Edit tour
Windows
Analysis Report
.com.exe
Overview
General Information
| Sample name: | .com.exerenamed because original name is a hash value |
| Original sample name: | instruction.htm .com.exe |
| Analysis ID: | 1410989 |
| MD5: | b1f6a4cc592f3c9f7d4b69c02ac74d11 |
| SHA1: | db2db17c1d3e2c4f3a45aad9215cc77ed455ffcc |
| SHA256: | 3db846a796caa001666df8f7cae709fff02f984711b0e70e0e79c457d631b4e5 |
| Tags: | exe |
| Infos: |   |
 | |
Detection
MyDoom
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected MyDoom
Connects to many different private IPs (likely to spread or exploit)
Drops PE files with benign system names
Drops executables to the windows directory (C:\Windows) and starts them
Exploit detected, runtime environment dropped PE file
Exploit detected, runtime environment starts unknown processes
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for dropped file
Machine Learning detection for sample
Opens the same file many times (likely Sandbox evasion)
PE file has a writeable .text section
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to search for IE or Outlook window (often done to steal information)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Classification
- System is w10x64
.com.exe (PID: 3416 cmdline: C:\Users\u ser\Deskto p\ .com.e xe MD5: B1F6A4CC592F3C9F7D4B69C02AC74D11) 
services.exe (PID: 2680 cmdline: C:\Windows \services. exe MD5: B0FE74719B1B647E2056641931907F4A) 
WerFault.exe (PID: 5272 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 3 416 -s 118 8 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- java.exe (PID: 3384 cmdline:
"C:\Window s\java.exe " MD5: B1F6A4CC592F3C9F7D4B69C02AC74D11) - services.exe (PID: 2992 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\service s.exe MD5: B0FE74719B1B647E2056641931907F4A)
- services.exe (PID: 5308 cmdline:
"C:\Window s\services .exe" MD5: B0FE74719B1B647E2056641931907F4A)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| MyDoom | No Attribution |
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_MyDoom | Yara detected MyDoom | Joe Security | ||
| JoeSecurity_MyDoom | Yara detected MyDoom | Joe Security | ||
| JoeSecurity_MyDoom | Yara detected MyDoom | Joe Security | ||
| JoeSecurity_MyDoom | Yara detected MyDoom | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_MyDoom | Yara detected MyDoom | Joe Security | ||
| JoeSecurity_MyDoom | Yara detected MyDoom | Joe Security |
System Summary |   |
|---|
| Source: | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: | ||
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
| Source: | Author: vburov: | ||
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
Exploits | |
|---|
| Source: | TCP traffic: | Jump to behavior | ||
| Source: | TCP traffic: | Jump to behavior | ||
| Source: | TCP traffic: | Jump to behavior | ||
| Source: | Static PE information: | ||
Spreading | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Code function: | 0_2_005052AD | |
| Source: | Code function: | 7_2_005052AD | |
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
Software Vulnerabilities | |
|---|
| Source: | Process created: | ||
| Source: | Code function: | 0_2_00506AB8 | |
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
Spam, unwanted Advertisements and Ransom Demands | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
System Summary | |
|---|
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File deleted: | Jump to behavior | ||
| Source: | Code function: | 0_2_00507730 | |
| Source: | Code function: | 0_2_005011C9 | |
| Source: | Code function: | 7_2_00507730 | |
| Source: | Dropped File: | ||
| Source: | Process created: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_00503620 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_0050A42E | |
| Source: | Code function: | 0_2_0050DEBE | |
| Source: | Code function: | 0_2_0050A53F | |
| Source: | Code function: | 0_2_0050A53F | |
| Source: | Code function: | 0_2_00509BAB | |
| Source: | Code function: | 1_2_00405A8E | |
| Source: | Code function: | 7_2_0050A42E | |
| Source: | Code function: | 7_2_0050DEBE | |
| Source: | Code function: | 7_2_0050A53F | |
| Source: | Code function: | 7_2_0050A53F | |
| Source: | Code function: | 7_2_00509BAB | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
Persistence and Installation Behavior | |
|---|
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | Executable created and started: | Jump to behavior | ||
| Source: | Executable created and started: | |||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | Evasive API call chain: | graph_0-3007 | ||
| Source: | Evasive API call chain: | graph_0-3007 | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Decision node followed by non-executed suspicious API: | graph_7-2834 | ||
