Edit tour
Windows
Analysis Report
#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe
Overview
General Information
| Sample name: | #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exerenamed because original name is a hash value |
| Original sample name: | _.hpw.scr.exe |
| Analysis ID: | 1543679 |
| MD5: | 697d9c4f0800f93a19b89bf923d4135a |
| SHA1: | 6d77a6b41de8d1f24bee70ea628029fe7784077f |
| SHA256: | 8071c7b74e7ca2769f3746ec8cc007caee65474bb77808b7a84c84f877452605 |
| Tags: | exeuser-zhuzhu0009 |
| Infos: |  |
 | |
Detection
| Score: | 69 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Compliance
| Score: | 31 |
| Range: | 0 - 100 |
Signatures
Detected unpacking (changes PE section rights)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Suricata IDS alerts for network traffic
Detected PE file pumping (to bypass AV & sandboxing)
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking mutex)
Injects a PE file into a foreign processes
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Contains functionality to delete services
Contains functionality to enumerate running services
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapater information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
EXE planting / hijacking vulnerabilities found
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Explorer Process Tree Break
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe (PID: 7480 cmdline: "C:\Users\ user\Deskt op\#Uc774# Uc9c0#Ud60 4_#Uc785#U c0ac#Uc9c0 #Uc6d0#Uc1 1c.hpw.scr .exe" MD5: 697D9C4F0800F93A19B89BF923D4135A) 
explorer.exe (PID: 7540 cmdline: C:\Windows \explorer. exe C:\Use rs\Public\ Music\LI1L 1K MD5: 662F4F92FDE3557E86D110526BB578D5)
- explorer.exe (PID: 7568 cmdline:
C:\Windows \explorer. exe /facto ry,{75dff2 b7-6936-4c 06-a8bb-67 6a7b00b24b } -Embeddi ng MD5: 662F4F92FDE3557E86D110526BB578D5) 
TASLogin.exe (PID: 7988 cmdline: "C:\Users\ Public\Doc uments\A9Q 9P9\TASLog in.exe" MD5: E6A3CACCBD9CA82F38A14BD0D4428240) - TASLogin.exe (PID: 8016 cmdline:
C:\Users\P ublic\Docu ments\A9Q9 P9\TASLogi n.exe MD5: E6A3CACCBD9CA82F38A14BD0D4428240)
rundll32.exe (PID: 7628 cmdline: C:\Windows \System32\ rundll32.e xe C:\Wind ows\System 32\shell32 .dll,SHCre ateLocalSe rverRunDll {9aa46009 -3ce0-458a -a354-7156 10a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
OpenWith.exe (PID: 7744 cmdline: C:\Windows \system32\ OpenWith.e xe -Embedd ing MD5: E4A834784FA08C17D47A1E72429C5109)
- TASLogin.exe (PID: 1620 cmdline:
"C:\Users\ Public\Doc uments\A9Q 9P9\TASLog in.exe" MD5: E6A3CACCBD9CA82F38A14BD0D4428240) - TASLogin.exe (PID: 3384 cmdline:
C:\Users\P ublic\Docu ments\A9Q9 P9\TASLogi n.exe MD5: E6A3CACCBD9CA82F38A14BD0D4428240)
- TASLogin.exe (PID: 2084 cmdline:
"C:\Users\ Public\Doc uments\A9Q 9P9\TASLog in.exe" MD5: E6A3CACCBD9CA82F38A14BD0D4428240) - TASLogin.exe (PID: 3512 cmdline:
C:\Users\P ublic\Docu ments\A9Q9 P9\TASLogi n.exe MD5: E6A3CACCBD9CA82F38A14BD0D4428240)
- cleanup
⊘No configs have been found
⊘No yara matches
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems), Tim Shelton: | ||
| Source: | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: | ||
| Source: | Author: Florian Roth (Nextron Systems), Tim Shelton: | ||
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
| Source: | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber: | ||
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-28T09:05:22.603593+0100 | 2016922 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 137.220.137.85 | 24818 | TCP |
Click to jump to signature section
Show All Signature Results
| Source: | EXE: | Jump to behavior | ||
Compliance | |
|---|
| Source: | EXE: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 9_2_00408694 | |
| Source: | Code function: | 9_2_004080C8 | |
| Source: | Code function: | 13_2_00408694 | |
| Source: | Code function: | 13_2_004080C8 | |
| Source: | Code function: | 15_2_00408694 | |
| Source: | Code function: | 15_2_004080C8 | |
| Source: | Code function: | 9_2_00427EE0 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | TCP traffic: | ||
| Source: | ASN Name: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 9_2_0042B0E8 | |
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Code function: | 9_2_0042D600 | |
| Source: | Code function: | 9_2_004208F4 | |
| Source: | Code function: | 9_2_004250A3 | |
| Source: | Code function: | 9_2_0041E0A4 | |
| Source: | Code function: | 9_2_004248B4 | |
| Source: | Code function: | 9_2_0042215C | |
| Source: | Code function: | 9_2_0041E9D4 | |
| Source: | Code function: | 9_2_00425496 | |
| Source: | Code function: | 9_2_00424DF9 | |
| Source: | Code function: | 9_2_00424600 | |
| Source: | Code function: | 9_2_004256E7 | |
| Source: | Code function: | 13_2_004208F4 | |
| Source: | Code function: | 13_2_004250A3 | |
| Source: | Code function: | 13_2_0041E0A4 | |
| Source: | Code function: | 13_2_004248B4 | |
| Source: | Code function: | 13_2_0042215C | |
| Source: | Code function: | 13_2_0041E9D4 | |
| Source: | Code function: | 13_2_00425496 | |
| Source: | Code function: | 13_2_00424DF9 | |
| Source: | Code function: | 13_2_00424600 | |
| Source: | Code function: | 13_2_004256E7 | |
| Source: | Code function: | 15_2_004208F4 | |
| Source: | Code function: | 15_2_004250A3 | |
| Source: | Code function: | 15_2_0041E0A4 | |
| Source: | Code function: | 15_2_004248B4 | |
| Source: | Code function: | 15_2_0042215C | |
| Source: | Code function: | 15_2_0041E9D4 | |
| Source: | Code function: | 15_2_00425496 | |
| Source: | Code function: | 15_2_00424DF9 | |
| Source: | Code function: | 15_2_00424600 | |
| Source: | Code function: | 15_2_004256E7 | |
| Source: | Dropped File: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 9_2_0043BC08 | |
| Source: | Code function: | 9_2_0043D53C | |
| Source: | Code function: | 9_2_0040BA58 | |
| Source: | Code function: | 9_2_0042D600 | |
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Window detected: | ||
| Source: | Static PE information: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
Data Obfuscation | |
|---|
| Source: | Unpacked PE file: | ||
| Source: | Unpacked PE file: | ||
| Source: | Unpacked PE file: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_3_05BBB76B | |
| Source: | Code function: | 0_3_05BBB76B | |
| Source: | Code function: | 0_3_05BBB76B | |
| Source: | Code function: | 0_3_05BBB76B | |
| Source: | Code function: | 0_3_05BBB76B | |
| Source: | Code function: | 0_3_05BBB76B | |
| Source: | Code function: | 0_3_05BBB76B | |
| Source: | Code function: | 0_3_05BBB76B | |
| Source: | Code function: | 0_3_05BBB76B | |
| Source: | Code function: | 0_3_05BBB76B | |
| Source: | Code function: | 0_3_05BBB76B | |
| Source: | Code function: | 0_3_05BBB76B | |
| Source: | Code function: | 0_3_05BBB76B | |
| Source: | Code function: | 0_3_05BBB76B | |
| Source: | Code function: | 0_3_05BBB76B | |
| Source: | Code function: | 0_3_05BBB76B | |
| Source: | Code function: | 0_3_05BBB76B | |
| Source: | Code function: | 0_3_05BBB76B | |
| Source: | Code function: | 8_2_0044CD56 | |
| Source: | Code function: | 9_2_00426845 | |
| Source: | Code function: | 9_2_004433AD | |
| Source: | Code function: | 9_2_00426449 | |
| Source: | Code function: | 9_2_00426409 | |
| Source: | Code function: | 9_2_004310B0 | |
| Source: | Code function: | 9_2_0043E92D | |
| Source: | Code function: | 9_2_0042C130 | |
| Source: | Code function: | 9_2_0042B0DC | |
| Source: | Code function: | 9_2_004159E2 | |
| Source: | Code function: | 9_2_004079FE | |
| Source: | Code function: | 9_2_00415AA6 | |
| Source: | Code function: | 9_2_0042C3B0 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | Code function: | 9_2_0042D600 | |
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
Hooking and other Techniques for Hiding and Protection | |
|---|
| Source: | Icon embedded in binary file: | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | Static PE information: | ||
| Source: | Evasive API call chain: | graph_13-18111 | ||
| Source: | Code function: | 9_2_0042D1D4 | |
| Source: | Code function: | 9_2_0040B0EC | |
| Source: | Code function: | 9_2_0040B0EA | |
| Source: | Code function: | 9_2_0040AEE0 | |
| Source: | Window / User API: | Jump to behavior | ||
| Source: | API coverage: | ||
| Source: | API coverage: | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Last function: | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Code function: | 9_2_00408694 | |
| Source: | Code function: | 9_2_004080C8 | |
| Source: | Code function: | 13_2_00408694 | |
| Source: | Code function: | 13_2_004080C8 | |
| Source: | Code function: | 15_2_00408694 | |
| Source: | Code function: | 15_2_004080C8 | |
| Source: | Code function: | 9_2_00427EE0 | |
| Source: | Code function: | 9_2_00408F10 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | API call chain: | graph_9-15813 | ||
