Windows
Analysis Report
upd_1916298.exe
Overview
General Information
Detection
Score: | 88 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- upd_1916298.exe (PID: 4508 cmdline: "C:\Users\user\Desktop\upd_1916298.exe" MD5: ABDCC4A6D9EBCDB3F832DE479BEC51E0)
- cmd.exe (PID: 6660 cmdline: "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\ffdbfkc\chbdcee MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 3424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- WMIC.exe (PID: 6172 cmdline: wmic ComputerSystem get domain MD5: E2DE6500DE1148C7F6027AD50AC8B891)
- cleanup
{"C2 url": "91.222.173.80", "check_ram": false, "crypter_rawstub": "DarkGate", "crypter_dll": "R0ijS0qCVITtS0e6xeZ", "crypter_au3": 6, "flag_14": true, "crypto_key": 80, "startup_persistence": false, "flag_32": false, "anti_vm": true, "min_disk": false, "flag_18": 100, "anti_analysis": true, "min_ram": false, "flag_19": 4096, "check_disk": false, "flag_21": true, "flag_23": false, "flag_31": false, "flag_24": "new10oct", "flag_25": "x88y8y", "flag_26": false, "flag_27": "voULmQMO", "flag_28": false, "flag_29": 2, "flag_35": false}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_DarkGate | Yara detected DarkGate | Joe Security | |
| JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
| JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
| JoeSecurity_DarkGate | Yara detected DarkGate | Joe Security | |
| JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
| JoeSecurity_DarkGate | Yara detected DarkGate | Joe Security | |
| JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
| JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
| JoeSecurity_DarkGate | Yara detected DarkGate | Joe Security | |
AV Detection |
---|
Source: | Malware Configuration Extractor: |
Source: | Integrated Neural Analysis Model: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | 0_2_043588D0 | |
Source: | Code function: | 0_2_043589D8 | |
Source: | Code function: | 0_2_04398A34 | |
Source: | Code function: | 0_2_04372B90 | |
Source: | Code function: | 0_2_043795A4 | |
Source: | Code function: | 0_2_043A12AC | |
Source: | Code function: | 0_2_0439FDC0 | |
Source: | Code function: | 0_2_04355934 |
Networking |
---|
Source: | IPs: |
Source: | ASN Name: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Code function: | 0_2_0436BE20 |
Source: | Code function: | 0_2_04380380 |
Source: | Code function: | 0_2_04371458 |
Source: | Code function: | 0_2_043792B0 |
Source: | Code function: | 0_2_00401093 | |
Source: | Code function: | 0_2_04370694 | |
Source: | Code function: | 0_2_04370374 | |
Source: | Code function: | 0_2_04399C28 | |
Source: | Code function: | 0_2_04399C5C | |
Source: | Code function: | 0_2_04399CB4 | |
Source: | Code function: | 0_2_04399D04 | |
Source: | Code function: | 0_2_04399FA8 |
Source: | Code function: | 0_2_0044F050 | |
Source: | Code function: | 0_2_00409000 | |
Source: | Code function: | 0_2_004470D0 | |
Source: | Code function: | 0_2_0041E0E0 | |
Source: | Code function: | 0_2_004290A0 | |
Source: | Code function: | 0_2_004340A0 | |
Source: | Code function: | 0_2_00425120 | |
Source: | Code function: | 0_2_00423250 | |
Source: | Code function: | 0_2_004102E0 | |
Source: | Code function: | 0_2_0040F300 | |
Source: | Code function: | 0_2_00417330 | |
Source: | Code function: | 0_2_004A23F0 | |
Source: | Code function: | 0_2_004373A5 | |
Source: | Code function: | 0_2_00441460 | |
Source: | Code function: | 0_2_00421430 | |
Source: | Code function: | 0_2_0041E600 | |
Source: | Code function: | 0_2_00430620 | |
Source: | Code function: | 0_2_00427720 | |
Source: | Code function: | 0_2_00482720 | |
Source: | Code function: | 0_2_0044F840 | |
Source: | Code function: | 0_2_0041F800 | |
Source: | Code function: | 0_2_0042E880 | |
Source: | Code function: | 0_2_0040E890 | |
Source: | Code function: | 0_2_00408930 | |
Source: | Code function: | 0_2_00403980 | |
Source: | Code function: | 0_2_00428A80 | |
Source: | Code function: | 0_2_00422A90 | |
Source: | Code function: | 0_2_0040BBE0 | |
Source: | Code function: | 0_2_00409CF0 | |
Source: | Code function: | 0_2_0041BD40 | |
Source: | Code function: | 0_2_00414D50 | |
Source: | Code function: | 0_2_00426D00 | |
Source: | Code function: | 0_2_00429D30 | |
Source: | Code function: | 0_2_004A0D30 | |
Source: | Code function: | 0_2_00401DF0 | |
Source: | Code function: | 0_2_00421F80 | |
Source: | Code function: | 0_2_00467FB0 | |
Source: | Code function: | 0_2_0438443C | |
Source: | Code function: | 0_2_043909F4 | |
Source: | Code function: | 0_2_0438F40C | |
Source: | Code function: | 0_2_0436FB8C |
Source: | Static PE information: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Code function: | 0_2_0437D924 |
Source: | Code function: | 0_2_04358C34 |
Source: | Code function: | 0_2_0435DEC0 |
Source: | File created: |
Source: | Mutant created: |
Source: | File created: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Static file information: |
Source: | Key opened: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | String found in binary or memory: |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | ||
Source: | Process created: |
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: |
Source: | Key value queried: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Code function: | 0_2_0436C0C8 |
Source: | Static PE information: |
Source: | Code function: | 0_2_0059118C | |
Source: | Code function: | 0_2_0053C4E9 | |
Source: | Code function: | 0_2_04378448 | |
Source: | Code function: | 0_2_043984C0 | |
Source: | Code function: | 0_2_043564ED | |
Source: | Code function: | 0_2_043A05BE | |
Source: | Code function: | 0_2_0439A4A8 | |
Source: | Code function: | 0_2_0436A693 | |
Source: | Code function: | 0_2_0436A693 | |
Source: | Code function: | 0_2_0436A728 | |
Source: | Code function: | 0_2_04356710 | |
Source: | Code function: | 0_2_0436A758 | |
Source: | Code function: | 0_2_0436A758 | |
Source: | Code function: | 0_2_0439C774 | |
Source: | Code function: | 0_2_04356764 | |
Source: | Code function: | 0_2_0436C7A4 | |
Source: | Code function: | 0_2_04356764 | |
Source: | Code function: | 0_2_0439C7D0 | |
Source: | Code function: | 0_2_0436802D | |
Source: | Code function: | 0_2_0436C08C | |
Source: | Code function: | 0_2_0436C08C | |
Source: | Code function: | 0_2_0437014C | |
Source: | Code function: | 0_2_0439A130 | |
Source: | Code function: | 0_2_04370184 | |
Source: | Code function: | 0_2_043701E4 | |
Source: | Code function: | 0_2_043701E4 | |
Source: | Code function: | 0_2_0439A2D0 | |
Source: | Code function: | 0_2_043902DA | |
Source: | Code function: | 0_2_0436CC68 | |
Source: | Code function: | 0_2_04396E03 | |
Source: | Code function: | 0_2_0439CCC6 |
Source: | Code function: | 0_2_0436C0C8 |
Source: | Process information set: |
Malware Analysis System Evasion |
---|
Source: | Code function: | 0_2_043A2064 |
Source: | Binary or memory string: |
Source: | API coverage: |
Source: | Code function: | 0_2_043A2064 |
Source: | WMI Queries: |
Source: | Last function: |
Source: | Code function: | 0_2_043588D0 | |
Source: | Code function: | 0_2_043589D8 | |
Source: | Code function: | 0_2_04398A34 | |
Source: | Code function: | 0_2_04372B90 | |
Source: | Code function: | 0_2_043795A4 | |
Source: | Code function: | 0_2_043A12AC | |
Source: | Code function: | 0_2_0439FDC0 | |
Source: | Code function: | 0_2_04355934 |
Source: | Code function: | 0_2_043768D0 |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Process information queried: |
Source: | Code function: | 0_2_005526A5 |
Source: | Code function: | 0_2_0436C0C8 |
Source: | Code function: | 0_2_0057C074 | |
Source: | Code function: | 0_2_0058061A | |
Source: | Code function: | 0_2_0436D494 | |
Source: | Code function: | 0_2_0436FB8C | |
Source: | Code function: | 0_2_0436FB8C |
Source: | Code function: | 0_2_04370374 |
Source: | Code function: | 0_2_0053B537 | |
Source: | Code function: | 0_2_0056DD94 |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Code function: | 0_2_04373730 |
Source: | Code function: | 0_2_04373730 |
Source: | Code function: | 0_2_04396BA8 |
Source: | Process created: | ||
Source: | Process created: |
Source: | Code function: | 0_2_0053C0F0 |
Source: | Code function: | 0_2_04355B0C | |
Source: | Code function: | 0_2_04356430 | |
Source: | Code function: | 0_2_0435CB64 | |
Source: | Code function: | 0_2_0435B4FC | |
Source: | Code function: | 0_2_0435B548 | |
Source: | Code function: | 0_2_04355C17 |
Source: | Registry key value queried: | ||
Source: | Registry key value queried: |
Source: | Key value queried: | ||
Source: | Key value queried: |
Source: | Code function: | 0_2_0053C4EB |
Source: | Code function: | 0_2_04376A54 |
Source: | Code function: | 0_2_0057D5CA |
Source: | Code function: | 0_2_043564F9 |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 Create Account | 211 Process Injection | 1 Masquerading | 11 Input Capture | 2 System Time Discovery | Remote Services | 11 Input Capture | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Virtualization/Sandbox Evasion | LSASS Memory | 251 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | 1 Native API | Logon Script (Windows) | Logon Script (Windows) | 211 Process Injection | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 2 Clipboard Data | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 55 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
91.222.173.80 | unknown | Ukraine | | 39249 | KICUA-ASGI | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1531070 |
Start date and time: | 2024-10-10 20:12:07 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 3m 4s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 5 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | upd_1916298.exe |
Detection: | MAL |
Classification: | mal88.troj.spyw.evad.winEXE@6/2@0/1 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): dllhost.exe
- Not all processes were analyzed; the report is missing behavior information
- VT rate limit hit for: upd_1916298.exe
Time | Type | Description |
---|---|---|
14:12:57 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
KICUA-ASGI | | Get hash | malicious | Phisher | Browse | |
| | Get hash | malicious | DarkGate, MailPassView | Browse | |
| | Get hash | malicious | DarkGate, MailPassView | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | RHADAMANTHYS | Browse | |
| | Get hash | malicious | RHADAMANTHYS | Browse | |
| | Get hash | malicious | Bdaejec | Browse | |
| | Get hash | malicious | DarkGate, MailPassView | Browse | |
| | Get hash | malicious | DarkGate, MailPassView | Browse | |
| | Get hash | malicious | DarkGate, MailPassView | Browse | |
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 42 |
Entropy (8bit): | 2.914979271060093 |
Encrypted: | false |
SSDEEP: | 3:Qh9eolFl+ClFYn:Q7eY+Xn |
MD5: | AA80D60A166F0455FF52A716AB4484BA |
SHA1: | 8D6F9C56DCB008FF63ACBE7EE601F02B9E072A66 |
SHA-256: | DFBA4B33F04967D617B2D4222B574BB3D2C7C2E1816D12D22A7AB4732D86678C |
SHA-512: | B25BE93F450333EE027AC15C3CA79C6F55A1DAAF211AA99839A59302D4F4519EA192A08E0CAF67AB42436243FE35A4F2AC978C0D4DBE3423A839F5C5D5988BCC |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\upd_1916298.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 32 |
Entropy (8bit): | 3.7417292966721747 |
Encrypted: | false |
SSDEEP: | 3:MQnFuGGSQuygn:M1GTzn |
MD5: | C98F11CED00A201D0520C3B721D1C1BC |
SHA1: | 35036B454AEC25C848313688A7DF2EFF774D719C |
SHA-256: | 2CD35C2AB938E02D14A1BF7D118B7BC38C9377715D0E580BC25C74503171ABD5 |
SHA-512: | 6AC3865166064167726C5EF993119558211FD6959A13DE4AA34562AE0C8C4B8D2B00633552D2285C4BFE316DED91C1ED6F04C1A2309F6E6A81EC2B5DCDA5368D |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 6.95323091118722 |
TrID: | |
File name: | upd_1916298.exe |
File size: | 2'695'440 bytes |
MD5: | abdcc4a6d9ebcdb3f832de479bec51e0 |
SHA1: | ab8e09f1b836a3bc07a4fd72fc17155f304e8c87 |
SHA256: | 2fa83a1f4b3196a87645d4e71c3a486c7eb433ccb462c85888d5a5dee2abe2e2 |
SHA512: | 8adf6d9ec903385be0d379ecfd122db5ae2f30e393105b2d1db8fcde6816c85c7b709fe700ab90f1d7bd187d0d22b538a62e033238925fb3c77972281e8253e7 |
SSDEEP: | 49152:Ms8boAvk/rdETXD/j6qYMfnz8xvMOjyPNerGSbR7Wtg2l3ZjH+7DnGdc9iOj:MNboAurdEPjflSb1WtZte7DB |
TLSH: | 5AC5AF13B7C7C073EC929171557ADBA7582D7A20072848CBE2C05E1D68E26D26F36B6F |
File Content Preview: | MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........p>...m...m...m...lv..m...l...mVn.m...me..l...me..l...me..lA..m...l...m...l...m...l...m...m...m...l...m...l...m...l...m...m... |
Icon Hash: | 173149cccc490307 |
Entrypoint: | 0x53c060 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x6645E940 [Thu May 16 11:08:48 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 8228b51f94e32d919543d0118d0ddc46 |
Signature Valid: | true |
Signature Issuer: | CN=Certum Extended Validation Code Signing 2021 CA, O=Asseco Data Systems S.A., C=PL |
Signature Validation Error: | The operation completed successfully |
Error Number: | 0 |
Not Before, Not After | |
Subject Chain | |
Version: | 3 |
Thumbprint MD5: | 6678FF8DD909DD56B4AEB4ADF6E8729D |
Thumbprint SHA-1: | 443CAD90EB0711571D60B7DF7B1DBC7F97C3DCC2 |
Thumbprint SHA-256: | CB821EC143C163713C13111D49FBC544CA7B7E00950ECBE890CC493D60EB5704 |
Serial: | 6DFFAF77D8C06AF0EF1E2A88CFE4360B |
Instruction |
---|
call 00007F4C04845DDBh |
jmp 00007F4C048457DDh |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
push ecx |
lea ecx, dword ptr [esp+04h] |
sub ecx, eax |
sbb eax, eax |
not eax |
and ecx, eax |
mov eax, esp |
and eax, FFFFF000h |
cmp ecx, eax |
jc 00007F4C0484595Eh |
mov eax, ecx |
pop ecx |
xchg eax, esp |
mov eax, dword ptr [eax] |
mov dword ptr [esp], eax |
ret |
sub eax, 00001000h |
test dword ptr [eax], eax |
jmp 00007F4C04845939h |
int3 |
int3 |
int3 |
push ebp |
mov ebp, esp |
push esi |
push dword ptr [ebp+08h] |
mov esi, ecx |
call 00007F4C047B3767h |
mov dword ptr [esi], 005C2C28h |
mov eax, esi |
pop esi |
pop ebp |
retn 0004h |
and dword ptr [ecx+04h], 00000000h |
mov eax, ecx |
and dword ptr [ecx+08h], 00000000h |
mov dword ptr [ecx+04h], 005C2C30h |
mov dword ptr [ecx], 005C2C28h |
ret |
push ebp |
mov ebp, esp |
sub esp, 0Ch |
lea ecx, dword ptr [ebp-0Ch] |
call 00007F4C047B37A4h |
push 00604774h |
lea eax, dword ptr [ebp-0Ch] |
push eax |
call 00007F4C048749F0h |
int3 |
push ebp |
mov ebp, esp |
sub esp, 0Ch |
lea ecx, dword ptr [ebp-0Ch] |
call 00007F4C04845912h |
push 0060142Ch |
lea eax, dword ptr [ebp-0Ch] |
push eax |
call 00007F4C048749D3h |
int3 |
push ebp |
mov ebp, esp |
and dword ptr [0060E7E8h], 00000000h |
sub esp, 2Ch |
push ebx |
xor ebx, ebx |
inc ebx |
or dword ptr [006071E0h], ebx |
push 0000000Ah |
call 00007F4C04845A20h |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x204ae0 | 0x4c8 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x204fa8 | 0xb4 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x215000 | 0x70a80 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x28f800 | 0x2910 | .reloc |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x286000 | 0x115e8 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1ee010 | 0x70 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x1ee080 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1d26f8 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1a1000 | 0x43c | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x204a54 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x19ff5a | 0x1a0000 | c309efacfcca325177df19fd50cad3de | False | 0.5116541935847356 | data | 6.62770760824614 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x1a1000 | 0x6575a | 0x65800 | 98499091282bed2ccdafdb62d6361afe | False | 0.31095578048029554 | data | 5.384936595689672 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x207000 | 0xb178 | 0x7600 | 453997f62050178efeae0a6777c39680 | False | 0.19974841101694915 | data | 4.715686411768808 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.didat | 0x213000 | 0x10 | 0x200 | c38288023812070ce82b7497534c2042 | False | 0.041015625 | data | 0.16476501235057214 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.tls | 0x214000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x215000 | 0x70a80 | 0x70c00 | 2c7b614854efe38a314201bfbe45657d | False | 0.798758834534368 | data | 7.798650482101254 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x286000 | 0x115e8 | 0x11600 | c169161967d938c5cc8ce39678463bcd | False | 0.6230328237410072 | data | 6.649750511860731 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x2152e0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.4913294797687861 |
RT_ICON | 0x215848 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.46435018050541516 |
RT_ICON | 0x2160f0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.39072494669509594 |
RT_ICON | 0x216f98 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.6214539007092199 |
RT_ICON | 0x217400 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | | | 0.4298780487804878 |
RT_ICON | 0x2184a8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.32863070539419087 |
RT_ICON | 0x21aa50 | 0x7cfc | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9984998124765596 |
RT_FONT | 0x22274c | 0x5f600 | data | | | 0.821141874180865 |
RT_RCDATA | 0x281d4c | 0x3800 | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | English | United States | 0.4654017857142857 |
RT_GROUP_ICON | 0x28554c | 0x68 | data | | | 0.7019230769230769 |
RT_VERSION | 0x2855b4 | 0x34c | data | English | United States | 0.4834123222748815 |
RT_MANIFEST | 0x285900 | 0x17f | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5953002610966057 |
DLL | Import |
---|---|
KERNEL32.dll | GetTempPathA, FormatMessageW, GetDiskFreeSpaceA, GetLastError, GetFileAttributesA, GetFileAttributesExW, OutputDebugStringW, FlushViewOfFile, CreateFileA, LoadLibraryA, WaitForSingleObjectEx, DeleteFileA, DeleteFileW, HeapReAlloc, CloseHandle, RaiseException, GetSystemInfo, LoadLibraryW, HeapAlloc, HeapCompact, HeapDestroy, UnlockFile, GetProcAddress, LocalFree, LockFileEx, GetFileSize, DeleteCriticalSection, GetCurrentProcessId, GetProcessHeap, SystemTimeToFileTime, FreeLibrary, WideCharToMultiByte, GetSystemTimeAsFileTime, GetSystemTime, FormatMessageA, CreateFileMappingW, MapViewOfFile, QueryPerformanceCounter, GetTickCount, FlushFileBuffers, GetTickCount64, SizeofResource, GetModuleHandleExW, GetModuleFileNameW, LocalAlloc, FreeResource, LockResource, LoadResource, FindResourceW, SetErrorMode, LoadLibraryExW, InitializeCriticalSectionEx, Sleep, GetWindowsDirectoryW, GetEnvironmentStringsW, GetCurrentDirectoryW, SetCurrentDirectoryW, FindFirstFileW, FindNextFileW, FindClose, FileTimeToSystemTime, GetFileTime, GetVolumeNameForVolumeMountPointW, GetLogicalDriveStringsW, GetDriveTypeW, DeviceIoControl, GetSystemWindowsDirectoryW, lstrcpyW, GetModuleHandleW, WaitForMultipleObjects, CreateEventW, SetEvent, CreateNamedPipeW, OpenProcess, CreateThread, GetOverlappedResult, ConnectNamedPipe, GetExitCodeProcess, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, DisconnectNamedPipe, CreateDirectoryW, GetCurrentProcess, CreateProcessW, CopyFileW, SetLastError, lstrcpynW, GetLocaleInfoW, TerminateProcess, GetTempFileNameW, ExpandEnvironmentStringsW, GetVersionExW, GetTimeZoneInformation, GetSystemDirectoryW, ReleaseMutex, CreateMutexA, VirtualAlloc, VirtualFree, VirtualQuery, WriteConsoleW, ReadConsoleW, SetStdHandle, MultiByteToWideChar, HeapSize, HeapValidate, UnmapViewOfFile, GetCurrentThreadId, GetFileAttributesW, CreateFileW, WaitForSingleObject, CreateMutexW, GetTempPathW, UnlockFileEx, SetEndOfFile, AreFileApisANSI, GetFullPathNameA, SetFilePointer, InitializeCriticalSection, LeaveCriticalSection, LockFile, OutputDebugStringA, GetDiskFreeSpaceW, WriteFile, GetFullPathNameW, EnterCriticalSection, HeapFree, HeapCreate, TryEnterCriticalSection, ReadFile, DecodePointer, FreeEnvironmentStringsW, FindFirstFileExW, SetEnvironmentVariableW, SetFilePointerEx, GetFileSizeEx, GetConsoleMode, GetConsoleOutputCP, GetOEMCP, GetACP, IsValidCodePage, GetFileType, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetCommandLineA, GetStdHandle, ExitProcess, ExitThread, RtlUnwind, UnregisterWaitEx, QueryDepthSList, InterlockedFlushSList, InterlockedPushEntrySList, InterlockedPopEntrySList, ReleaseSemaphore, VirtualProtect, UnregisterWait, RegisterWaitForSingleObject, SetThreadAffinityMask, GetProcessAffinityMask, GetNumaHighestNodeNumber, DeleteTimerQueueTimer, ChangeTimerQueueTimer, CreateTimerQueueTimer, GetLogicalProcessorInformation, GetThreadPriority, SetThreadPriority, SwitchToThread, SignalObjectAndWait, GetModuleHandleA, FreeLibraryAndExitThread, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, ResetEvent, IsDebuggerPresent, GetStartupInfoW, InitializeSListHead, GetStringTypeW, DuplicateHandle, GetCurrentThread, GetExitCodeThread, GetNativeSystemInfo, QueryPerformanceFrequency, EncodePointer, QueueUserWorkItem, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, CompareStringW, LCMapStringW, GetCPInfo, CreateTimerQueue, GetThreadTimes, LoadLibraryExA |
USER32.dll | PostThreadMessageW, wsprintfW |
ADVAPI32.dll | OpenSCManagerW, EqualSid, AllocateAndInitializeSid, FreeSid, CheckTokenMembership, QueryServiceStatus, OpenServiceW, RegCloseKey, RegEnumKeyExW, RegOpenKeyExW, RegQueryValueExW, CloseServiceHandle, GetSidSubAuthorityCount, GetSidSubAuthority, GetTokenInformation, AccessCheck, GetFileSecurityW, DuplicateToken, MapGenericMask, LookupPrivilegeValueW, AdjustTokenPrivileges, RegSaveKeyW, OpenProcessToken |
ole32.dll | CoSetProxyBlanket, CoUninitialize, CoInitializeEx, CoCreateInstance, IIDFromString, CLSIDFromString, CoAddRefServerProcess, CoReleaseServerProcess, OleRun |
OLEAUT32.dll | GetErrorInfo, VariantTimeToSystemTime, VariantClear, SafeArrayCreateVector, SafeArrayCreate, SafeArrayLock, VariantCopy, SafeArrayPutElement, SysAllocString, SysFreeString, SafeArrayGetDim, SysStringLen, SysAllocStringLen, SafeArrayDestroy, VariantInit, SafeArrayGetElement, SafeArrayUnlock |
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW |
SHLWAPI.dll | StrStrIW |
WININET.dll | HttpSendRequestW, InternetConnectW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetReadFile, HttpOpenRequestW |
Name | Ordinal | Address |
---|---|---|
_QHChangeOnAccessScanState@8 | 1 | 0x51fa40 |
_QHEnableOnAccessScan@8 | 2 | 0x51e740 |
_QHFreeThreatHistoryListA@8 | 3 | 0x51ed00 |
_QHFreeThreatHistoryListW@8 | 4 | 0x51ed40 |
_QHGetAppLanguageA@16 | 5 | 0x51ee10 |
_QHGetAppLanguageW@16 | 6 | 0x51eec0 |
_QHGetDigitalCertSignerA@12 | 7 | 0x51ef80 |
_QHGetDigitalCertSignerW@12 | 8 | 0x51f020 |
_QHGetEngineVersionA@12 | 9 | 0x51e570 |
_QHGetEngineVersionW@12 | 10 | 0x51e610 |
_QHGetExpDate@8 | 11 | 0x51e7d0 |
_QHGetLastFullScanTime@8 | 12 | 0x51f650 |
_QHGetProductInstallDirA@12 | 13 | 0x51f0c0 |
_QHGetProductInstallDirW@12 | 14 | 0x51f160 |
_QHGetSASQHStatus@8 | 15 | 0x51f9a0 |
_QHGetSigDatabaseDirA@12 | 16 | 0x51f200 |
_QHGetSigDatabaseDirW@12 | 17 | 0x51f2a0 |
_QHGetSigDatabaseTime@8 | 18 | 0x51e390 |
_QHGetSigDatabaseVersionA@12 | 19 | 0x51e430 |
_QHGetSigDatabaseVersionW@12 | 20 | 0x51e4d0 |
_QHGetThreatHistoryA@8 | 21 | 0x51e990 |
_QHGetThreatHistoryW@8 | 22 | 0x51eb80 |
_QHInitUpdate@4 | 23 | 0x51e900 |
_QHInitiateFileScanA@8 | 24 | 0x51f510 |
_QHInitiateFileScanW@8 | 25 | 0x51f5b0 |
_QHInitiateFolderScanA@8 | 26 | 0x51f3d0 |
_QHInitiateFolderScanW@8 | 27 | 0x51f470 |
_QHInitiateFullScan@4 | 28 | 0x51f340 |
_QHIsAVInstalled@4 | 29 | 0x51e290 |
_QHIsFullScanRunning@4 | 30 | 0x51f6f0 |
_QHIsLicenseExpired@4 | 31 | 0x51e870 |
_QHIsOnAccessScanEnabled@4 | 32 | 0x51e6b0 |
_QHIsUpdateInProgress@4 | 33 | 0x51ed80 |
_QHOpenScanner@4 | 34 | 0x51f870 |
Language of compilation system | Country where language is spoken |
---|---|
English | United States |
Target ID: | 0 |
Start time: | 14:12:56 |
Start date: | 10/10/2024 |
Path: | C:\Users\user\Desktop\upd_1916298.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 2'695'440 bytes |
MD5 hash: | ABDCC4A6D9EBCDB3F832DE479BEC51E0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | Borland Delphi |
Yara matches: | |
Reputation: | low |
Has exited: | true |
Target ID: | 2 |
Start time: | 14:12:56 |
Start date: | 10/10/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x790000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 14:12:56 |
Start date: | 10/10/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6d64d0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 4 |
Start time: | 14:12:56 |
Start date: | 10/10/2024 |
Path: | C:\Windows\SysWOW64\wbem\WMIC.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xfe0000 |
File size: | 427'008 bytes |
MD5 hash: | E2DE6500DE1148C7F6027AD50AC8B891 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Execution Graph
Execution Coverage: | 1.7% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 5.5% |
Total number of Nodes: | 1226 |
Total number of Limit Nodes: | 14 |
Function 04355B0C Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 186registrystringlibraryCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00401093 Relevance: 21.3, APIs: 4, Strings: 8, Instructions: 301nativememorylibraryCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 04355C17 Relevance: 15.1, APIs: 10, Instructions: 101stringlibrarythreadCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 043792B0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 167processsynchronizationCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 04376A54 Relevance: 1.5, APIs: 1, Instructions: 27COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0435DEC0 Relevance: 1.5, APIs: 1, Instructions: 17processCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 043768D0 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 043A3990 Relevance: 49.4, APIs: 6, Strings: 22, Instructions: 403threadsleepCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 04378354 Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 29libraryCOMMON
Control-flow Graph
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0437A2D0 Relevance: 4.6, APIs: 3, Instructions: 54fileCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 04354A94 Relevance: 3.0, APIs: 2, Instructions: 15memoryCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 043515A0 Relevance: 2.5, APIs: 2, Instructions: 37memoryCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 04376B38 Relevance: 1.6, APIs: 1, Instructions: 140COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0435CA14 Relevance: 1.6, APIs: 1, Instructions: 71COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 04376AB0 Relevance: 1.5, APIs: 1, Instructions: 43COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 04355878 Relevance: 1.5, APIs: 1, Instructions: 26COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 04357FC0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0435DEE0 Relevance: 1.5, APIs: 1, Instructions: 17COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0435DF00 Relevance: 1.5, APIs: 1, Instructions: 17COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 043776C8 Relevance: 1.5, APIs: 1, Instructions: 16COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0436BE02 Relevance: 1.5, APIs: 1, Instructions: 7networkCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 04351744 Relevance: 1.3, APIs: 1, Instructions: 71memoryCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 04379FC8 Relevance: 1.3, APIs: 1, Instructions: 67COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 04379AD8 Relevance: 1.3, APIs: 1, Instructions: 52COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 04378AA4 Relevance: 1.3, APIs: 1, Instructions: 42sleepCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0437A364 Relevance: 1.3, APIs: 1, Instructions: 39sleepCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 04376DF0 Relevance: 1.3, APIs: 1, Instructions: 3sleepCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0436C0C8 Relevance: 145.5, APIs: 43, Strings: 40, Instructions: 284libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 043A2064 Relevance: 55.5, APIs: 13, Strings: 18, Instructions: 1220threadsleepCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 04355934 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 144stringlibraryfileCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 04370374 Relevance: 22.7, APIs: 15, Instructions: 241memorythreadprocessCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00441460 Relevance: 19.9, Strings: 15, Instructions: 1168COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0439FDC0 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 272filestringtimeCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 04399D04 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 174nativeCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 04370694 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 180sleepprocessnativeCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00403980 Relevance: 16.5, Strings: 13, Instructions: 253COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 04373730 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 174processinjectionmemoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00428A80 Relevance: 14.3, Strings: 11, Instructions: 526COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004A0D30 Relevance: 14.3, Strings: 11, Instructions: 523COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 04398A34 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 168fileCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0436FB8C Relevance: 9.2, Strings: 7, Instructions: 450COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 043564F9 Relevance: 9.0, APIs: 6, Instructions: 41threadCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 043588D0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37timefileCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0041BD40 Relevance: 8.0, APIs: 5, Instructions: 495COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004290A0 Relevance: 7.9, Strings: 6, Instructions: 359COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0057D5CA Relevance: 7.8, APIs: 5, Instructions: 332timeCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004373A5 Relevance: 6.8, Strings: 5, Instructions: 592COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00482720 Relevance: 6.7, Strings: 5, Instructions: 413COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00467FB0 Relevance: 6.6, Strings: 5, Instructions: 341COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040F300 Relevance: 6.6, Strings: 5, Instructions: 320COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0438F40C Relevance: 6.4, Strings: 5, Instructions: 179COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 04399FA8 Relevance: 6.1, APIs: 4, Instructions: 106sleepCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0042E880 Relevance: 5.7, Strings: 4, Instructions: 692COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0053C0F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144COMMONLIBRARYCODE
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00425120 Relevance: 5.2, Strings: 3, Instructions: 1427COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 043A12AC Relevance: 4.8, APIs: 3, Instructions: 305fileCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 043795A4 Relevance: 4.6, APIs: 3, Instructions: 114fileCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00423250 Relevance: 4.3, Strings: 3, Instructions: 543COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00426D00 Relevance: 4.3, Strings: 3, Instructions: 540COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00417330 Relevance: 4.2, Strings: 3, Instructions: 495COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00430620 Relevance: 4.2, Strings: 3, Instructions: 437COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00427720 Relevance: 4.2, Strings: 3, Instructions: 417COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0041E600 Relevance: 4.1, Strings: 3, Instructions: 381COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00422A90 Relevance: 4.1, Strings: 3, Instructions: 345COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00421F80 Relevance: 4.1, Strings: 3, Instructions: 328COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00421430 Relevance: 4.0, Strings: 3, Instructions: 231COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004470D0 Relevance: 3.2, Strings: 2, Instructions: 651COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0437D924 Relevance: 3.0, APIs: 2, Instructions: 46windowCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 04399C5C Relevance: 3.0, APIs: 2, Instructions: 38nativeCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0435CB64 Relevance: 3.0, APIs: 2, Instructions: 37COMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 04399C28 Relevance: 3.0, APIs: 2, Instructions: 24nativeCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 04396BA8 Relevance: 3.0, APIs: 2, Instructions: 13COMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00409CF0 Relevance: 2.4, APIs: 1, Instructions: 909COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00429D30 Relevance: 2.2, APIs: 1, Instructions: 663COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0041F800 Relevance: 1.8, Strings: 1, Instructions: 560COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0438443C Relevance: 1.8, APIs: 1, Instructions: 286COMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0044F050 Relevance: 1.7, Strings: 1, Instructions: 490COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0044F840 Relevance: 1.6, Strings: 1, Instructions: 385COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00401DF0 Relevance: 1.6, Strings: 1, Instructions: 311COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 04358C34 Relevance: 1.6, APIs: 1, Instructions: 53COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 04356430 Relevance: 1.5, APIs: 1, Instructions: 37COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 04399CB4 Relevance: 1.5, APIs: 1, Instructions: 32nativeCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0435B4FC Relevance: 1.5, APIs: 1, Instructions: 29COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0435B548 Relevance: 1.5, APIs: 1, Instructions: 23COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00409000 Relevance: .4, Instructions: 403COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00414D50 Relevance: .3, Instructions: 283COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00408930 Relevance: .3, Instructions: 270COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 043909F4 Relevance: .2, Instructions: 238COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040E890 Relevance: .2, Instructions: 238COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004102E0 Relevance: .2, Instructions: 177COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0041E0E0 Relevance: .2, Instructions: 157COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004A23F0 Relevance: .1, Instructions: 140COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004340A0 Relevance: .1, Instructions: 99COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040BBE0 Relevance: .1, Instructions: 95COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0058061A Relevance: .0, Instructions: 22COMMONLIBRARYCODE
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0436D494 Relevance: .0, Instructions: 2COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0436DBDC Relevance: 75.4, APIs: 24, Strings: 19, Instructions: 132libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0435DC44 Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0439DD64 Relevance: 31.7, APIs: 4, Strings: 17, Instructions: 219sleepCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0436E488 Relevance: 26.7, APIs: 6, Strings: 9, Instructions: 475processCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 043979AC Relevance: 26.4, APIs: 4, Strings: 11, Instructions: 133processthreadCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 04371474 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 250sleepkeyboardthreadCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 04397DD4 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 275windowsleepthreadCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 04398F40 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 156fileCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0435CDC8 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201threadCOMMON
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0051E990 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 169libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0051EB80 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 133libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0437FC84 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 122fileCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 043540F8 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38filewindowCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0437DF18 Relevance: 12.1, APIs: 8, Instructions: 79COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 043790B8 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153processsynchronizationCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0439821C Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 103sleepCOMMON
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0057FEB6 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 043808BC Relevance: 10.6, APIs: 7, Instructions: 66COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00583022 Relevance: 10.6, APIs: 7, Instructions: 65COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0439B494 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 63libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 04378BB4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 61sleepCOMMON
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0437365C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 04369ECC Relevance: 9.1, APIs: 6, Instructions: 109threadCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0437E420 Relevance: 9.1, APIs: 6, Instructions: 84COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0436A340 Relevance: 9.1, APIs: 6, Instructions: 73synchronizationthreadCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 04351C18 Relevance: 9.1, APIs: 6, Instructions: 72COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0437E8A4 Relevance: 9.1, APIs: 6, Instructions: 65COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0437E0C8 Relevance: 9.1, APIs: 6, Instructions: 55COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0437D7A0 Relevance: 9.0, APIs: 6, Instructions: 43COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 04382724 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 113windowCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0439EB54 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 105sleepCOMMON
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 04351B40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54memoryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 04353458 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0057C0F9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 04399130 Relevance: 7.6, APIs: 5, Instructions: 89fileCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0436B992 Relevance: 7.6, APIs: 5, Instructions: 78networkCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0436B994 Relevance: 7.6, APIs: 5, Instructions: 77networkCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 04396E5C Relevance: 7.6, APIs: 5, Instructions: 73COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 04381BA0 Relevance: 7.6, APIs: 5, Instructions: 66windowCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0436A4D8 Relevance: 7.6, APIs: 5, Instructions: 59threadsynchronizationwindowCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0437E030 Relevance: 7.6, APIs: 5, Instructions: 55COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0435B784 Relevance: 7.6, APIs: 5, Instructions: 50threadCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00582AF6 Relevance: 7.5, APIs: 5, Instructions: 40COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0435B834 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148threadCOMMON
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0051EE10 | Relevance: 7.1 | APIs: 3 | Strings: 1 | Instructions: 66 | Tags: libraryloader, COMMON
Function 0051EEC0 | Relevance: 7.1 | APIs: 3 | Strings: 1 | Instructions: 66 | Tags: libraryloader, COMMON
Function 0051F020 | Relevance: 7.1 | APIs: 3 | Strings: 1 | Instructions: 63 | Tags: libraryloader, COMMON
Function 0051F0C0 | Relevance: 7.1 | APIs: 3 | Strings: 1 | Instructions: 63 | Tags: libraryloader, COMMON
Function 0051F160 | Relevance: 7.1 | APIs: 3 | Strings: 1 | Instructions: 63 | Tags: libraryloader, COMMON
Function 0051F200 | Relevance: 7.1 | APIs: 3 | Strings: 1 | Instructions: 63 | Tags: libraryloader, COMMON
Function 0051F2A0 | Relevance: 7.1 | APIs: 3 | Strings: 1 | Instructions: 63 | Tags: libraryloader, COMMON
Function 0051E430 | Relevance: 7.1 | APIs: 3 | Strings: 1 | Instructions: 63 | Tags: libraryloader, COMMON
Function 0051E4D0 | Relevance: 7.1 | APIs: 3 | Strings: 1 | Instructions: 63 | Tags: libraryloader, COMMON
Function 0051E570 | Relevance: 7.1 | APIs: 3 | Strings: 1 | Instructions: 63 | Tags: libraryloader, COMMON
Function 0051E610 | Relevance: 7.1 | APIs: 3 | Strings: 1 | Instructions: 63 | Tags: libraryloader, COMMON
Function 0051EF80 | Relevance: 7.1 | APIs: 3 | Strings: 1 | Instructions: 63 | Tags: libraryloader, COMMON
Function 0436BC5C | Relevance: 7.1 | APIs: 3 | Strings: 1 | Instructions: 62 | Tags: network, sleep, COMMON | Yara matches: yes
Function 04372FB8 | Relevance: 7.1 | APIs: 3 | Strings: 1 | Instructions: 62 | Tags: memory, COMMON | Yara matches: yes
Function 0051F3D0 | Relevance: 7.1 | APIs: 3 | Strings: 1 | Instructions: 60 | Tags: libraryloader, COMMON
Function 0051E390 | Relevance: 7.1 | APIs: 3 | Strings: 1 | Instructions: 60 | Tags: libraryloader, COMMON
Function 0051F470 | Relevance: 7.1 | APIs: 3 | Strings: 1 | Instructions: 60 | Tags: libraryloader, COMMON
Function 0051F510 | Relevance: 7.1 | APIs: 3 | Strings: 1 | Instructions: 60 | Tags: libraryloader, COMMON
Function 0051F5B0 | Relevance: 7.1 | APIs: 3 | Strings: 1 | Instructions: 60 | Tags: libraryloader, COMMON
Function 0051F650 | Relevance: 7.1 | APIs: 3 | Strings: 1 | Instructions: 60 | Tags: libraryloader, COMMON
Function 0051E7D0 | Relevance: 7.1 | APIs: 3 | Strings: 1 | Instructions: 60 | Tags: libraryloader, COMMON
Function 0051F9A0 | Relevance: 7.1 | APIs: 3 | Strings: 1 | Instructions: 60 | Tags: libraryloader, COMMON
Function 0051E740 | Relevance: 7.1 | APIs: 3 | Strings: 1 | Instructions: 58 | Tags: libraryloader, COMMON
Function 0051FA40 | Relevance: 7.1 | APIs: 3 | Strings: 1 | Instructions: 58 | Tags: libraryloader, COMMON
Function 0051F340 | Relevance: 7.1 | APIs: 3 | Strings: 1 | Instructions: 57 | Tags: libraryloader, COMMON
Function 0051F6F0 | Relevance: 7.1 | APIs: 3 | Strings: 1 | Instructions: 57 | Tags: libraryloader, COMMON
Function 0051E6B0 | Relevance: 7.1 | APIs: 3 | Strings: 1 | Instructions: 57 | Tags: libraryloader, COMMON
Function 0051F870 | Relevance: 7.1 | APIs: 3 | Strings: 1 | Instructions: 57 | Tags: libraryloader, COMMON
Function 0051E870 | Relevance: 7.1 | APIs: 3 | Strings: 1 | Instructions: 57 | Tags: libraryloader, COMMON
Function 0051E900 | Relevance: 7.1 | APIs: 3 | Strings: 1 | Instructions: 57 | Tags: libraryloader, COMMON
Function 0051ED80 | Relevance: 7.1 | APIs: 3 | Strings: 1 | Instructions: 57 | Tags: libraryloader, COMMON
Function 0436BA8C | Relevance: 7.0 | APIs: 3 | Strings: 1 | Instructions: 48 | Tags: network, COMMON | Yara matches: yes
Function 0435D220 | Relevance: 7.0 | APIs: 2 | Strings: 2 | Instructions: 16 | Tags: libraryloader, COMMON | Yara matches: yes
Function 04368458 | Relevance: 6.4 | APIs: 5 | Instructions: 122 | Tags: COMMON | Yara matches: yes
Function 04373C88 | Relevance: 6.1 | APIs: 1 | Strings: 3 | Instructions: 135 | Tags: sleep, COMMON | Yara matches: yes
Function 0040C120 | Relevance: 6.1 | APIs: 4 | Instructions: 118 | Tags: COMMON
Function 04360C4C | Relevance: 6.1 | APIs: 4 | Instructions: 115 | Tags: COMMON | Yara matches: yes
Function 0435BA68 | Relevance: 6.1 | APIs: 4 | Instructions: 108 | Tags: COMMON | Yara matches: yes
Function 0435BA66 | Relevance: 6.1 | APIs: 4 | Instructions: 107 | Tags: COMMON | Yara matches: yes
Function 0435CC50 | Relevance: 6.1 | APIs: 4 | Instructions: 97 | Tags: thread, COMMON | Yara matches: yes
Function 0437A0F4 | Relevance: 6.1 | APIs: 4 | Instructions: 87 | Tags: COMMON | Yara matches: yes
Function 04380704 | Relevance: 6.1 | APIs: 4 | Instructions: 83 | Tags: COMMON | Yara matches: yes
Function 043976D0 | Relevance: 6.1 | APIs: 4 | Instructions: 80 | Tags: COMMON | Yara matches: yes
Function 043A1E54 | Relevance: 6.1 | APIs: 2 | Strings: 2 | Instructions: 69 | Tags: sleep, COMMON | Yara matches: yes
Function 0439F338 | Relevance: 6.1 | APIs: 4 | Instructions: 65 | Tags: COMMON | Yara matches: yes
Function (header not preserved in this export) | panels: APIs | Yara matches: yes
Function 004A9DB0 | Relevance: 6.0 | APIs: 4 | Instructions: 40 | Tags: COMMON
Function 04384CC8 | Relevance: 6.0 | APIs: 4 | Instructions: 24 | Tags: COMMON | Yara matches: yes
Function 04356E38 | Relevance: 6.0 | APIs: 4 | Instructions: 11 | Tags: memory, COMMON | Yara matches: yes
Function (header not preserved in this export) | panels: APIs, Strings
Function (header not preserved in this export) | panels: APIs, Strings
Function (header not preserved in this export) | panels: APIs, Strings
Function (header not preserved in this export) | panels: APIs, Strings
Function 043A08A4 | Relevance: 5.4 | APIs: 1 | Strings: 2 | Instructions: 122 | Tags: file, COMMON | Yara matches: yes
Function (header not preserved in this export) | panels: APIs, Strings
Function (header not preserved in this export) | panels: APIs, Strings
Function 0435A25C | Relevance: 5.3 | APIs: 2 | Strings: 1 | Instructions: 74 | Tags: thread, COMMON | Yara matches: yes
Function (header not preserved in this export) | panels: APIs, Strings | Yara matches: yes
Function (header not preserved in this export) | panels: APIs, Strings | Yara matches: yes
Function 00541B9A | Relevance: 5.3 | APIs: 2 | Strings: 1 | Instructions: 31 | Tags: COMMON, LIBRARYCODE
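The function listing in this report is a flattened export: the instruction count and the tag labels were fused into one token ("66libraryloaderCOMMON"), and each function's panels survive only as their labels, so whether a "Yara matches" panel follows a header is the only remaining hint of which functions sit in the Yara-flagged memory dump. The Python below is an added example, not part of the Joe Sandbox report or its tooling. It parses lines in that shape back into records, splits the fused tag run using the label vocabulary that appears on this page, marks an entry when a Yara matches panel follows its header, and buckets functions by the top byte of their address. The sample input is four entries copied from this listing; the tag list, the treatment of a missing Strings field as 0, and the region bucketing are the example's own assumptions.

```python
"""Turn the flattened Joe Sandbox function listing back into structured records.

Added example, not part of the Joe Sandbox report. The sample is four entries
copied from this report's export; KNOWN_TAGS is the label set seen on the page.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: four entries in the exact flattened shape the export produced.
SAMPLE_LISTING = """\
Function 0051EE10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
Joe Sandbox IDA Plugin |
Similarity |
Function 0436BC5C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62networksleepCOMMON
APIs |
Strings |
Memory Dump Source |
Joe Sandbox IDA Plugin |
Yara matches |
Similarity |
Function 04368458 Relevance: 6.4, APIs: 5, Instructions: 122COMMON
APIs |
Memory Dump Source |
Joe Sandbox IDA Plugin |
Yara matches |
Similarity |
Function 00541B9A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
Joe Sandbox IDA Plugin |
Similarity |
"""

# Tags seen in this report (assumed vocabulary). Longest-first so greedy matching
# cannot break "libraryloader" or "LIBRARYCODE" into shorter pieces.
KNOWN_TAGS = sorted(
    ["libraryloader", "LIBRARYCODE", "network", "memory", "thread", "sleep", "file", "COMMON"],
    key=len, reverse=True,
)

# The export fused the instruction count and the tag labels ("66libraryloaderCOMMON");
# the digit/letter boundary separates them again. APIs and Strings are optional.
HEADER_RE = re.compile(
    r"^Function\s+([0-9A-Fa-f]{8})\s+Relevance:\s*([\d.]+)"
    r"(?:,\s*APIs:\s*(\d+))?(?:,\s*Strings:\s*(\d+))?"
    r",\s*Instructions:\s*(\d+)([A-Za-z]*)$"
)


@dataclass
class FunctionEntry:
    address: int
    relevance: float
    apis: int
    strings: int          # 0 when the header carries no Strings field (assumption)
    instructions: int
    tags: list
    yara_match: bool = False


def split_tags(fused: str) -> list:
    """Split a fused tag run into known tags; an unrecognised tail is kept, labelled."""
    tags, rest = [], fused
    while rest:
        for tag in KNOWN_TAGS:
            if rest.startswith(tag):
                tags.append(tag)
                rest = rest[len(tag):]
                break
        else:
            tags.append("unknown:" + rest)
            break
    return tags


def parse_listing(text: str) -> list:
    """One FunctionEntry per header line; a 'Yara matches' panel that follows marks it."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            addr, rel, apis, strs, insns, fused = m.groups()
            current = FunctionEntry(int(addr, 16), float(rel), int(apis or 0),
                                    int(strs or 0), int(insns), split_tags(fused))
            entries.append(current)
        elif current is not None and line.startswith("Yara matches"):
            current.yara_match = True
    return entries


def group_by_region(entries) -> dict:
    """Bucket by top address byte; here that separates the 0x0051xxxx and 0x04xxxxxx clusters."""
    regions = defaultdict(list)
    for e in entries:
        regions[e.address >> 24].append(e)
    return dict(regions)


if __name__ == "__main__":
    for region, funcs in sorted(group_by_region(parse_listing(SAMPLE_LISTING)).items()):
        flagged = sum(f.yara_match for f in funcs)
        print(f"region 0x{region:02x}: {len(funcs)} functions, {flagged} with Yara matches")
        for f in funcs:
            print(f"  {f.address:08X} rel={f.relevance} tags={','.join(f.tags)}")
```

Run against the full export, the region grouping makes the triage split visible at a glance: the libraryloader-tagged 0x0051xxxx functions carry no Yara panel, while every 0x04xxxxxx function in the sample does, so the latter cluster is where to start when hunting for the DarkGate code the Yara rules fired on.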