| Source: | Decision node followed by non-executed suspicious API: | graph_1-1036 | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Last function: | ||
| Source: | Code function: | 0_2_00505717 | |
| Source: | Code function: | 7_2_00505717 | |
| Source: | Code function: | 0_2_005052AD | |
| Source: | Code function: | 7_2_005052AD | |
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | API call chain: | graph_0-2984 | ||
| Source: | API call chain: | graph_1-1005 | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_00505A45 | |
| Source: | Code function: | 0_2_00503620 | |
| Source: | Code function: | 0_2_00504E00 | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_005032CB | |
| Source: | Code function: | 0_2_005032CB | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_0050311C | |
| Source: | Code function: | 7_2_0050311C | |
| Source: | Code function: | 1_2_00401F0E | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Native API | 1 Registry Run Keys / Startup Folder | 11 Process Injection | 22 Masquerading | OS Credential Dumping | 12 System Time Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 2 Exploitation for Client Execution | 1 DLL Side-Loading | 1 Registry Run Keys / Startup Folder | 121 Virtualization/Sandbox Evasion | LSASS Memory | 131 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 11 Process Injection | Security Account Manager | 121 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 21 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 21 Software Packing | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 2 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 File Deletion | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 74% | ReversingLabs | Win32.Trojan.FlyAgent | ||
| 100% | Avira | TR/Spy.Banker.Gen | ||
| 100% | Joe Sandbox ML |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira | TR/Spy.Banker.Gen | ||
| 100% | Avira | BDS/Backdoor.fszhy | ||
| 100% | Avira | TR/Spy.Banker.Gen | ||
| 100% | Avira | BDS/Backdoor.fszhy | ||
| 100% | Joe Sandbox ML | |||
| 100% | Joe Sandbox ML | |||
| 100% | Joe Sandbox ML | |||
| 100% | Joe Sandbox ML | |||
| 100% | Joe Sandbox ML | |||
| 100% | ReversingLabs | Win32.Worm.Mydoom | ||
| 74% | ReversingLabs | Win32.Trojan.FlyAgent | ||
| 100% | ReversingLabs | Win32.Worm.Mydoom |
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
⊘No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| low | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| low | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|
| IP |
|---|
| 172.16.1.166 |
| 10.0.2.15 |
| 172.16.1.4 |
| 192.168.2.14 |
| 10.127.0.3 |
| 172.16.1.2 |
| 172.16.1.104 |
| 192.168.2.18 |
| 192.168.2.9 |
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1410989 |
| Start date and time: | 2024-03-18 14:35:59 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 7m 48s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 12 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | .com.exerenamed because original name is a hash value |
| Original Sample Name: | instruction.htm .com.exe |
| Detection: | MAL |
| Classification: | mal100.spre.expl.evad.winEXE@8/13@0/9 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
- Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 20.42.65.92, 17.179.253.242
- Excluded domains from analysis (whitelisted): apple.com, client.wns.windows.com, onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, mx-in-rno.apple.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtOpenFile calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: .com.exe
| Time | Type | Description |
|---|---|---|
| 14:36:45 | API Interceptor | |
| 14:36:47 | Autostart | |
| 14:36:55 | Autostart | |
| 14:36:56 | API Interceptor | |
| 14:37:29 | API Interceptor | |
| 14:37:31 | API Interceptor |
⊘No context
⊘No context
⊘No context
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\services.exe | Get hash | malicious | MyDoom | Browse | ||
| Get hash | malicious | MyDoom | Browse | |||
| Get hash | malicious | MyDoom | Browse | |||
| Get hash | malicious | MyDoom | Browse | |||
| Get hash | malicious | MyDoom | Browse | |||
| Get hash | malicious | MyDoom | Browse | |||
| Get hash | malicious | MyDoom | Browse | |||
| Get hash | malicious | MyDoom | Browse | |||
| Get hash | malicious | MyDoom | Browse | |||
| Get hash | malicious | MyDoom | Browse |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_.com.exe_532a1c85ccf97a88b6c767898461e0aa5a7927b_c857d077_bd394482-40cb-47de-84be-3ef2afd40a7d\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.8543619628301916 |
| Encrypted: | false |
| SSDEEP: | 96:g+FxLlLAx9syhM1yDfwQXIDcQvc6QcEVcw3cE/n+HbHg/opAnQzOqg7TlOy4aEuE:Pux9H0BU/gjdKzuiFrZ24IO87OM |
| MD5: | 20673EC9C7AFCC45F423994ADC299BED |