| Source: | API call chain: | graph_13-15782 | ||
| Source: | API call chain: | graph_13-17591 | ||
| Source: | API call chain: | graph_13-17818 | ||
| Source: | API call chain: | graph_15-15782 | ||
| Source: | API call chain: | graph_15-17591 | ||
| Source: | API call chain: | graph_15-17818 | ||
| Source: | Process information queried: | Jump to behavior | ||
Anti Debugging | |
|---|
| Source: | Debugger detection routine: | graph_9-15882 | ||
| Source: | Code function: | 9_2_0042CD20 | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 9_2_004046A0 | |
| Source: | Code function: | 9_2_004087CC | |
| Source: | Code function: | 9_2_0041A844 | |
| Source: | Code function: | 9_2_0041D2E0 | |
| Source: | Code function: | 9_2_00407C6C | |
| Source: | Code function: | 9_2_0041D4C8 | |
| Source: | Code function: | 9_2_0041A7F8 | |
| Source: | Code function: | 13_2_004087CC | |
| Source: | Code function: | 13_2_0041A844 | |
| Source: | Code function: | 13_2_0041D2E0 | |
| Source: | Code function: | 13_2_00407C6C | |
| Source: | Code function: | 13_2_0041D4C8 | |
| Source: | Code function: | 13_2_0041A7F8 | |
| Source: | Code function: | 15_2_004087CC | |
| Source: | Code function: | 15_2_0041A844 | |
| Source: | Code function: | 15_2_0041D2E0 | |
| Source: | Code function: | 15_2_00407C6C | |
| Source: | Code function: | 15_2_0041D4C8 | |
| Source: | Code function: | 15_2_0041A7F8 | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 9_2_0041A7A8 | |
| Source: | Code function: | 9_2_0043B588 | |
| Source: | Code function: | 9_2_0041C9BC | |
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 12 Service Execution | 1 DLL Search Order Hijacking | 1 DLL Search Order Hijacking | 3 Obfuscated Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | 11 Windows Service | 1 Access Token Manipulation | 12 Software Packing | Security Account Manager | 1 System Service Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | 1 Registry Run Keys / Startup Folder | 11 Windows Service | 1 DLL Side-Loading | NTDS | 13 File and Directory Discovery | Distributed Component Object Model | Input Capture | 1 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 112 Process Injection | 1 DLL Search Order Hijacking | LSA Secrets | 35 System Information Discovery | SSH | Keylogging | 1 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 1 Registry Run Keys / Startup Folder | 11 Masquerading | Cached Domain Credentials | 211 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 22 Virtualization/Sandbox Evasion | DCSync | 22 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Access Token Manipulation | Proc Filesystem | 2 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 112 Process Injection | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Rundll32 | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
| Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | Stripped Payloads | Input Capture | 1 System Network Configuration Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 3% | ReversingLabs |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | ReversingLabs | |||
| 3% | ReversingLabs |
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| 24818.windows-updata.com | 137.220.137.85 | true | true | unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false | unknown | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | unknown | |||
| false | unknown | |||
| false |
| unknown | ||
| false | unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 137.220.137.85 | 24818.windows-updata.com | Singapore | 64050 | BCPL-SGBGPNETGlobalASNSG | true |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1543679 |
| Start date and time: | 2024-10-28 09:04:11 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 8m 5s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 17 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exerenamed because original name is a hash value |
| Original Sample Name: | _.hpw.scr.exe |
| Detection: | MAL |
| Classification: | mal69.evad.winEXE@16/21@1/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, PID 7480 because there are no executed function
- Execution Graph export aborted for target TASLogin.exe, PID 1620 because there are no executed function
- Execution Graph export aborted for target TASLogin.exe, PID 2084 because there are no executed function
- Execution Graph export aborted for target TASLogin.exe, PID 7988 because there are no executed function
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtEnumerateKey calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe
| Time | Type | Description |
|---|---|---|
| 04:05:11 | API Interceptor | |
| 04:05:16 | API Interceptor | |
| 04:05:22 | API Interceptor | |
| 08:05:22 | Autostart | |
| 08:05:30 | Autostart |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 137.220.137.85 | Get hash | malicious | Unknown | Browse | ||
| Get hash | malicious | Unknown | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 24818.windows-updata.com | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| BCPL-SGBGPNETGlobalASNSG | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Rekoobe | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | ConnectBack | Browse |
| ||
| Get hash | malicious | ConnectBack | Browse |
| ||
| Get hash | malicious | Rekoobe | Browse |
| ||
| Get hash | malicious | Rekoobe | Browse |
|
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| C:\Users\Public\Documents\A9Q9P9\TASLogin.exe | Get hash | malicious | Unknown | Browse | ||
| Get hash | malicious | Unknown | Browse | |||
| C:\Users\Public\Documents\A9Q9P9\TASLoginBase.dll | Get hash | malicious | Unknown | Browse | ||
| Get hash | malicious | Unknown | Browse |
| Process: | C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 7 |
| Entropy (8bit): | 2.5216406363433186 |
| Encrypted: | false |
| SSDEEP: | 3:4sm:45 |
| MD5: | 3A910712891157EEA6A3244E09C71327 |
| SHA1: | DC4F35ADF281441C6F289D7DC2DF3176200CCB89 |
| SHA-256: | D6DFEBF391F795583510D07C8C1078FC240F1CE0490C379202B05FC47C1A3184 |
| SHA-512: | A11832E10155EB0F4AFCCB1AF942816CEAA30CA5A6218D81FF023B3098D9FE854152989A73AEF6B439A7CE03A3B8839DF101AB26DBADA8834D4169D5C90E715A |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 2084675 |
| Entropy (8bit): | 7.858929675721841 |
| Encrypted: | false |
| SSDEEP: | 49152:er57pncZYCvtokiIs5pc+hhdtP6I7D2Sk:er5m2gtDiBH2 |
| MD5: | B8AA59AE7DACA08C83F3C1D833BC2CA9 |
| SHA1: | DA85B9EF05D8B786CAEF59DFB987B869A0872295 |
| SHA-256: | B25C78CED002AC56D45792272487BAEBDFEEC643634D26C2F95070FBE1AD4044 |
| SHA-512: | 4B9F9C1711855F5884E36C76E0BBE72E6616BDA2D4387CC750403C4EA0D6B025E826F213CD5953C0AAC8E83C06ADFCBED6AE3564BC8087CC5C82D8AAAF48ACA1 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\Public\Documents\A9Q9P9\TASLogin.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 342 |
| Entropy (8bit): | 3.8464484274890114 |
| Encrypted: | false |
| SSDEEP: | 6:fTHNlKnGK1Mg1ftsoPf21kDxfnLQyw+/THNlKnGV/B1ftsoPf21kDxfnLQywc:rH3KqStJSOLi+LH3KAtJSOLic |
| MD5: | 70DA3A34D12F090D3EEE3BE320E77E37 |
| SHA1: | 4BBF76873DCAA58F4F7F1C14A0AB0EA4153AC46C |
| SHA-256: | F0E89736800249D2359A266F9CB2E6CDDD22570D45FA2B6A39AE92477401C594 |
| SHA-512: | 0B8A6F6B5D4352577B36291334DBF4C8A3C5F0E8948EB01639378F1994B46DA302618E7A9B72B027154C9DB318F3C3CFCEF724E85449C95179D6C8B83BCA5FB5 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 581584 |
| Entropy (8bit): | 6.872912235056943 |
| Encrypted: | false |
| SSDEEP: | 6144:vSB3SqIVGOto+XBwwcr7oegM5BZvzx/LH2V9TBipz1ze5H7wOgyS64GdPgdYuR:vSBXLODdcdqXTUpz1Kbsyb4FdYG |
| MD5: | E6A3CACCBD9CA82F38A14BD0D4428240 |
| SHA1: | 63937051B04582255505261D512A80AB40513B5F |
| SHA-256: | CA1F26619B4483F4BDA6B4D352B58A9C4F30C2E985E62E761B7D6F3440922264 |
| SHA-512: | 21FBC87528DBC6B0F4AEE165D9B812595AD1D30AF434C401F4BC86D8BD6A209DA950523CF00E7AE5FB1676350CD299D96E0E7A0255E6EBF53AEB7E51DD5D133E |
| Malicious: | true |
| Antivirus: |
|
| Joe Sandbox View: | |
| Preview: |
| Process: | C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 55734272 |
| Entropy (8bit): | 5.679064125230232 |
| Encrypted: | false |
| SSDEEP: | 24576:geiVTsbha1Ap4sB8n4ypNqb5GWKHuVFtNjHYPQhNzl+qNLCWhFBIIb7SCeU:9iVyCCMHYTce9NmuISSjU |
| MD5: | 4792F8361D50D90955C0525A2BFF1625 |
| SHA1: | 9C304B2CDA0F6701F89AFA21C8F8521E6B0BB22C |
| SHA-256: | 44FED379DC48CEEEFF46FD463CBC19015ADAF625FCF6279675724A600520E345 |
| SHA-512: | 52FAE02210C88F90634D711E20B1CC2BA3F4DBDE6801B41942E8538E8E7EABD2D7AB1D9938EB180C092DC92F4B466FB2629F8A604F4CE6B3769DC39C593B9A2A |
| Malicious: | false |
| Antivirus: |
|
| Joe Sandbox View: | |
| Preview: |
| Process: | C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 324608 |
| Entropy (8bit): | 6.519141819659315 |
| Encrypted: | false |
| SSDEEP: | 6144:sDERrfEH1INKtzWc9yijT0OPFJXpLxytqGjd17:2ERAHSszWcEif0+FRBwtp7 |
