, Instructions: 51memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004163F1 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00412A78 Relevance: 5.1, APIs: 4, Instructions: 95COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10007093 Relevance: 5.0, APIs: 4, Instructions: 12COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040F78F Relevance: 5.0, APIs: 4, Instructions: 12COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043B9C0 Relevance: 30.0, APIs: 13, Strings: 4, Instructions: 228memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00451880 Relevance: 7.5, APIs: 5, Instructions: 37COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00433360 Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 456windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042F9B0 Relevance: 65.1, APIs: 29, Strings: 8, Instructions: 322windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040E600 Relevance: 54.7, APIs: 29, Strings: 2, Instructions: 476windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042E580 Relevance: 50.0, APIs: 33, Instructions: 458COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00442D50 Relevance: 45.2, APIs: 30, Instructions: 226COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041E6F0 Relevance: 37.2, APIs: 18, Strings: 3, Instructions: 429timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00421370 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 174windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044A1C0 Relevance: 29.9, APIs: 13, Strings: 4, Instructions: 124windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004410D0 Relevance: 27.3, APIs: 18, Instructions: 259COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040E130 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 290windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00409500 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 192windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040E5F9 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 165windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004094ED Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 160windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D150 Relevance: 25.9, APIs: 17, Instructions: 383COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00438D30 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 69timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00408468 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 207windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00448A40 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 82windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00437510 Relevance: 21.4, APIs: 14, Instructions: 433COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042F500 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 179windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044D400 Relevance: 19.6, APIs: 13, Instructions: 132COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041C690 Relevance: 18.4, APIs: 12, Instructions: 377COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00474170 Relevance: 18.2, APIs: 12, Instructions: 217COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00432280 Relevance: 18.1, APIs: 12, Instructions: 102COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043EA90 Relevance: 16.8, APIs: 11, Instructions: 337COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004310F0 Relevance: 16.8, APIs: 11, Instructions: 252COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004072C9 Relevance: 16.7, APIs: 11, Instructions: 195COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00440170 Relevance: 16.6, APIs: 11, Instructions: 132COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043D8F0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 141windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401500 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 49libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044E6E0 Relevance: 15.1, APIs: 10, Instructions: 118COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00440A30 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 156windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044B2C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 127timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042F7C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 112windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044DB00 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 73timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00432180 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 65windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040C870 Relevance: 13.6, APIs: 9, Instructions: 142COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406050 Relevance: 13.6, APIs: 9, Instructions: 123COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041C1B9 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 106timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00446080 Relevance: 12.2, APIs: 8, Instructions: 189COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004214AC Relevance: 12.1, APIs: 8, Instructions: 67COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00443270 Relevance: 12.1, APIs: 8, Instructions: 53COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004033F0 Relevance: 12.0, APIs: 8, Instructions: 46COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004737C0 Relevance: 10.8, APIs: 7, Instructions: 287COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00440DB0 Relevance: 10.7, APIs: 7, Instructions: 169COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004414D0 Relevance: 10.6, APIs: 7, Instructions: 139COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404480 Relevance: 10.6, APIs: 7, Instructions: 118COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041CCB0 Relevance: 10.6, APIs: 7, Instructions: 112COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041CCA9 Relevance: 10.6, APIs: 7, Instructions: 105COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404472 Relevance: 10.6, APIs: 7, Instructions: 88COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405E70 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 58windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044D8C0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51timeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044A550 Relevance: 9.2, APIs: 6, Instructions: 220COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00449A80 Relevance: 9.1, APIs: 6, Instructions: 140COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004201BC Relevance: 9.1, APIs: 6, Instructions: 127COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004744D0 Relevance: 9.1, APIs: 6, Instructions: 124memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040F25C Relevance: 9.1, APIs: 6, Instructions: 121COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040F26C Relevance: 9.1, APIs: 6, Instructions: 118windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040A830 Relevance: 9.1, APIs: 6, Instructions: 99COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B980 Relevance: 9.1, APIs: 6, Instructions: 96COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00440060 Relevance: 9.1, APIs: 6, Instructions: 94COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004510C0 Relevance: 9.1, APIs: 6, Instructions: 84COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040A829 Relevance: 9.1, APIs: 6, Instructions: 73COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403CE0 Relevance: 9.0, APIs: 6, Instructions: 43COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040F88B Relevance: 9.0, APIs: 6, Instructions: 42COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040F8DF Relevance: 9.0, APIs: 6, Instructions: 39COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041FBD3 Relevance: 9.0, APIs: 6, Instructions: 17COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004015AC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004015B0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004707E0 Relevance: 7.7, APIs: 5, Instructions: 163COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040EAC9 Relevance: 7.6, APIs: 5, Instructions: 140COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004062F0 Relevance: 7.6, APIs: 5, Instructions: 126COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040C3F0 Relevance: 7.6, APIs: 5, Instructions: 123COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040C630 Relevance: 7.6, APIs: 5, Instructions: 123COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D2FC Relevance: 7.6, APIs: 5, Instructions: 121COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040EC9C Relevance: 7.6, APIs: 5, Instructions: 116COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004416D0 Relevance: 7.6, APIs: 5, Instructions: 113COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403280 Relevance: 7.6, APIs: 5, Instructions: 108COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D347 Relevance: 7.6, APIs: 5, Instructions: 95COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405449 Relevance: 7.6, APIs: 5, Instructions: 54COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041EA59 Relevance: 7.6, APIs: 5, Instructions: 54COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044E4D0 Relevance: 7.6, APIs: 5, Instructions: 51COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B6F5 Relevance: 7.6, APIs: 5, Instructions: 51COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00472D60 Relevance: 7.6, APIs: 5, Instructions: 51stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00447CF0 Relevance: 7.6, APIs: 5, Instructions: 50COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040F8E1 Relevance: 7.5, APIs: 5, Instructions: 35COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040F8E5 Relevance: 7.5, APIs: 5, Instructions: 33COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403D2C Relevance: 7.5, APIs: 5, Instructions: 31COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040F8EB Relevance: 7.5, APIs: 5, Instructions: 30COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040F8EF Relevance: 7.5, APIs: 5, Instructions: 27COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041E604 Relevance: 7.5, APIs: 5, Instructions: 22COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041E617 Relevance: 7.5, APIs: 5, Instructions: 21COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041E5BD Relevance: 7.5, APIs: 5, Instructions: 20COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040ED2D Relevance: 7.5, APIs: 5, Instructions: 19COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041E61B Relevance: 7.5, APIs: 5, Instructions: 18COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403C9E Relevance: 7.5, APIs: 5, Instructions: 17COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041E6E9 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 175timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004091C0 Relevance: 6.2, APIs: 4, Instructions: 239COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00473460 Relevance: 6.2, APIs: 4, Instructions: 210memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004466B0 Relevance: 6.2, APIs: 4, Instructions: 169COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041BDCC Relevance: 6.1, APIs: 4, Instructions: 145COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00431BD0 Relevance: 6.1, APIs: 4, Instructions: 94COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004062DC Relevance: 6.1, APIs: 4, Instructions: 75COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004722C0 Relevance: 6.1, APIs: 4, Instructions: 73COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00472860 Relevance: 6.1, APIs: 4, Instructions: 73COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004718D0 Relevance: 6.1, APIs: 4, Instructions: 73COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004729F0 Relevance: 6.1, APIs: 4, Instructions: 73COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00471AE0 Relevance: 6.1, APIs: 4, Instructions: 73COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00471CF0 Relevance: 6.1, APIs: 4, Instructions: 73COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00445420 Relevance: 6.1, APIs: 4, Instructions: 69COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004064A0 Relevance: 6.1, APIs: 4, Instructions: 67COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041D4AC Relevance: 6.1, APIs: 4, Instructions: 57COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043DB40 Relevance: 6.1, APIs: 4, Instructions: 57COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00433CC0 Relevance: 6.1, APIs: 4, Instructions: 56COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004087CC Relevance: 6.1, APIs: 4, Instructions: 53COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044E570 Relevance: 6.0, APIs: 4, Instructions: 46COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041CE50 Relevance: 6.0, APIs: 4, Instructions: 44windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042159C Relevance: 6.0, APIs: 4, Instructions: 40COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041A459 Relevance: 6.0, APIs: 4, Instructions: 36COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405D70 Relevance: 6.0, APIs: 4, Instructions: 34COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004020DC Relevance: 6.0, APIs: 4, Instructions: 32COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00408E10 Relevance: 6.0, APIs: 4, Instructions: 30COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004026AF Relevance: 6.0, APIs: 4, Instructions: 25COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040F8F3 Relevance: 6.0, APIs: 4, Instructions: 25COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040F8FD Relevance: 6.0, APIs: 4, Instructions: 23COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041CC6A Relevance: 6.0, APIs: 4, Instructions: 23COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004025D4 Relevance: 6.0, APIs: 4, Instructions: 22COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040852E Relevance: 6.0, APIs: 4, Instructions: 20COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00409835 Relevance: 6.0, APIs: 4, Instructions: 19COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041D31F Relevance: 6.0, APIs: 4, Instructions: 18COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00419642 Relevance: 6.0, APIs: 4, Instructions: 17COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040ED4D Relevance: 6.0, APIs: 4, Instructions: 17COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00451A20 Relevance: 5.0, APIs: 4, Instructions: 48COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00451910 Relevance: 5.0, APIs: 4, Instructions: 39COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|