| SHA1: | 2388865D5980FB02F7FEF2D267E1255A1535EECD |
| SHA-256: | B7EF9675D9A94E35DAB6ADBC86A6BE09B6B03FCAE499F986D1698CB4B839A262 |
| SHA-512: | 8B97480448D97EE2D7B0E91549719670E6E57B6B18A0531411066FDE7F8A124BE1591E797A139A1FF988C62356744D888202C3F1C40FFEF06823F2C6D0F8D1C9 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 99082 |
| Entropy (8bit): | 1.9719455879344538 |
| Encrypted: | false |
| SSDEEP: | 384:jna14Oqq498D+jmihIhhtqLItZSjopqNOCpyuNOfSU7ep/x:KjZ4HhINqo778 |
| MD5: | BF830199210033620FC920E07D18EB81 |
| SHA1: | B83577224BAF2095D266F26DEC5917219206DDAF |
| SHA-256: | 7C50178B702FCAA9FDFADA2DF8CBF59681396AA44B3951F21186B29BC10A7F1A |
| SHA-512: | DDC2FD56BA951A6885F882FCAC794CE308B4467A74E5F444CBA9EFB6C882B2C409EA8EAF2AACAD3D17D85038DBE4EB11FC96C2181610CC224645C646788D2090 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8316 |
| Entropy (8bit): | 3.693237086548923 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJev626Y2DNSU9FTgmfnJjBpr189bansfk+m:R6lXJm626YASU9FTgmfnJj+asfU |
| MD5: | 88977EC5A0476C714715927E9D7432C9 |
| SHA1: | DDD1B3B8790DC43AA068F7AB49F4F0C1BC13981A |
| SHA-256: | C874A6AD45DD5413BDB47279BFCA653E54E4CE8B543E58AAFB799EA4547DA5FE |
| SHA-512: | 7041D732BA069D28F21956D1C485012610FCCF3382B2EE5364A3A598FD0C8DE8B696186C009B2EC67ADD36B2B3102024928AFE143334402C7D073B8FF700176D |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4567 |
| Entropy (8bit): | 4.414719805422548 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zsnJg77aI9ZmWpW8VYoYm8M4J58FAvc+q8oTsjtR/x3mJd:uIjfJI77n7VUJTU/sjt5x3mJd |
| MD5: | C214B4089F941DC6F9DE76272113F1BF |
| SHA1: | 017CC8C83D28931641575DE55667F0102A98ACEF |
| SHA-256: | E1E3B1B89FD579E01F2508548B63DD27F01631EE95AC436D9D84E34A795C5270 |
| SHA-512: | CA10638BA95B4C591A42528600D49127670E2A813FAFB596D1B6DBB033B8137245766E5922B2AE524F0DEADE83E73F8D2F92F66A11A7E89DF810E15B02D812DE |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\java.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8192 |
| Entropy (8bit): | 6.951274251785221 |
| Encrypted: | false |
| SSDEEP: | 192:tZWNqWKIzebvOZnzCj6juhEJS3/Uf/tpfmG62X9f3:tZ6qWTYvczfahX/UHtF6e9f3 |
| MD5: | B0FE74719B1B647E2056641931907F4A |
| SHA1: | E858C206D2D1542A79936CB00D85DA853BFC95E2 |
| SHA-256: | BF316F51D0C345D61EAEE3940791B64E81F676E3BCA42BAD61073227BEE6653C |
| SHA-512: | 9C82E88264696D0DADEF9C0442AD8D1183E48F0FB355A4FC9BF4FA5DB4E27745039F98B1FD1FEBFF620A5DED6DD493227F00D7D2E74B19757685AA8655F921C2 |
| Malicious: | true |
| Antivirus: |
|
| Joe Sandbox View: |
|
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Windows\java.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 43082 |
| Entropy (8bit): | 5.919302793183291 |
| Encrypted: | false |
| SSDEEP: | 768:8EwHupU99d2JE0jNJJ83+8zzqgTdVY9/V:8EwVs+0jNDY1qi/qd |
| MD5: | 124B7F11670EACBEF87715EB5246BF72 |
| SHA1: | 4150723F29428194B2C4A95A87353842D927EB26 |
| SHA-256: | 850AFFEA519E6280CCA2812E52BD61FC97C83CA9301D4A60FDFE9A46261B95B7 |
| SHA-512: | 2B535530CCD530A95B3A9768A91B97CED5B88E098D1AB8B366BC338F6D02748F34E43566DB9CA40B69B0BC8C2250D2AAB7CE47513AA71C85CE4C6C9A0122507D |
| Malicious: | true |
| Antivirus: |
|
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\java.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 42966 |
| Entropy (8bit): | 5.920540053120464 |
| Encrypted: | false |
| SSDEEP: | 768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q |
| MD5: | 29E4B34709AA95FA4189F0340FCD3869 |
| SHA1: | 579935A09FEB86FE6ED921B89C1D1C2AA7C116A8 |
| SHA-256: | 2EB6D37566A40E43AB4206214556921CA0F62AD8D76FF15CD9385BCA2365B46F |
| SHA-512: | 679482ACD5F7F7638749A92BB05BB11C52FD2215C7D3D4C986BC172D266FAC42714B86D76AB387C682A12A073EE9703609CF923F4B68AAF9777082AB767E8DB1 |
| Malicious: | true |
| Antivirus: |
|
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\java.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 26 |
| Entropy (8bit): | 3.95006375643621 |
| Encrypted: | false |
| SSDEEP: | 3:ggPYV:rPYV |
| MD5: | 187F488E27DB4AF347237FE461A079AD |
| SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
| SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
| SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\ .com.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 128 |
| Entropy (8bit): | 5.7528209267673045 |
| Encrypted: | false |
| SSDEEP: | 3:v+71kalcQ9VdJgjJZGpyPtPsbgqYUqXbGfL97t8Qh:vi1kutNJg4pylCg7XSfL97uQh |
| MD5: | 0159C0BB4689222E72001A5D33336D4B |
| SHA1: | 77E06830296F998584B2B9949C366822E4A4718D |
| SHA-256: | 3BF6AF374EBA669A13BDEA8CED3C4D284616C5FB92F8199C465F54546485D023 |
| SHA-512: | 5B896547BF23FCA6EB0B9B7C2C339C8F85E76B3C6C5B2147E480B0790DC73F6C74B108D6FDA56B1955E7F1BE3808DCAF9D8450B9F9B38588C1A16B7A3ED7CFE2 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1835008 |
| Entropy (8bit): | 4.4685561320578495 |