| MD5: | 469CAF4D761A34C793201A577963E414 |
| SHA1: | 3ED245D3C96E36F4E7E6A08AD4C66E8ECA65F7A5 |
| SHA-256: | F76F68C9E3AFB0D4D5B5AEFFF62D76024C8C2CB50D7BFCB8E11AFA297F5B5CB0 |
| SHA-512: | B8117428DD401C7E16860C92D5C73DE68FD16C708E9AB7F06A51E63A738CB790722CE281C85043D3455B3E05D15B7E450FAF8CD8CB4C92AB137048C9A0AA9F58 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 200704 |
| Entropy (8bit): | 7.855367666447655 |
| Encrypted: | false |
| SSDEEP: | 3072:ySVmSJYhsV+O9JXWIfRNFyrQ2KGw4wI3m6QfZMOBUyMO+wiloOy81Ty:BXKhsV+GJXxLzGwo3mjhb8O+wc1Ty |
| MD5: | A2758B91909ECAAF1E3948EC6596B023 |
| SHA1: | 1287B543FA62039150BDC876FB4ED5A73A6D0093 |
| SHA-256: | 5D41A54E8E24725CE1A0237A1254B197AFD13F40D1A049F90D9F04D8902801B4 |
| SHA-512: | AB0B98E4A99D623E38D803BDE23F1A00F7F036E3C673BD157FEF04DF803819B61156D1840C615BFC0AC642DB277B202773D36C80C6076D1A8446FB28B3C40DE3 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 130 |
| Entropy (8bit): | 4.933813966373562 |
| Encrypted: | false |
| SSDEEP: | 3:HRAbABGQYmHmRDaHF5hdCl+D10AqSVyyKTLwkPaHF5hdCl+D1Vvn:HRYFVmoaH9dClApVh0BPaH9dCGn |
| MD5: | A95FA9F0434DA0FE1747F3A9EAFD2445 |
| SHA1: | 05D283F953397C91C3D8C0365878D1B4BA0DF0FE |
| SHA-256: | B35102AFB23B03D3E9489B76A92855ED3AC7D72AE3F87D1AC5367FC40F1FD8D0 |
| SHA-512: | 62F232737B4C95F12B60B1176EC06A161AE8121CAF41D3281BA72061A8AF22FA476C28370F52584A2D9794A1228C024F6B48C5EEE19EE8B7CA03B95F5682DC92 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 130 |
| Entropy (8bit): | 4.933813966373562 |
| Encrypted: | false |
| SSDEEP: | 3:HRAbABGQYmHmRDaHF5hdCl+D10AqSVyyKTLwkPaHF5hdCl+D1Vvn:HRYFVmoaH9dClApVh0BPaH9dCGn |
| MD5: | A95FA9F0434DA0FE1747F3A9EAFD2445 |
| SHA1: | 05D283F953397C91C3D8C0365878D1B4BA0DF0FE |
| SHA-256: | B35102AFB23B03D3E9489B76A92855ED3AC7D72AE3F87D1AC5367FC40F1FD8D0 |
| SHA-512: | 62F232737B4C95F12B60B1176EC06A161AE8121CAF41D3281BA72061A8AF22FA476C28370F52584A2D9794A1228C024F6B48C5EEE19EE8B7CA03B95F5682DC92 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 130 |
| Entropy (8bit): | 4.933813966373562 |
| Encrypted: | false |
| SSDEEP: | 3:HRAbABGQYmHmRDaHF5hdCl+D10AqSVyyKTLwkPaHF5hdCl+D1Vvn:HRYFVmoaH9dClApVh0BPaH9dCGn |
| MD5: | A95FA9F0434DA0FE1747F3A9EAFD2445 |
| SHA1: | 05D283F953397C91C3D8C0365878D1B4BA0DF0FE |
| SHA-256: | B35102AFB23B03D3E9489B76A92855ED3AC7D72AE3F87D1AC5367FC40F1FD8D0 |
| SHA-512: | 62F232737B4C95F12B60B1176EC06A161AE8121CAF41D3281BA72061A8AF22FA476C28370F52584A2D9794A1228C024F6B48C5EEE19EE8B7CA03B95F5682DC92 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 130 |
| Entropy (8bit): | 4.933813966373562 |
| Encrypted: | false |
| SSDEEP: | 3:HRAbABGQYmHmRDaHF5hdCl+D10AqSVyyKTLwkPaHF5hdCl+D1Vvn:HRYFVmoaH9dClApVh0BPaH9dCGn |
| MD5: | A95FA9F0434DA0FE1747F3A9EAFD2445 |
| SHA1: | 05D283F953397C91C3D8C0365878D1B4BA0DF0FE |
| SHA-256: | B35102AFB23B03D3E9489B76A92855ED3AC7D72AE3F87D1AC5367FC40F1FD8D0 |
| SHA-512: | 62F232737B4C95F12B60B1176EC06A161AE8121CAF41D3281BA72061A8AF22FA476C28370F52584A2D9794A1228C024F6B48C5EEE19EE8B7CA03B95F5682DC92 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 131 |
| Entropy (8bit): | 4.876320183147702 |
| Encrypted: | false |
| SSDEEP: | 3:HRAbABGQYmHmRDaHF5hdCl+D1MkOKPSxXjLwkPaHF5hdCl+D1Vvn:HRYFVmoaH9dCdkhSxTBPaH9dCGn |
| MD5: | 83EF7F4389E982E161E52FE111E992B2 |
| SHA1: | 198BDCAA7B6BD89DF4A0F9AECCFCD08A8937C44B |
| SHA-256: | 0146331AC469E8527473D768840FFD205BD751C11E98FA1C98F9CB81834B0222 |
| SHA-512: | D161046CF16DC76308AAF342E7B221723A2C841C7711D5C0741772B5AFC2BCA132398021AA040D31D9E627BB909C4224525EA8BE3658795EBF01426DAC66900C |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 131 |
| Entropy (8bit): | 4.876320183147702 |
| Encrypted: | false |
| SSDEEP: | 3:HRAbABGQYmHmRDaHF5hdCl+D1MkOKPSxXjLwkPaHF5hdCl+D1Vvn:HRYFVmoaH9dCdkhSxTBPaH9dCGn |
| MD5: | 83EF7F4389E982E161E52FE111E992B2 |
| SHA1: | 198BDCAA7B6BD89DF4A0F9AECCFCD08A8937C44B |
| SHA-256: | 0146331AC469E8527473D768840FFD205BD751C11E98FA1C98F9CB81834B0222 |
| SHA-512: | D161046CF16DC76308AAF342E7B221723A2C841C7711D5C0741772B5AFC2BCA132398021AA040D31D9E627BB909C4224525EA8BE3658795EBF01426DAC66900C |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 130 |
| Entropy (8bit): | 4.933813966373562 |
| Encrypted: | false |
| SSDEEP: | 3:HRAbABGQYmHmRDaHF5hdCl+D10AqSVyyKTLwkPaHF5hdCl+D1Vvn:HRYFVmoaH9dClApVh0BPaH9dCGn |
| MD5: | A95FA9F0434DA0FE1747F3A9EAFD2445 |
| SHA1: | 05D283F953397C91C3D8C0365878D1B4BA0DF0FE |
| SHA-256: | B35102AFB23B03D3E9489B76A92855ED3AC7D72AE3F87D1AC5367FC40F1FD8D0 |
| SHA-512: | 62F232737B4C95F12B60B1176EC06A161AE8121CAF41D3281BA72061A8AF22FA476C28370F52584A2D9794A1228C024F6B48C5EEE19EE8B7CA03B95F5682DC92 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 131 |
| Entropy (8bit): | 4.876320183147702 |
| Encrypted: | false |
| SSDEEP: | 3:HRAbABGQYmHmRDaHF5hdCl+D1MkOKPSxXjLwkPaHF5hdCl+D1Vvn:HRYFVmoaH9dCdkhSxTBPaH9dCGn |
| MD5: | 83EF7F4389E982E161E52FE111E992B2 |
| SHA1: | 198BDCAA7B6BD89DF4A0F9AECCFCD08A8937C44B |
| SHA-256: | 0146331AC469E8527473D768840FFD205BD751C11E98FA1C98F9CB81834B0222 |
| SHA-512: | D161046CF16DC76308AAF342E7B221723A2C841C7711D5C0741772B5AFC2BCA132398021AA040D31D9E627BB909C4224525EA8BE3658795EBF01426DAC66900C |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 130 |
| Entropy (8bit): | 4.933813966373562 |
| Encrypted: | false |
| SSDEEP: | 3:HRAbABGQYmHmRDaHF5hdCl+D10AqSVyyKTLwkPaHF5hdCl+D1Vvn:HRYFVmoaH9dClApVh0BPaH9dCGn |
| MD5: | A95FA9F0434DA0FE1747F3A9EAFD2445 |
| SHA1: | 05D283F953397C91C3D8C0365878D1B4BA0DF0FE |
| SHA-256: | B35102AFB23B03D3E9489B76A92855ED3AC7D72AE3F87D1AC5367FC40F1FD8D0 |
| SHA-512: | 62F232737B4C95F12B60B1176EC06A161AE8121CAF41D3281BA72061A8AF22FA476C28370F52584A2D9794A1228C024F6B48C5EEE19EE8B7CA03B95F5682DC92 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 131 |
| Entropy (8bit): | 4.876320183147702 |
| Encrypted: | false |
| SSDEEP: | 3:HRAbABGQYmHmRDaHF5hdCl+D1MkOKPSxXjLwkPaHF5hdCl+D1Vvn:HRYFVmoaH9dCdkhSxTBPaH9dCGn |
| MD5: | 83EF7F4389E982E161E52FE111E992B2 |
| SHA1: | 198BDCAA7B6BD89DF4A0F9AECCFCD08A8937C44B |
| SHA-256: | 0146331AC469E8527473D768840FFD205BD751C11E98FA1C98F9CB81834B0222 |
| SHA-512: | D161046CF16DC76308AAF342E7B221723A2C841C7711D5C0741772B5AFC2BCA132398021AA040D31D9E627BB909C4224525EA8BE3658795EBF01426DAC66900C |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 131 |
| Entropy (8bit): | 4.876320183147702 |
| Encrypted: | false |
| SSDEEP: | 3:HRAbABGQYmHmRDaHF5hdCl+D1MkOKPSxXjLwkPaHF5hdCl+D1Vvn:HRYFVmoaH9dCdkhSxTBPaH9dCGn |
| MD5: | 83EF7F4389E982E161E52FE111E992B2 |
| SHA1: | 198BDCAA7B6BD89DF4A0F9AECCFCD08A8937C44B |
| SHA-256: | 0146331AC469E8527473D768840FFD205BD751C11E98FA1C98F9CB81834B0222 |
| SHA-512: | D161046CF16DC76308AAF342E7B221723A2C841C7711D5C0741772B5AFC2BCA132398021AA040D31D9E627BB909C4224525EA8BE3658795EBF01426DAC66900C |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 130 |
| Entropy (8bit): | 4.933813966373562 |
| Encrypted: | false |
| SSDEEP: | 3:HRAbABGQYmHmRDaHF5hdCl+D10AqSVyyKTLwkPaHF5hdCl+D1Vvn:HRYFVmoaH9dClApVh0BPaH9dCGn |
| MD5: | A95FA9F0434DA0FE1747F3A9EAFD2445 |
| SHA1: | 05D283F953397C91C3D8C0365878D1B4BA0DF0FE |
| SHA-256: | B35102AFB23B03D3E9489B76A92855ED3AC7D72AE3F87D1AC5367FC40F1FD8D0 |
| SHA-512: | 62F232737B4C95F12B60B1176EC06A161AE8121CAF41D3281BA72061A8AF22FA476C28370F52584A2D9794A1228C024F6B48C5EEE19EE8B7CA03B95F5682DC92 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 131 |
| Entropy (8bit): | 4.876320183147702 |
| Encrypted: | false |
| SSDEEP: | 3:HRAbABGQYmHmRDaHF5hdCl+D1MkOKPSxXjLwkPaHF5hdCl+D1Vvn:HRYFVmoaH9dCdkhSxTBPaH9dCGn |
| MD5: | 83EF7F4389E982E161E52FE111E992B2 |
| SHA1: | 198BDCAA7B6BD89DF4A0F9AECCFCD08A8937C44B |
| SHA-256: | 0146331AC469E8527473D768840FFD205BD751C11E98FA1C98F9CB81834B0222 |
| SHA-512: | D161046CF16DC76308AAF342E7B221723A2C841C7711D5C0741772B5AFC2BCA132398021AA040D31D9E627BB909C4224525EA8BE3658795EBF01426DAC66900C |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 131 |
| Entropy (8bit): | 4.876320183147702 |
| Encrypted: | false |
| SSDEEP: | 3:HRAbABGQYmHmRDaHF5hdCl+D1MkOKPSxXjLwkPaHF5hdCl+D1Vvn:HRYFVmoaH9dCdkhSxTBPaH9dCGn |
| MD5: | 83EF7F4389E982E161E52FE111E992B2 |
| SHA1: | 198BDCAA7B6BD89DF4A0F9AECCFCD08A8937C44B |
| SHA-256: | 0146331AC469E8527473D768840FFD205BD751C11E98FA1C98F9CB81834B0222 |
| SHA-512: | D161046CF16DC76308AAF342E7B221723A2C841C7711D5C0741772B5AFC2BCA132398021AA040D31D9E627BB909C4224525EA8BE3658795EBF01426DAC66900C |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 5.778961878652255 |
| TrID: |
|
| File name: | #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe |
| File size: | 57'700'088 bytes |
| MD5: | 697d9c4f0800f93a19b89bf923d4135a |
| SHA1: | 6d77a6b41de8d1f24bee70ea628029fe7784077f |
| SHA256: | 8071c7b74e7ca2769f3746ec8cc007caee65474bb77808b7a84c84f877452605 |
| SHA512: | a699819be46329980047f50b819b84ce585115871b2a8e41c61a8cd66dcf4739213e195d280e993716d6ba0b0f8b15954b77330e0e97acd57029624895faa145 |