| Encrypted: | false |
| SSDEEP: | 6144:ozZfpi6ceLPx9skLmb0fpZWSP3aJG8nAgeiJRMMhA2zX4WABluuN5jDH5S:+ZHtpZWOKnMM6bFpnj4 |
| MD5: | 0979DB735B9DA0AF767D4F71077D959E |
| SHA1: | CBD04A82A455F507CD444C56FC0E31B36BC22630 |
| SHA-256: | 8C858C0E3E4449C2422A147931BC3EB8A042715BF45A90488DE3602FE3D04771 |
| SHA-512: | 8A1D483D0CBBCF9856CF8765AE0EF858FB0B3465F9FA243A2636270373674D7BB52D34733CCE1D1E5F3F8FA0667650790B9E44C8B39C785E57C6532462FE4C42 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\ .com.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 42966 |
| Entropy (8bit): | 5.920676271954214 |
| Encrypted: | false |
| SSDEEP: | 768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q |
| MD5: | B1F6A4CC592F3C9F7D4B69C02AC74D11 |
| SHA1: | DB2DB17C1D3E2C4F3A45AAD9215CC77ED455FFCC |
| SHA-256: | 3DB846A796CAA001666DF8F7CAE709FFF02F984711B0E70E0E79C457D631B4E5 |
| SHA-512: | 66C3D5CB3C9BF13604748853797E4C1A1EAE13D52CDF43F16DA0B1B180AD0C10102A2935D4D6BD0549F6E48427C0181CBB07F1EE664274727DFF0CC61E5075C5 |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\ .com.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 26 |
| Entropy (8bit): | 3.95006375643621 |
| Encrypted: | false |
| SSDEEP: | 3:ggPYV:rPYV |
| MD5: | 187F488E27DB4AF347237FE461A079AD |
| SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
| SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
| SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\ .com.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8192 |
| Entropy (8bit): | 6.951274251785221 |
| Encrypted: | false |
| SSDEEP: | 192:tZWNqWKIzebvOZnzCj6juhEJS3/Uf/tpfmG62X9f3:tZ6qWTYvczfahX/UHtF6e9f3 |
| MD5: | B0FE74719B1B647E2056641931907F4A |
| SHA1: | E858C206D2D1542A79936CB00D85DA853BFC95E2 |
| SHA-256: | BF316F51D0C345D61EAEE3940791B64E81F676E3BCA42BAD61073227BEE6653C |
| SHA-512: | 9C82E88264696D0DADEF9C0442AD8D1183E48F0FB355A4FC9BF4FA5DB4E27745039F98B1FD1FEBFF620A5DED6DD493227F00D7D2E74B19757685AA8655F921C2 |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
| File type: | |
| Entropy (8bit): | 5.920676271954214 |
| TrID: |
|
| File name: | .com.exe |
| File size: | 42'966 bytes |
| MD5: | b1f6a4cc592f3c9f7d4b69c02ac74d11 |
| SHA1: | db2db17c1d3e2c4f3a45aad9215cc77ed455ffcc |
| SHA256: | 3db846a796caa001666df8f7cae709fff02f984711b0e70e0e79c457d631b4e5 |
| SHA512: | 66c3d5cb3c9bf13604748853797e4c1a1eae13d52cdf43f16da0b1b180ad0c10102a2935d4d6bd0549f6e48427c0181cbb07f1ee664274727dff0cc61e5075c5 |
| SSDEEP: | 768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q |
| TLSH: | 8D13E0983E8FBD42D2840C382903EE7ABE52FD444D09268BB5B87B0BBDB1F95455DC46 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................PE..L........................b......... |
 | |
| Icon Hash: | 9361c4a092b08082 |
| Entrypoint: | 0x510024 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x500000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
| DLL Characteristics: | |
| Time Stamp: | 0x0 [Thu Jan 1 00:00:00 1970 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 98cd465c2ab2841f9fd90d5e847563f4 |
| Instruction |
|---|
| stc |
| jc 00007F6EC0C2DE49h |
| pop ds |
| xor esi, dword ptr [ecx-49h] |
| cwde |
| leave |
| jmp 00007F6EC0C2DEA2h |
| jmp 00007F6EC0C2DE45h |
| cmp dl, byte ptr [ebp+0006E8D2h] |
| add byte ptr [eax], al |
| dec ecx |
| stc |
| mov dl, EDh |
| pop ecx |
| pop ebx |
| jc 00007F6EC0C2DE49h |
| jne 00007F6EC0C2DDD7h |
| jnl 00007F6EC0C2DE25h |
| sbb dword ptr [edx-383C7EDCh], FFFFFFFFh |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf514 | 0x130 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf000 | 0x514 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x101f7 | 0x8 | .text |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| UPX0 | 0x1000 | 0x8000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| UPX1 | 0x9000 | 0x6000 | 0x6000 | 95e7e2aea06fcf90374e473c416d1137 | False | 0.9812825520833334 | data | 7.938048293950375 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xf000 | 0x1000 | 0x800 | 60d328df3a5dff05a8db261a75a0deda | False | 0.27880859375 | data | 2.6542421841999686 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .text | 0x10000 | 0x1ff | 0x200 | 49d1ec1d6eed7ca336017bbbebab7b7d | False | 0.978515625 | data | 6.805048281534057 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xf0d8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.2782258064516129 |
| RT_ICON | 0xf3c4 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.4189189189189189 |
| RT_GROUP_ICON | 0xf4f0 | 0x22 | data | English | United States | 1.0 |
| DLL | Import |
|---|---|
| KERNEL32.DLL | LoadLibraryA, GetProcAddress, ExitProcess |
| ADVAPI32.dll | RegCloseKey |
| MSVCRT.dll | memset |
| USER32.dll | wsprintfA |
| WS2_32.dll | gethostname |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 18, 2024 14:36:47.602288961 CET | 49713 | 1034 | 192.168.2.6 | 172.16.1.2 |
| Mar 18, 2024 14:36:48.601149082 CET | 49713 | 1034 | 192.168.2.6 | 172.16.1.2 |
| Mar 18, 2024 14:36:50.601166964 CET | 49713 | 1034 | 192.168.2.6 | 172.16.1.2 |
| Mar 18, 2024 14:36:54.601149082 CET | 49713 | 1034 | 192.168.2.6 | 172.16.1.2 |
| Mar 18, 2024 14:37:02.601167917 CET | 49713 | 1034 | 192.168.2.6 | 172.16.1.2 |
| Mar 18, 2024 14:37:08.603070974 CET | 49721 | 1034 | 192.168.2.6 | 172.16.1.4 |
| Mar 18, 2024 14:37:09.616800070 CET | 49721 | 1034 | 192.168.2.6 | 172.16.1.4 |
| Mar 18, 2024 14:37:11.632421017 CET | 49721 | 1034 | 192.168.2.6 | 172.16.1.4 |
| Mar 18, 2024 14:37:15.632402897 CET | 49721 | 1034 | 192.168.2.6 | 172.16.1.4 |
| Mar 18, 2024 14:37:23.632411003 CET | 49721 | 1034 | 192.168.2.6 | 172.16.1.4 |
| Mar 18, 2024 14:37:29.633754969 CET | 49724 | 1034 | 192.168.2.6 | 172.16.1.166 |
| Mar 18, 2024 14:37:30.632405996 CET | 49724 | 1034 | 192.168.2.6 | 172.16.1.166 |
| Mar 18, 2024 14:37:32.632445097 CET | 49724 | 1034 | 192.168.2.6 | 172.16.1.166 |
| Mar 18, 2024 14:37:36.632396936 CET | 49724 | 1034 | 192.168.2.6 | 172.16.1.166 |
| Mar 18, 2024 14:37:44.632435083 CET | 49724 | 1034 | 192.168.2.6 | 172.16.1.166 |
| Mar 18, 2024 14:38:11.634995937 CET | 49730 | 1034 | 192.168.2.6 | 10.0.2.15 |
| Mar 18, 2024 14:38:12.648094893 CET | 49730 | 1034 | 192.168.2.6 | 10.0.2.15 |
| Mar 18, 2024 14:38:14.663645983 CET | 49730 | 1034 | 192.168.2.6 | 10.0.2.15 |
| Mar 18, 2024 14:38:18.757368088 CET | 49730 | 1034 | 192.168.2.6 | 10.0.2.15 |
| Mar 18, 2024 14:38:26.757381916 CET | 49730 | 1034 | 192.168.2.6 | 10.0.2.15 |
| Mar 18, 2024 14:38:54.555514097 CET | 49733 | 1034 | 192.168.2.6 | 10.127.0.3 |
| Mar 18, 2024 14:38:55.648008108 CET | 49733 | 1034 | 192.168.2.6 | 10.127.0.3 |
| Mar 18, 2024 14:38:57.648058891 CET | 49733 | 1034 | 192.168.2.6 | 10.127.0.3 |
| Mar 18, 2024 14:39:01.648014069 CET | 49733 | 1034 | 192.168.2.6 | 10.127.0.3 |
| Mar 18, 2024 14:39:09.648015976 CET | 49733 | 1034 | 192.168.2.6 | 10.127.0.3 |
| Mar 18, 2024 14:39:36.932564974 CET | 49736 | 1034 | 192.168.2.6 | 172.16.1.4 |
| Mar 18, 2024 14:39:37.944891930 CET | 49736 | 1034 | 192.168.2.6 | 172.16.1.4 |
| Mar 18, 2024 14:39:40.054251909 CET | 49736 | 1034 | 192.168.2.6 | 172.16.1.4 |
| Mar 18, 2024 14:39:44.054244041 CET | 49736 | 1034 | 192.168.2.6 | 172.16.1.4 |
| Mar 18, 2024 14:39:52.148000956 CET | 49736 | 1034 | 192.168.2.6 | 172.16.1.4 |
| Mar 18, 2024 14:40:19.259031057 CET | 49738 | 1034 | 192.168.2.6 | 172.16.1.4 |
| Mar 18, 2024 14:40:20.351142883 CET | 49738 | 1034 | 192.168.2.6 | 172.16.1.4 |
| Mar 18, 2024 14:40:22.444873095 CET | 49738 | 1034 | 192.168.2.6 | 172.16.1.4 |
| Mar 18, 2024 14:40:26.554239035 CET | 49738 | 1034 | 192.168.2.6 | 172.16.1.4 |
| Mar 18, 2024 14:40:34.554217100 CET | 49738 | 1034 | 192.168.2.6 | 172.16.1.4 |
| Mar 18, 2024 14:40:40.555363894 CET | 49740 | 1034 | 192.168.2.6 | 172.16.1.104 |
| Mar 18, 2024 14:40:41.554260015 CET | 49740 | 1034 | 192.168.2.6 | 172.16.1.104 |
| Mar 18, 2024 14:40:43.554259062 CET | 49740 | 1034 | 192.168.2.6 | 172.16.1.104 |
| Mar 18, 2024 14:40:47.757380962 CET | 49740 | 1034 | 192.168.2.6 | 172.16.1.104 |
| Mar 18, 2024 14:40:55.851130962 CET | 49740 | 1034 | 192.168.2.6 | 172.16.1.104 |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 14:36:45 |
| Start date: | 18/03/2024 |
| Path: | C:\Users\user\Desktop\ .com.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x500000 |
| File size: | 42'966 bytes |
| MD5 hash: | B1F6A4CC592F3C9F7D4B69C02AC74D11 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 14:36:45 |
| Start date: | 18/03/2024 |
| Path: | C:\Windows\services.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 8'192 bytes |
| MD5 hash: | B0FE74719B1B647E2056641931907F4A |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Antivirus matches: |
|
| Reputation: | moderate |
| Has exited: | false |
| Target ID: | 6 |
| Start time: | 14:36:54 |
| Start date: | 18/03/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x260000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 7 |
| Start time: | 14:36:55 |
| Start date: | 18/03/2024 |
| Path: | C:\Windows\java.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x500000 |
| File size: | 42'966 bytes |
| MD5 hash: | B1F6A4CC592F3C9F7D4B69C02AC74D11 |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Antivirus matches: |
|
| Reputation: | low |
| Has exited: | false |
| Target ID: | 8 |
| Start time: | 14:36:55 |
| Start date: | 18/03/2024 |
| Path: | C:\Users\user\AppData\Local\Temp\services.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 8'192 bytes |
| MD5 hash: | B0FE74719B1B647E2056641931907F4A |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Antivirus matches: |