| SSDEEP: | 49152:29oGEDr57pncZYCvtokiIs5pc+hhdtP6I7D2SGcCyEq9DRho/ctH01Ws74rA4RUS:29rgr5m2gtDiBHG5qFb0I+0PqkW6 |
| TLSH: | 53C77BE5EBB67553E861E63418F16778A567321BA370DD8630AC92398F857C04F8F08E |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4...Z...Z...Z.6.....Z.6.....Z...[...Z..d'...Z..d7.4.Z..d4.S.Z..d&...Z..d"...Z.Rich..Z.........PE..L......f................... |
 | |
| Icon Hash: | 80829e9e9a9e8c91 |
| Entrypoint: | 0x440cf2 |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | |
| Time Stamp: | 0x66F00D2E [Sun Sep 22 12:27:26 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | f77f649cebbc2879c7b68076eb63bc11 |
| Signature Valid: | true |
| Signature Issuer: | CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB |
| Signature Validation Error: | The operation completed successfully |
| Error Number: | 0 |
| Not Before, Not After |
|
| Subject Chain |
|
| Version: | 3 |
| Thumbprint MD5: | 1545B69C7993DB703C90CD929857CB8B |
| Thumbprint SHA-1: | 81458929D258DB62735B3A6D56577FED725C2A02 |
| Thumbprint SHA-256: | 1F8381B50B8366D3BD0DF428CA6DCDFA69C26116B81A58CA43A1464EDFA6F5FE |
| Serial: | 00FEF386AC9C1D8636CB370C8C247F44FA |
| Instruction |
|---|
| call 00007F33C06301B3h |
| jmp 00007F33C06271CBh |
| push 00000000h |
| push dword ptr [esp+14h] |
| push dword ptr [esp+14h] |
| push dword ptr [esp+14h] |
| push dword ptr [esp+14h] |
| call 00007F33C063022Bh |
| add esp, 14h |
| ret |
| mov eax, dword ptr [esp+04h] |
| xor ecx, ecx |
| cmp eax, dword ptr [00474EE8h+ecx*8] |
| je 00007F33C06273C4h |
| inc ecx |
| cmp ecx, 2Dh |
| jl 00007F33C06273A3h |
| lea ecx, dword ptr [eax-13h] |
| cmp ecx, 11h |
| jnbe 00007F33C06273BEh |
| push 0000000Dh |
| pop eax |
| ret |
| mov eax, dword ptr [00474EECh+ecx*8] |
| ret |
| add eax, FFFFFF44h |
| push 0000000Eh |
| pop ecx |
| cmp ecx, eax |
| sbb eax, eax |
| and eax, ecx |
| add eax, 08h |
| ret |
| call 00007F33C0629888h |
| test eax, eax |
| jne 00007F33C06273B8h |
| mov eax, 00475050h |
| ret |
| add eax, 08h |
| ret |
| call 00007F33C0629875h |
| test eax, eax |
| jne 00007F33C06273B8h |
| mov eax, 00475054h |
| ret |
| add eax, 0Ch |
| ret |
| push esi |
| call 00007F33C062739Ch |
| mov ecx, dword ptr [esp+08h] |
| push ecx |
| mov dword ptr [eax], ecx |
| call 00007F33C0627342h |
| pop ecx |
| mov esi, eax |
| call 00007F33C0627375h |
| mov dword ptr [eax], esi |
| pop esi |
| ret |
| call 00007F33C062917Ch |
| push dword ptr [esp+04h] |
| call 00007F33C0628FD3h |
| push dword ptr [00475058h] |
| call 00007F33C06296A9h |
| push 000000FFh |
| call eax |
| add esp, 0Ch |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x722b4 | 0xa0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7b000 | 0x368ac84 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x3702000 | 0x4ef8 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x66458 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x60000 | 0x42c | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x7222c | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x5e1a4 | 0x5f000 | b92461ad663671071019fb20093c4505 | False | 0.4565403988486842 | data | 6.476084791222863 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x60000 | 0x13902 | 0x14000 | 4ef4a007f5ead19f60aa4494ae216eac | False | 0.35657958984375 | data | 4.689943254518714 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x74000 | 0x6264 | 0x3000 | 946ebd3e93aff950f8bacd1eee5afbfb | False | 0.23575846354166666 | data | 3.2699659458180044 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x7b000 | 0x368ac84 | 0x368b000 | bf9991bfec032c13dd4873dedbe72114 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| ZIP | 0x7bf04 | 0x1fcf43 | Zip archive data, at least v2.0 to extract, compression method=deflate | Chinese | China | 0.99932861328125 |
| RT_CURSOR | 0x278e48 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.4805194805194805 |
| RT_CURSOR | 0x278f7c | 0xb4 | Targa image data - Map 32 x 65536 x 1 +16 "\001" | Chinese | China | 0.7 |
| RT_CURSOR | 0x279030 | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294967264, 5120 elements, 2nd "\377\360?\377\377\370\177\377\377\374\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd | Chinese | China | 0.36363636363636365 |
| RT_CURSOR | 0x279164 | 0x134 | Targa image data - RLE 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.35714285714285715 |
| RT_CURSOR | 0x279298 | 0x134 | data | Chinese | China | 0.37337662337662336 |
| RT_CURSOR | 0x2793cc | 0x134 | data | Chinese | China | 0.37662337662337664 |
| RT_CURSOR | 0x279500 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.36688311688311687 |
| RT_CURSOR | 0x279634 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.37662337662337664 |
| RT_CURSOR | 0x279768 | 0x134 | Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.36688311688311687 |
| RT_CURSOR | 0x27989c | 0x134 | Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.38636363636363635 |
| RT_CURSOR | 0x2799d0 | 0x134 | data | Chinese | China | 0.44155844155844154 |
| RT_CURSOR | 0x279b04 | 0x134 | data | Chinese | China | 0.4155844155844156 |
| RT_CURSOR | 0x279c38 | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294966847, 3840 elements, 2nd "\377?\374\377\377\300\003\377\377\300\003\377\377\340\007\377\377\360\017\377\377\370\037\377\377\374?\377\377\376\177\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd | Chinese | China | 0.5422077922077922 |
| RT_CURSOR | 0x279d6c | 0x134 | data | Chinese | China | 0.2662337662337662 |
| RT_CURSOR | 0x279ea0 | 0x134 | data | Chinese | China | 0.2824675324675325 |
| RT_CURSOR | 0x279fd4 | 0x134 | data | Chinese | China | 0.3246753246753247 |
| RT_BITMAP | 0x27a108 | 0xb8 | Device independent bitmap graphic, 12 x 10 x 4, image size 80 | Chinese | China | 0.44565217391304346 |
| RT_BITMAP | 0x27a1c0 | 0x144 | Device independent bitmap graphic, 33 x 11 x 4, image size 220 | Chinese | China | 0.37962962962962965 |
| RT_ICON | 0x27a304 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | 0.180956678700361 | ||
| RT_ICON | 0x27abac | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | 0.18280346820809248 | ||
| RT_ICON | 0x27b114 | 0xdac | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | 0.8914285714285715 | ||
| RT_ICON | 0x27bec0 | 0xdac | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | 0.8914285714285715 | ||
| RT_ICON | 0x27cc6c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | 0.06887966804979254 | ||
| RT_ICON | 0x27f214 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | 0.11092870544090057 | ||
| RT_ICON | 0x2802bc | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | 0.20656028368794327 | ||
| RT_DIALOG | 0x280724 | 0xcc | data | Chinese | China | 0.7107843137254902 |
| RT_DIALOG | 0x2807f0 | 0xe2 | data | Chinese | China | 0.6637168141592921 |
| RT_DIALOG | 0x2808d4 | 0x34 | data | Chinese | China | 0.9038461538461539 |
| RT_STRING | 0x280908 | 0x54 | data | Chinese | China | 0.8571428571428571 |
| RT_STRING | 0x28095c | 0x2c | data | Chinese | China | 0.5909090909090909 |
| RT_STRING | 0x280988 | 0x82 | data | Chinese | China | 0.8769230769230769 |
| RT_STRING | 0x280a0c | 0x1d0 | data | Chinese | China | 0.8060344827586207 |
| RT_STRING | 0x280bdc | 0x164 | data | Chinese | China | 0.48314606741573035 |
| RT_STRING | 0x280d40 | 0x132 | data | Chinese | China | 0.6405228758169934 |
| RT_STRING | 0x280e74 | 0x50 | data | Chinese | China | 0.725 |
| RT_STRING | 0x280ec4 | 0x40 | data | Chinese | China | 0.65625 |
| RT_STRING | 0x280f04 | 0x6a | data | Chinese | China | 0.7452830188679245 |
| RT_STRING | 0x280f70 | 0x1d6 | data | Chinese | China | 0.6723404255319149 |
| RT_STRING | 0x281148 | 0x110 | data | Chinese | China | 0.625 |
| RT_STRING | 0x281258 | 0x24 | data | Chinese | China | 0.4444444444444444 |
| RT_STRING | 0x28127c | 0x30 | data | Chinese | China | 0.625 |
| RT_RCDATA | 0x2812ac | 0x335c318 | JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=8, orientation=upper-left, xresolution=110, yresolution=118, resolutionunit=2, software=ACDSee Pro 6, datetime=2023:10:27 16:07:55], baseline, precision 8, 55x67, components 3 | 0.012384414672851562 | ||
| RT_RCDATA | 0x35dd5c4 | 0x80 | MSVC .res | Chinese | China | 0.640625 |
| RT_RCDATA | 0x35dd644 | 0x122bd8 | MSVC .res | Chinese | China | 1.0003061294555664 |
| RT_GROUP_CURSOR | 0x370021c | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | Chinese | China | 0.9705882352941176 |
| RT_GROUP_CURSOR | 0x3700240 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
| RT_GROUP_CURSOR | 0x3700254 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
| RT_GROUP_CURSOR | 0x3700268 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
| RT_GROUP_CURSOR | 0x370027c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
| RT_GROUP_CURSOR | 0x3700290 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
| RT_GROUP_CURSOR | 0x37002a4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
| RT_GROUP_CURSOR | 0x37002b8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
| RT_GROUP_CURSOR | 0x37002cc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
| RT_GROUP_CURSOR | 0x37002e0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
| RT_GROUP_CURSOR | 0x37002f4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
| RT_GROUP_CURSOR | 0x3700308 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
| RT_GROUP_CURSOR | 0x370031c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
| RT_GROUP_CURSOR | 0x3700330 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
| RT_GROUP_CURSOR | 0x3700344 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3 |
| RT_GROUP_ICON | 0x3700358 | 0x5a | data | 0.7333333333333333 | ||
| RT_HTML | 0x37003b4 | 0x2b6 | ASCII text | Chinese | China | 0.4755043227665706 |
| RT_HTML | 0x370066c | 0x216 | ASCII text | Chinese | China | 0.4700374531835206 |
| RT_HTML | 0x3700884 | 0x8f0 | HTML document, Unicode text, UTF-8 text | Chinese | China | 0.4785839160839161 |
| RT_HTML | 0x3701174 | 0x973 | HTML document, Unicode text, UTF-8 (with BOM) text | Chinese | China | 0.4803637866887143 |
| RT_HTML | 0x3701ae8 | 0x7f4 | HTML document, Unicode text, UTF-8 text | Chinese | China | 0.4764243614931238 |
| RT_HTML | 0x37022dc | 0x859 | HTML document, Unicode text, UTF-8 (with BOM) text | Chinese | China | 0.48713149274684137 |
| RT_HTML | 0x3702b38 | 0x7e6 | HTML document, Unicode text, UTF-8 text | Chinese | China | 0.46439169139465875 |
| RT_HTML | 0x3703320 | 0x815 | HTML document, Unicode text, UTF-8 text | Chinese | China | 0.471725471242146 |
| RT_HTML | 0x3703b38 | 0x9bc | HTML document, Unicode text, UTF-8 (with BOM) text | Chinese | China | 0.47752808988764045 |
| RT_HTML | 0x37044f4 | 0x7b7 | HTML document, ASCII text | Chinese | China | 0.4450632911392405 |
| RT_HTML | 0x3704cac | 0x792 | HTML document, ASCII text | Chinese | China | 0.45562435500515996 |
| RT_HTML | 0x3705440 | 0x7ec | HTML document, Unicode text, UTF-8 text | Chinese | China | 0.4723865877712032 |
| RT_MANIFEST | 0x3705c2c | 0x56 | ASCII text, with CRLF line terminators | English | United States | 1.0232558139534884 |
| DLL | Import |
|---|---|
| KERNEL32.dll | GetCurrentProcess, GetCPInfo, GetOEMCP, SetErrorMode, GetFileAttributesA, HeapAlloc, HeapFree, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapReAlloc, RaiseException, VirtualAlloc, RtlUnwind, GetCommandLineA, GetProcessHeap, GetStartupInfoA, ExitProcess, HeapSize, SetEndOfFile, VirtualFree, HeapDestroy, HeapCreate, GetStdHandle, SetHandleCount, GetFileType, GetConsoleCP, GetConsoleMode, GetACP, LCMapStringA, LCMapStringW, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetSystemTimeAsFileTime, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle, GetStringTypeA, GetStringTypeW, GetUserDefaultLCID, EnumSystemLocalesA, IsValidLocale, IsValidCodePage, GetLocaleInfoW, FlushFileBuffers, SetFilePointer, ReadFile, GlobalFlags, WritePrivateProfileStringA, InterlockedIncrement, TlsFree, DeleteCriticalSection, LocalReAlloc, TlsSetValue, TlsAlloc, InitializeCriticalSection, GlobalHandle, GlobalReAlloc, EnterCriticalSection, TlsGetValue, LeaveCriticalSection, LocalAlloc, FreeResource, GlobalGetAtomNameA, GlobalFindAtomA, lstrcmpW, GetVersionExA, InterlockedDecrement, GetModuleFileNameW, GetCurrentProcessId, GlobalAddAtomA, GetCurrentThread, GetCurrentThreadId, ConvertDefaultLocale, GetModuleFileNameA, EnumResourceLanguagesA, GetLocaleInfoA, lstrcmpA, GlobalDeleteAtom, GetModuleHandleA, GlobalFree, GlobalAlloc, GlobalLock, GlobalUnlock, FormatMessageA, LocalFree, MulDiv, SetLastError, lstrcpyA, Sleep, GetThreadLocale, FreeLibrary, GetProcAddress, LoadLibraryA, GetTickCount, WriteFile, SetFileTime, LocalFileTimeToFileTime, CreateDirectoryA, CloseHandle, CreateFileA, SystemTimeToFileTime, lstrlenA, CreateFileW, CompareStringA, GetVersion, FindResourceA, LoadResource, LockResource, SizeofResource, GetLastError, WideCharToMultiByte, MultiByteToWideChar, InterlockedExchange |
| USER32.dll | GetClassNameA, SetPropA, GetPropA, RemovePropA, IsWindow, SetFocus, GetWindowTextA, GetForegroundWindow, SetActiveWindow, GetDlgItem, GetTopWindow, DestroyWindow, GetMessagePos, MapWindowPoints, SetForegroundWindow, UpdateWindow, GetMenu, CreateWindowExA, GetClassInfoExA, GetClassInfoA, RegisterClassA, GetSysColor, AdjustWindowRectEx, CopyRect, PtInRect, GetDlgCtrlID, DefWindowProcA, SetWindowLongA, SetWindowPos, SystemParametersInfoA, GetWindowPlacement, GetWindowRect, GetWindow, UnhookWindowsHookEx, GetWindowThreadProcessId, GetWindowLongA, GetLastActivePopup, IsWindowEnabled, MessageBoxA, SetCursor, SetWindowsHookExA, CallNextHookEx, GetMessageA, TranslateMessage, DispatchMessageA, GetActiveWindow, IsWindowVisible, GetKeyState, PeekMessageA, GetCursorPos, ValidateRect, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, LoadBitmapA, GetFocus, GetParent, ModifyMenuA, EnableMenuItem, CheckMenuItem, PostMessageA, PostQuitMessage, GetMenuState, GetMenuItemID, GetMenuItemCount, GetSubMenu, LoadCursorA, GetSysColorBrush, GetSystemMetrics, EnableWindow, LoadIconA, GetClientRect, IsIconic, SendMessageA, DrawIcon, wsprintfA, GetDesktopWindow, DestroyMenu, UnregisterClassA, CallWindowProcA, EndPaint, BeginPaint, ReleaseDC, GetDC, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, ShowWindow, SetWindowTextA, IsDialogMessageA, CreateDialogIndirectParamA, GetNextDlgTabItem, EndDialog, RegisterWindowMessageA, SendDlgItemMessageA, WinHelpA, GetCapture, GetClassLongA, GetMessageTime |
| GDI32.dll | SetMapMode, DeleteObject, PtVisible, RectVisible, TextOutA, ExtTextOutA, Escape, SelectObject, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowExtEx, ScaleWindowExtEx, DeleteDC, GetStockObject, RestoreDC, SaveDC, GetObjectA, SetBkColor, SetTextColor, GetClipBox, CreateBitmap, GetDeviceCaps |
| WINSPOOL.DRV | ClosePrinter, DocumentPropertiesA, OpenPrinterA |
| ADVAPI32.dll | RegSetValueExA, RegCreateKeyExA, RegQueryValueA, RegEnumKeyA, RegDeleteKeyA, RegOpenKeyExA, RegQueryValueExA, RegOpenKeyA, RegCloseKey |
| SHLWAPI.dll | PathFindFileNameA, PathFindExtensionA |
| OLEAUT32.dll | VariantInit, VariantChangeType, VariantClear |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| Chinese | China |  |
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-28T09:05:22.603593+0100 | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 192.168.2.4 | 49740 | 137.220.137.85 | 24818 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 28, 2024 09:05:22.158482075 CET | 49740 | 24818 | 192.168.2.4 | 137.220.137.85 |
| Oct 28, 2024 09:05:22.163866997 CET | 24818 | 49740 | 137.220.137.85 | 192.168.2.4 |
| Oct 28, 2024 09:05:22.163953066 CET | 49740 | 24818 | 192.168.2.4 | 137.220.137.85 |
| Oct 28, 2024 09:05:22.603593111 CET | 49740 | 24818 | 192.168.2.4 | 137.220.137.85 |
| Oct 28, 2024 09:05:22.610053062 CET | 24818 | 49740 | 137.220.137.85 | 192.168.2.4 |
| Oct 28, 2024 09:05:23.049129963 CET | 24818 | 49740 | 137.220.137.85 | 192.168.2.4 |
| Oct 28, 2024 09:05:23.095026016 CET | 49740 | 24818 | 192.168.2.4 | 137.220.137.85 |
| Oct 28, 2024 09:06:23.048217058 CET | 49740 | 24818 | 192.168.2.4 | 137.220.137.85 |
| Oct 28, 2024 09:06:23.053555012 CET | 24818 | 49740 | 137.220.137.85 | 192.168.2.4 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 28, 2024 09:05:22.119610071 CET | 55245 | 53 | 192.168.2.4 | 1.1.1.1 |
| Oct 28, 2024 09:05:22.154263020 CET | 53 | 55245 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Oct 28, 2024 09:05:22.119610071 CET | 192.168.2.4 | 1.1.1.1 | 0x33fe | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Oct 28, 2024 09:05:22.154263020 CET | 1.1.1.1 | 192.168.2.4 | 0x33fe | No error (0) | 137.220.137.85 | A (IP address) | IN (0x0001) | false |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 04:05:03 |
| Start date: | 28/10/2024 |
| Path: | C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 57'700'088 bytes |
| MD5 hash: | 697D9C4F0800F93A19B89BF923D4135A |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 04:05:08 |
| Start date: | 28/10/2024 |
| Path: | C:\Windows\explorer.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff72b770000 |
| File size: | 5'141'208 bytes |
| MD5 hash: | 662F4F92FDE3557E86D110526BB578D5 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 04:05:08 |
| Start date: | 28/10/2024 |
| Path: | C:\Windows\explorer.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff72b770000 |
| File size: | 5'141'208 bytes |
| MD5 hash: | 662F4F92FDE3557E86D110526BB578D5 |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | false |
| Target ID: | 3 |
| Start time: | 04:05:09 |
| Start date: | 28/10/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6bd680000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 04:05:16 |