|
| Reputation: | moderate |
| Has exited: | false |
| Target ID: | 9 |
| Start time: | 14:37:03 |
| Start date: | 18/03/2024 |
| Path: | C:\Windows\services.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 8'192 bytes |
| MD5 hash: | B0FE74719B1B647E2056641931907F4A |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | false |
Execution Graph
| Execution Coverage: | 11.8% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 13.7% |
| Total number of Nodes: | 651 |
| Total number of Limit Nodes: | 13 |
Graph
Function 005052AD Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 120stringsleepfileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 005011C9 Relevance: 23.8, APIs: 3, Strings: 9, Instructions: 2801registryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00504E00 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 88memoryfileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0050311C Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 23threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00503620 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43libraryloadernetworkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00504FF8 Relevance: 78.8, APIs: 4, Strings: 41, Instructions: 84registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00502E50 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 107stringfileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 005075E5 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 109stringprocessfileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00505449 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 108stringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00502FB0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 102registrystringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00503697 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 93fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0050746B Relevance: 12.1, APIs: 8, Instructions: 81fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 005055B4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50sleepstringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00502C90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00505131 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 140sleepstringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00503280 Relevance: 4.5, APIs: 3, Instructions: 19networkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0050737C Relevance: 3.0, APIs: 2, Instructions: 42fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00507730 Relevance: 39.2, APIs: 13, Strings: 13, Instructions: 188stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00505A45 Relevance: 34.6, APIs: 10, Strings: 13, Instructions: 148stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 005032CB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 74timeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00506AB8 Relevance: 3.1, APIs: 2, Instructions: 61networkCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00505717 Relevance: 1.5, APIs: 1, Instructions: 30timeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00505FAF Relevance: 61.5, APIs: 27, Strings: 8, Instructions: 277stringfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 005057E6 Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 201filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00506E01 Relevance: 33.5, APIs: 7, Strings: 12, Instructions: 219networkstringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0050402F Relevance: 33.5, APIs: 17, Strings: 2, Instructions: 214stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 005067C2 Relevance: 31.6, APIs: 12, Strings: 9, Instructions: 82stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00507093 Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 116registryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00506895 Relevance: 27.1, APIs: 11, Strings: 7, Instructions: 90stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00505BF9 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 172stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00503EF3 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 95memorylibrarynetworkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 005071F8 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 135stringnetworkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00503E35 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77memorylibrarystringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0050666D Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 122fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00502D8E Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 67stringsynchronizationnetworkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 