| Start date: | 28/10/2024 |
| Path: | C:\Windows\System32\OpenWith.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff612240000 |
| File size: | 123'984 bytes |
| MD5 hash: | E4A834784FA08C17D47A1E72429C5109 |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 8 |
| Start time: | 04:05:20 |
| Start date: | 28/10/2024 |
| Path: | C:\Users\Public\Documents\A9Q9P9\TASLogin.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x7ff71e800000 |
| File size: | 581'584 bytes |
| MD5 hash: | E6A3CACCBD9CA82F38A14BD0D4428240 |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Antivirus matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 9 |
| Start time: | 04:05:21 |
| Start date: | 28/10/2024 |
| Path: | C:\Users\Public\Documents\A9Q9P9\TASLogin.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 581'584 bytes |
| MD5 hash: | E6A3CACCBD9CA82F38A14BD0D4428240 |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | Borland Delphi |
| Reputation: | low |
| Has exited: | false |
| Target ID: | 12 |
| Start time: | 04:05:30 |
| Start date: | 28/10/2024 |
| Path: | C:\Users\Public\Documents\A9Q9P9\TASLogin.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 581'584 bytes |
| MD5 hash: | E6A3CACCBD9CA82F38A14BD0D4428240 |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 13 |
| Start time: | 04:05:31 |
| Start date: | 28/10/2024 |
| Path: | C:\Users\Public\Documents\A9Q9P9\TASLogin.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 581'584 bytes |
| MD5 hash: | E6A3CACCBD9CA82F38A14BD0D4428240 |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | Borland Delphi |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 14 |
| Start time: | 04:05:38 |
| Start date: | 28/10/2024 |
| Path: | C:\Users\Public\Documents\A9Q9P9\TASLogin.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 581'584 bytes |
| MD5 hash: | E6A3CACCBD9CA82F38A14BD0D4428240 |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 15 |
| Start time: | 04:05:39 |
| Start date: | 28/10/2024 |
| Path: | C:\Users\Public\Documents\A9Q9P9\TASLogin.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 581'584 bytes |
| MD5 hash: | E6A3CACCBD9CA82F38A14BD0D4428240 |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | Borland Delphi |
| Reputation: | low |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 13.4% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 7.4% |
| Total number of Nodes: | 2000 |
| Total number of Limit Nodes: | 34 |
Graph
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B0EC Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114memorystringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B0EA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79memorystringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00427EE0 Relevance: 6.1, APIs: 4, Instructions: 82stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042B0E8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 156networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004087CC Relevance: 3.1, APIs: 2, Instructions: 63COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043BC08 Relevance: 3.0, APIs: 2, Instructions: 35COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00408694 Relevance: 3.0, APIs: 2, Instructions: 33fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00408F10 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040BDE8 Relevance: 220.0, APIs: 8, Strings: 117, Instructions: 1214libraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00428F34 Relevance: 76.0, APIs: 7, Strings: 36, Instructions: 733sleepCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00431870 Relevance: 33.4, APIs: 3, Strings: 16, Instructions: 168libraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00428C28 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 172filestringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004082B8 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 173registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042FE9C Relevance: 24.6, APIs: 2, Strings: 12, Instructions: 139libraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043C2D4 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 143registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00428590 Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 102libraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042A7F0 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 290fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004289D0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 180fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B654 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 80libraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043DC14 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 61registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00407E68 Relevance: 6.1, APIs: 4, Instructions: 95threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042A3EC Relevance: 4.6, APIs: 3, Instructions: 51fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406188 Relevance: 4.5, APIs: 3, Instructions: 24memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00427BF0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043C658 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00408898 Relevance: 3.1, APIs: 2, Instructions: 93COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004089BC Relevance: 3.1, APIs: 2, Instructions: 55libraryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00426840 Relevance: 3.0, APIs: 2, Instructions: 47networkCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004264F4 Relevance: 3.0, APIs: 2, Instructions: 41networkCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042674C Relevance: 3.0, APIs: 2, Instructions: 27networkCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B948 Relevance: 3.0, APIs: 2, Instructions: 22COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043B35C Relevance: 3.0, APIs: 2, Instructions: 17COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00437F88 Relevance: 2.5, APIs: 2, Instructions: 42COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043A7B4 Relevance: 1.6, APIs: 1, Instructions: 79fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405EDC Relevance: 1.5, APIs: 1, Instructions: 48threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00428018 Relevance: 1.5, APIs: 1, Instructions: 43COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042817C Relevance: 1.5, APIs: 1, Instructions: 42timeCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00407744 Relevance: 1.5, APIs: 1, Instructions: 26COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004264A8 Relevance: 1.5, APIs: 1, Instructions: 16COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004265CC Relevance: 1.5, APIs: 1, Instructions: 13networkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043C2AC Relevance: 1.5, APIs: 1, Instructions: 11COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00426448 Relevance: 1.5, APIs: 1, Instructions: 11COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00426408 Relevance: 1.5, APIs: 1, Instructions: 11COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00426564 Relevance: 1.5, APIs: 1, Instructions: 7networkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042B474 Relevance: 1.4, APIs: 1, Instructions: 155stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043BC54 Relevance: 1.3, APIs: 1, Instructions: 55COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004027A8 Relevance: 1.3, APIs: 1, Instructions: 38memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B216 Relevance: 1.3, APIs: 1, Instructions: 7COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042D1D4 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 240serviceCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004080C8 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 140stringlibraryfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040BA58 Relevance: 7.5, APIs: 5, Instructions: 49COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004208F4 Relevance: 6.9, Strings: 5, Instructions: 623COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00407C6C Relevance: 4.6, APIs: 3, Instructions: 99COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042215C Relevance: 1.6, Strings: 1, Instructions: 368COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043D53C Relevance: 1.5, APIs: 1, Instructions: 45COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041A7F8 Relevance: 1.5, APIs: 1, Instructions: 29COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041C9BC Relevance: 1.5, APIs: 1, Instructions: 26COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041D4C8 Relevance: 1.5, APIs: 1, Instructions: 26COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041A844 Relevance: 1.5, APIs: 1, Instructions: 23COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041A7A8 Relevance: 1.5, APIs: 1, Instructions: 22timeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041D2E0 Relevance: 1.5, APIs: 1, Instructions: 17COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041E9D4 Relevance: .7, Instructions: 681COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004256E7 Relevance: .4, Instructions: 401COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004250A3 Relevance: .3, Instructions: 316COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00425496 Relevance: .3, Instructions: 270COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041E0A4 Relevance: .2, Instructions: 238COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004248B4 Relevance: .2, Instructions: 222COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00424600 Relevance: .2, Instructions: 190COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00424DF9 Relevance: .1, Instructions: 126COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004046A0 Relevance: .0, Instructions: 22COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00425F00 Relevance: 31.7, APIs: 1, Strings: 17, Instructions: 184libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00432368 Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 79windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00436E6C Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 290sleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043DDC4 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 136windowsleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042BAFC Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 191windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042DC10 Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 255stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041A870 Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 219threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041B074 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 175threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041B8F4 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 97filewindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042CF20 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 92libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404F84 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 65libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404F82 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 52libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405CB8 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 40filewindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402E44 Relevance: 12.2, APIs: 8, Instructions: 221sleepCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043E080 Relevance: 12.2, APIs: 1, Strings: 7, Instructions: 169sleepCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040303C Relevance: 10.9, APIs: 7, Instructions: 407COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042C71C Relevance: 10.9, APIs: 4, Strings: 3, Instructions: 365stringmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004038AC Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 285windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042E088 Relevance: 10.7, APIs: 4, Strings: 3, Instructions: 241stringsleepCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043CCA8 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 162libraryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042E47C Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 135sleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402AC0 Relevance: 9.0, APIs: 7, Instructions: 298sleepCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042C13C Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 105windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042BD88 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040BA5C Relevance: 7.6, APIs: 5, Instructions: 55COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00426F90 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405D48 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405D50 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B5E8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00439284 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 139stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042BA24 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042743C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004303EC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043E4A4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18libraryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 4.8% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 2000 |
| Total number of Limit Nodes: | 30 |
Graph
Function 004087CC Relevance: 3.1, APIs: 2, Instructions: 63COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00408694 Relevance: 3.0, APIs: 2, Instructions: 33fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040BDE8 Relevance: 220.0, APIs: 8, Strings: 117, Instructions: 1214libraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004082B8 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 173registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B654 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 80libraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043DC14 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 61registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00407E68 Relevance: 6.1, APIs: 4, Instructions: 95threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00408898 Relevance: 3.1, APIs: 2, Instructions: 93COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004089BC Relevance: 3.1, APIs: 2, Instructions: 55libraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B948 Relevance: 3.0, APIs: 2, Instructions: 22COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043A7B4 Relevance: 1.6, APIs: 1, Instructions: 79fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00407744 Relevance: 1.5, APIs: 1, Instructions: 26COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00426564 Relevance: 1.5, APIs: 1, Instructions: 7networkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00408F10 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043D50C Relevance: 1.5, APIs: 1, Instructions: 5COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004027A8 Relevance: 1.3, APIs: 1, Instructions: 38memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004080C8 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 140stringlibraryfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00431870 Relevance: 33.4, APIs: 3, Strings: 16, Instructions: 168libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00425F00 Relevance: 31.7, APIs: 1, Strings: 17, Instructions: 184libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00432368 Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 79windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00436E6C Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 290sleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043DDC4 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 136windowsleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042FE9C Relevance: 24.6, APIs: 2, Strings: 12, Instructions: 139libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00428C28 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 172stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042BAFC Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 191windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00428590 Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 102libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042DC10 Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 255stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041A870 Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 219threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041B074 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 175threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041B8F4 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 97filewindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042CF20 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 92libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404F84 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 65libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404F82 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 52libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405CB8 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 40filewindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402E44 Relevance: 12.2, APIs: 8, Instructions: 221sleepCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043E080 Relevance: 12.2, APIs: 1, Strings: 7, Instructions: 169sleepCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040303C Relevance: 10.9, APIs: 7, Instructions: 407COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042C71C Relevance: 10.9, APIs: 4, Strings: 3, Instructions: 365stringmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004038AC Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 285windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042E088 Relevance: 10.7, APIs: 4, Strings: 3, Instructions: 241stringsleepCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043CCA8 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 162libraryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042E47C Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 135sleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402AC0 Relevance: 9.0, APIs: 7, Instructions: 298sleepCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042C13C Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 105windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042BD88 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040BA5C Relevance: 7.6, APIs: 5, Instructions: 55COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040BA58 Relevance: 7.5, APIs: 5, Instructions: 49COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00426F90 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405D48 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405D50 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B5E8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00439284 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 139stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B0EC Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 114memorystringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00427EE0 Relevance: 6.1, APIs: 4, Instructions: 82stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B0EB Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 77memorystringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042BA24 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042743C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004303EC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043E4A4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18libraryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 4.8% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 2000 |
| Total number of Limit Nodes: | 30 |
Graph
Function 004087CC Relevance: 3.1, APIs: 2, Instructions: 63COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00408694 Relevance: 3.0, APIs: 2, Instructions: 33fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040BDE8 Relevance: 220.0, APIs: 8, Strings: 117, Instructions: 1214libraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004082B8 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 173registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B654 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 80libraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043DC14 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 61registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00407E68 Relevance: 6.1, APIs: 4, Instructions: 95threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00408898 Relevance: 3.1, APIs: 2, Instructions: 93COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004089BC Relevance: 3.1, APIs: 2, Instructions: 55libraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B948 Relevance: 3.0, APIs: 2, Instructions: 22COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043A7B4 Relevance: 1.6, APIs: 1, Instructions: 79fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00407744 Relevance: 1.5, APIs: 1, Instructions: 26COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00426564 Relevance: 1.5, APIs: 1, Instructions: 7networkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00408F10 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043D50C Relevance: 1.5, APIs: 1, Instructions: 5COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004027A8 Relevance: 1.3, APIs: 1, Instructions: 38memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004080C8 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 140stringlibraryfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00431870 Relevance: 33.4, APIs: 3, Strings: 16, Instructions: 168libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00425F00 Relevance: 31.7, APIs: 1, Strings: 17, Instructions: 184libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00432368 Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 79windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00436E6C Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 290sleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043DDC4 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 136windowsleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042FE9C Relevance: 24.6, APIs: 2, Strings: 12, Instructions: 139libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00428C28 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 172stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042BAFC Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 191windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00428590 Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 102libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042DC10 Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 255stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041A870 Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 219threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041B074 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 175threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041B8F4 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 97filewindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042CF20 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 92libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404F84 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 65libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404F82 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 52libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405CB8 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 40filewindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402E44 Relevance: 12.2, APIs: 8, Instructions: 221sleepCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043E080 Relevance: 12.2, APIs: 1, Strings: 7, Instructions: 169sleepCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040303C Relevance: 10.9, APIs: 7, Instructions: 407COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042C71C Relevance: 10.9, APIs: 4, Strings: 3, Instructions: 365stringmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004038AC Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 285windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042E088 Relevance: 10.7, APIs: 4, Strings: 3, Instructions: 241stringsleepCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043CCA8 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 162libraryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042E47C Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 135sleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402AC0 Relevance: 9.0, APIs: 7, Instructions: 298sleepCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042C13C Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 105windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042BD88 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040BA5C Relevance: 7.6, APIs: 5, Instructions: 55COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040BA58 Relevance: 7.5, APIs: 5, Instructions: 49COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00426F90 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405D48 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405D50 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B5E8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00439284 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 139stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B0EC Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 114memorystringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00427EE0 Relevance: 6.1, APIs: 4, Instructions: 82stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B0EB Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 77memorystringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042BA24 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042743C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004303EC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043E4A4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18libraryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|