005073E8 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 36stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00504EEA Relevance: 12.1, APIs: 8, Instructions: 107fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00503A35 Relevance: 10.6, APIs: 7, Instructions: 118COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0050754A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 59fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00507940 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 45librarystringloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00505F2A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 41filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00506966 Relevance: 9.1, APIs: 6, Instructions: 108filememorystringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00503819 Relevance: 9.1, APIs: 6, Instructions: 90networkCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 005047B7 Relevance: 9.1, APIs: 6, Instructions: 73memorystringthreadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00504A37 Relevance: 7.5, APIs: 5, Instructions: 25threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00504244 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0050315C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00506B89 Relevance: 6.2, APIs: 4, Instructions: 173stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Execution Graph
| Execution Coverage: | 33.4% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 10.4% |
| Total number of Nodes: | 230 |
| Total number of Limit Nodes: | 6 |
Graph
Callgraph
Function 00401F0E Relevance: 40.4, APIs: 21, Strings: 2, Instructions: 171memorynetworksleepCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401C50 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 64stringfileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00402746 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 152memorystringnetworkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401D22 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 109registrystringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00402C20 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 93fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00402667 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 76fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00402BDC Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 29libraryloadernetworkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004019A3 Relevance: 9.1, APIs: 6, Instructions: 93networkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004024AB Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48networkfileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401947 Relevance: 3.0, APIs: 2, Instructions: 38networkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00402110 Relevance: 1.5, APIs: 1, Instructions: 8networkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401AF2 Relevance: 1.4, APIs: 1, Instructions: 128sleepCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004012C6 Relevance: 44.0, APIs: 22, Strings: 3, Instructions: 261filestringnetworkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401E86 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00402180 Relevance: 6.1, APIs: 4, Instructions: 66memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Execution Graph
| Execution Coverage: | 29% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 650 |
| Total number of Limit Nodes: | 24 |
Graph
Function 005052AD Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 120stringsleepfileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00504FF8 Relevance: 78.8, APIs: 4, Strings: 41, Instructions: 84registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00505FAF Relevance: 61.5, APIs: 27, Strings: 8, Instructions: 277stringfileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 005057E6 Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 201filestringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00506E01 Relevance: 33.5, APIs: 7, Strings: 12, Instructions: 219networkstringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00502E50 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 107stringfileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00506895 Relevance: 27.1, APIs: 11, Strings: 7, Instructions: 90stringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 005075E5 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 109stringprocessfileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00505449 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 108stringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00503E35 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 77memorylibrarystringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 005071F8 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 135stringnetworkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0050666D Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 122fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00504E00 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 88memoryfileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00502D8A Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 69stringsynchronizationnetworkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00502D8E Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 67stringsynchronizationnetworkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00502FB0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 102registrystringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00503697 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 93fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0050746B Relevance: 12.1, APIs: 8, Instructions: 81fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 005032CB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 74timeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0050754A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 59fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 005055B4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50sleepstringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00503620 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43libraryloadernetworkCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00506966 Relevance: 9.1, APIs: 6, Instructions: 108filememorystringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00504A37 Relevance: 7.5, APIs: 5, Instructions: 25threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00505131 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 140sleepstringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00505772 Relevance: 4.5, APIs: 3, Instructions: 47fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00505EE3 Relevance: 4.5, APIs: 3, Instructions: 27fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00503280 Relevance: 4.5, APIs: 3, Instructions: 19networkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0050737C Relevance: 3.0, APIs: 2, Instructions: 42fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00506B54 Relevance: 3.0, APIs: 2, Instructions: 23networkCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 005049C5 Relevance: 2.6, APIs: 2, Instructions: 52stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00507730 Relevance: 37.7, APIs: 13, Strings: 12, Instructions: 188stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0050311C Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 64libraryloaderthreadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00505A45 Relevance: 34.6, APIs: 10, Strings: 13, Instructions: 148stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0050402F Relevance: 33.5, APIs: 17, Strings: 2, Instructions: 214stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 005067C2 Relevance: 31.6, APIs: 12, Strings: 9, Instructions: 82stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00507093 Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 116registryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00505BF9 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 172stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00503EF3 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 95memorylibrarynetworkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 005042CE Relevance: 15.1, APIs: 8, Strings: 2, Instructions: 128stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 005073E8 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 36stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00504EEA Relevance: 12.1, APIs: 8, Instructions: 107fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00503A35 Relevance: 10.6, APIs: 7, Instructions: 118COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00504244 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 60stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00507940 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 45librarystringloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00505F2A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 41filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00503819 Relevance: 9.1, APIs: 6, Instructions: 90networkCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 005047B7 Relevance: 9.1, APIs: 6, Instructions: 73memorystringthreadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0050315C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00506B89 Relevance: 6.2, APIs: 4, Instructions: 173stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |