Edit tour
Windows
Analysis Report
file.exe
Overview
General Information
| Sample name: | file.exe |
| Analysis ID: | 1428845 |
| MD5: | c9ad12873e4b3f8ae042800ab6ca01b5 |
| SHA1: | 4a687ce2dddd416b7da22724c312588d737b36b1 |
| SHA256: | 3eb812720aa52ff562da685c76976d20a569c2f0a929bde19558bdd4241e9867 |
| Tags: | exe |
| Infos: |  |
 | |
Detection
RedLine
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Snort IDS alert for network traffic
Yara detected RedLine Stealer
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops certificate files (DER)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
file.exe (PID: 6496 cmdline: "C:\Users\ user\Deskt op\file.ex e" MD5: C9AD12873E4B3F8AE042800AB6CA01B5) 
conhost.exe (PID: 6512 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - RegAsm.exe (PID: 6680 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Asm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13) - RegAsm.exe (PID: 6708 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Asm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| RedLine Stealer | RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. | No Attribution |
{"C2 url": ["5.42.65.50:33080"], "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security | ||
| JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | ||
| JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| Click to see the 3 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | ||
| JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | ||
| JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | ||
| JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
⊘No Sigma rule has matched
| Timestamp: | 04/19/24-17:46:01.373743 |
| SID: | 2046045 |
| Source Port: | 49730 |
| Destination Port: | 33080 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 04/19/24-17:46:06.860200 |
| SID: | 2046056 |
| Source Port: | 33080 |
| Destination Port: | 49730 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 04/19/24-17:46:13.759629 |
| SID: | 2043231 |
| Source Port: | 49730 |
| Destination Port: | 33080 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 04/19/24-17:46:01.590722 |
| SID: | 2043234 |
| Source Port: | 33080 |
| Destination Port: | 49730 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_010090D1 | |
| Source: | Code function: | 3_2_06B806A8 | |
| Source: | Code function: | 3_2_06B80340 | |
| Source: | Code function: | 3_2_06B83DF8 | |
Networking | |
|---|
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | URLs: | ||
| Source: | TCP traffic: | ||
| Source: | IP Address: | ||
| Source: | ASN Name: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | Code function: | 0_2_01024850 | |
| Source: | Code function: | 0_2_01003092 | |
| Source: | Code function: | 0_2_00FFB962 | |
| Source: | Code function: | 0_2_01004C60 | |
| Source: | Code function: | 0_2_0100B736 | |
| Source: | Code function: | 0_2_00FFF680 | |
| Source: | Code function: | 0_2_0100CF9B | |
| Source: | Code function: | 0_2_01024FD5 | |
| Source: | Code function: | 3_2_00E625D8 | |
| Source: | Code function: | 3_2_00E6DC74 | |
| Source: | Code function: | 3_2_05006948 | |
| Source: | Code function: | 3_2_05007C20 | |
| Source: | Code function: | 3_2_05000007 | |
| Source: | Code function: | 3_2_05000040 | |
| Source: | Code function: | 3_2_05007C12 | |
| Source: | Code function: | 3_2_05005A45 | |
| Source: | Code function: | 3_2_064667D8 | |
| Source: | Code function: | 3_2_0646A3E8 | |
| Source: | Code function: | 3_2_06463F50 | |
| Source: | Code function: | 3_2_0646A3D8 | |
| Source: | Code function: | 3_2_06466FE8 | |
| Source: | Code function: | 3_2_06466FF8 | |
| Source: | Code function: | 3_2_06B8BB70 | |
| Source: | Code function: | 3_2_06B8F8E0 | |
| Source: | Code function: | 3_2_06B806A8 | |
| Source: | Code function: | 3_2_06B810F0 | |
| Source: | Code function: | 3_2_06B83138 | |
| Source: | Code function: | 3_2_06B83148 | |
| Source: | Code function: | 3_2_06B83DF8 | |
| Source: | Code function: | 3_2_06B81BA0 | |
| Source: | Code function: | 3_2_06B86BD8 | |
| Source: | Code function: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | LNK file: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00FF61DF | |
| Source: | Code function: | 0_2_01024556 | |
| Source: | Code function: | 0_2_01024556 | |
| Source: | Code function: | 0_2_01024565 | |
| Source: | Code function: | 0_2_01024556 | |
| Source: | Code function: | 0_2_01024565 | |
| Source: | Code function: | 0_2_010245C2 | |
| Source: | Code function: | 0_2_010245D2 | |
| Source: | Code function: | 3_2_0646E070 | |
| Source: | Code function: | 3_2_0646001C | |
| Source: | Code function: | 3_2_0646ED01 | |
| Source: | Code function: | 3_2_06463B53 | |
| Source: | Code function: | 3_2_064649AD | |
Persistence and Installation Behavior | |
|---|
| Source: | Registry value created: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | Code function: | 0_2_010090D1 | |
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_00FFD209 | |
| Source: | Code function: | 0_2_01000947 | |
| Source: | Code function: | 0_2_0100A24C | |
| Source: | Code function: | 0_2_0100C84B | |
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Code function: | 0_2_00FF693B | |
| Source: | Code function: | 0_2_00FFD209 | |
| Source: | Code function: | 0_2_00FF64D0 | |
| Source: | Code function: | 0_2_00FF67DF | |
| Source: | Memory allocated: | Jump to behavior | ||
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Code function: | 0_2_0106AC4D | |
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00FF62BC | |
| Source: | Code function: | 0_2_0100C00D | |
| Source: | Code function: | 0_2_0100C098 | |
| Source: | Code function: | 0_2_010052B3 | |
| Source: | Code function: | 0_2_0100C2EB | |
| Source: | Code function: | 0_2_0100C51A | |
| Source: | Code function: | 0_2_0100C5E9 | |
| Source: | Code function: | 0_2_0100C414 | |
| Source: | Code function: | 0_2_0100BC85 | |
| Source: | Code function: | 0_2_0100BF27 | |
| Source: | Code function: | 0_2_0100BF72 | |
| Source: | Code function: | 0_2_010057D9 | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_00FF66D2 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 221 Windows Management Instrumentation | 1 DLL Side-Loading | 411 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 251 Security Software Discovery | Remote Desktop Protocol | 3 Data from Local System | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 241 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 411 Process Injection | NTDS | 241 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 2 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Install Root Certificate | DCSync | 134 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira | HEUR/AGEN.1352999 | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe |
⊘No contacted domains info
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true | unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | unknown | |||
| false | unknown | |||
| false | high | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | high | |||
| false | unknown | |||
| false | high | |||
| false | unknown | |||
| false | high | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | high | |||
| false | unknown | |||
| false | unknown | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | unknown | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | unknown | |||
| false | unknown | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | unknown | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | unknown | |||
| false | high | |||
| false | high | |||
| false | unknown | |||
| false | high | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | high | |||
| false | unknown | |||
| false | high | |||
| false | unknown | |||
| false | high | |||
| false | unknown | |||
| false | high | |||
| false | unknown | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | unknown | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | high | |||
| false | high | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | high | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | high | |||
| false | unknown | |||
| false | unknown | |||
| false | high | |||
| false | unknown | |||
| false | unknown | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | unknown | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 5.42.65.50 | unknown | Russian Federation | 39493 | RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | true |
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1428845 |
| Start date and time: | 2024-04-19 17:45:07 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 5m 3s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 7 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | file.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@6/5@0/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtAllocateVirtualMemory calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
- VT rate limit hit for: file.exe
| Time | Type | Description |
|---|---|---|
| 17:46:08 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 5.42.65.50 | Get hash | malicious | LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer | Browse | ||
| Get hash | malicious | RedLine | Browse | |||
| Get hash | malicious | RedLine | Browse | |||
| Get hash | malicious | RedLine, Xmrig | Browse | |||
| Get hash | malicious | LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, RedLine, SmokeLoader | Browse | |||
| Get hash | malicious | LummaC, Babuk, Djvu, LummaC Stealer, RedLine, SmokeLoader | Browse | |||
| Get hash | malicious | RedLine | Browse | |||
| Get hash | malicious | RedLine | Browse | |||
| Get hash | malicious | Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader | Browse | |||
| Get hash | malicious | GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer | Browse |
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | Get hash | malicious | LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer | Browse |
| |
| Get hash | malicious | RedLine | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
| ||
| Get hash | malicious | Glupteba, PureLog Stealer, zgRAT | Browse |
| ||
| Get hash | malicious | RedLine, Xmrig | Browse |
| ||
| Get hash | malicious | LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, RedLine, SmokeLoader | Browse |
| ||
| Get hash | malicious | LummaC, Babuk, Djvu, LummaC Stealer, RedLine, SmokeLoader | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
|
⊘No context
⊘No context
| Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 2104 |
| Entropy (8bit): | 3.4599413576416165 |
| Encrypted: | false |
| SSDEEP: | 48:8SmdPTndGRYrnvPdAKRkdAGdAKRFdAKR/U:8Su5 |
| MD5: | 450CE6DA8A3164388BE258615BD4DD84 |
| SHA1: | 0E91F56AE2CD108498972E1951B27CB6530F2AD8 |
| SHA-256: | 10439D716F5C2AF93F3DA91F27D0EC4803BD0BEF71746C70379B5D94866BC803 |
| SHA-512: | BB619858A4F5659BC8E4832FCDDAD3BCB8D4FBB56FFACE007653EDC4A5994B5CD8AAFC59E8548193AD22FBDABED78B3DDB34D5396805C5EA477ECC4BE1B29D37 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 3274 |
| Entropy (8bit): | 5.3318368586986695 |
| Encrypted: | false |
| SSDEEP: | 96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqc85VD:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlq0 |
| MD5: | 0C1110E9B7BBBCB651A0B7568D796468 |
| SHA1: | 7AEE00407EE27655FFF0ADFBC96CF7FAD9610AAA |
| SHA-256: | 112E21404A85963FB5DF8388F97429D6A46E9D4663435CC86267C563C0951FA2 |
| SHA-512: | 46E37552764B4E61006AB99F8C542D55B2418668B097D3C6647D306604C3D7CA3FAF34F8B4121D94B0E7168295B2ABEB7C21C3B96F37208943537B887BC81590 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 2662 |
| Entropy (8bit): | 7.8230547059446645 |
| Encrypted: | false |
| SSDEEP: | 48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g |
| MD5: | 1420D30F964EAC2C85B2CCFE968EEBCE |
| SHA1: | BDF9A6876578A3E38079C4F8CF5D6C79687AD750 |
| SHA-256: | F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9 |
| SHA-512: | 6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8 |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 2662 |
| Entropy (8bit): | 7.8230547059446645 |
| Encrypted: | false |
| SSDEEP: | 48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g |
| MD5: | 1420D30F964EAC2C85B2CCFE968EEBCE |
| SHA1: | BDF9A6876578A3E38079C4F8CF5D6C79687AD750 |
| SHA-256: | F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9 |
| SHA-512: | 6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8 |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06
Download File
| Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 2251 |
| Entropy (8bit): | 0.0 |
| Encrypted: | false |
| SSDEEP: | 3:: |
| MD5: | 0158FE9CEAD91D1B027B795984737614 |
| SHA1: | B41A11F909A7BDF1115088790A5680AC4E23031B |
| SHA-256: | 513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A |
| SHA-512: | C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676 |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.676537576463092 |
| TrID: |
|
| File name: | file.exe |
| File size: | 503'296 bytes |
| MD5: | c9ad12873e4b3f8ae042800ab6ca01b5 |
| SHA1: | 4a687ce2dddd416b7da22724c312588d737b36b1 |
| SHA256: | 3eb812720aa52ff562da685c76976d20a569c2f0a929bde19558bdd4241e9867 |
| SHA512: | 6b4e5a2b296d00bc2179616aaa4a040cc1938872ea9b309683226fe8979c39e6976d3c9980b1983378f081cfd76ce6af37e3b9196fbd05c584caf1e0ddf3e016 |
| SSDEEP: | 12288:Z0fa1MGNMpySMcLnZ+LdfdyQPT7tnirfoCe:ka1zNM3zZIddB7tyQR |
| TLSH: | E3B4E15571C08073D5A728324AF4D7B9AA3DF9300B52698F67A94F7F4F30381D621AAB |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........E\..+...+...+.B.(...+.B...;.+.B./...+.B.*...+...*...+.SN/...+.SN(...+.SN....+.bM"...+.bM)...+.Rich..+.........PE..L....~"f... |
 | |
| Icon Hash: | 90cececece8e8eb0 |
| Entrypoint: | 0x405f71 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows cui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x66227EEA [Fri Apr 19 14:25:46 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | f578d161341ba8161650c97fe866d0ab |
| Instruction |
|---|
| call 00007F9585656AFEh |
| jmp 00007F95856561C9h |
| push ebp |
| mov ebp, esp |
| mov eax, dword ptr [ebp+08h] |
| push esi |
| mov ecx, dword ptr [eax+3Ch] |
| add ecx, eax |
| movzx eax, word ptr [ecx+14h] |
| lea edx, dword ptr [ecx+18h] |
| add edx, eax |
| movzx eax, word ptr [ecx+06h] |
| imul esi, eax, 28h |
| add esi, edx |
| cmp edx, esi |
| je 00007F958565636Bh |
| mov ecx, dword ptr [ebp+0Ch] |
| cmp ecx, dword ptr [edx+0Ch] |
| jc 00007F958565635Ch |
| mov eax, dword ptr [edx+08h] |
| add eax, dword ptr [edx+0Ch] |
| cmp ecx, eax |
| jc 00007F958565635Eh |
| add edx, 28h |
| cmp edx, esi |
| jne 00007F958565633Ch |
| xor eax, eax |
| pop esi |
| pop ebp |
| ret |
| mov eax, edx |
| jmp 00007F958565634Bh |
| push esi |
| call 00007F9585656DD5h |
| test eax, eax |
| je 00007F9585656372h |
| mov eax, dword ptr fs:[00000018h] |
| mov esi, 0047B70Ch |
| mov edx, dword ptr [eax+04h] |
| jmp 00007F9585656356h |
| cmp edx, eax |
| je 00007F9585656362h |
| xor eax, eax |
| mov ecx, edx |
| lock cmpxchg dword ptr [esi], ecx |
| test eax, eax |
| jne 00007F9585656342h |
| xor al, al |
| pop esi |
| ret |
| mov al, 01h |
| pop esi |
| ret |
| push ebp |
| mov ebp, esp |
| cmp dword ptr [ebp+08h], 00000000h |
| jne 00007F9585656359h |
| mov byte ptr [0047B710h], 00000001h |
| call 00007F958565660Bh |
| call 00007F9585659378h |
| test al, al |
| jne 00007F9585656356h |
| xor al, al |
| pop ebp |
| ret |
| call 00007F95856629A8h |
| test al, al |
| jne 00007F958565635Ch |
| push 00000000h |
| call 00007F958565937Fh |
| pop ecx |
| jmp 00007F958565633Bh |
| mov al, 01h |
| pop ebp |
| ret |
| push ebp |
| mov ebp, esp |
| cmp byte ptr [0047B711h], 00000000h |
| je 00007F9585656356h |
| mov al, 01h |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2d5e8 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7d000 | 0x1ad8 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2bbe0 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2bb20 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x24000 | 0x140 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x2141f | 0x21600 | 45f90ba7fec42844709dd5a33ed30d49 | False | 0.5795148642322098 | data | 6.630131576402872 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .bss | 0x23000 | 0x3c2 | 0x400 | d14c206ab71341ede3901479a932d666 | False | 0.751953125 | data | 6.255853854636498 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x24000 | 0x9d20 | 0x9e00 | d71ca39436edf52c27bf3a24c00f4a58 | False | 0.43623912183544306 | DIY-Thermocam raw data (Lepton 3.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 8589934592.000000, slope 2418061182712720643850240.000000 | 4.979954979638253 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x2e000 | 0x4e228 | 0x4d600 | ae3ebae5a68388bac78a1b17700af1b7 | False | 0.9879152362681745 | DOS executable (block device driver \377\377\377\377,32-bit sector-support) | 7.989782811225375 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .reloc | 0x7d000 | 0x1ad8 | 0x1c00 | ab8e07fb057287a476331407b0e45295 | False | 0.7296316964285714 | data | 6.374869257528181 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| DLL | Import |
|---|---|
| KERNEL32.dll | WaitForSingleObjectEx, CloseHandle, FreeConsole, VirtualProtectEx, CreateRemoteThread, MultiByteToWideChar, GetStringTypeW, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, CreateFileW, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, GetFileType, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileSizeEx, SetFilePointerEx, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetProcessHeap, ReadConsoleW, HeapSize, WriteConsoleW |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 04/19/24-17:46:01.373743 | TCP | 2046045 | ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| 04/19/24-17:46:06.860200 | TCP | 2046056 | ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| 04/19/24-17:46:13.759629 | TCP | 2043231 | ET TROJAN Redline Stealer TCP CnC Activity | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| 04/19/24-17:46:01.590722 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Apr 19, 2024 17:46:00.888281107 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:01.100178957 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:01.100322008 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:01.112889051 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:01.325066090 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:01.373743057 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:01.590722084 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:01.640321016 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:06.644601107 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:06.860199928 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:06.860219955 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:06.860230923 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:06.860238075 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:06.860249043 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:06.860361099 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:06.860419035 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:06.988401890 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:07.200787067 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:07.249732971 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:07.268594027 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:07.480577946 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:07.480690956 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:07.480725050 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:07.480767012 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:07.480849981 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:07.692831993 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:07.692878008 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:07.692962885 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:07.693847895 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:07.693919897 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:07.909338951 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:07.909400940 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:07.909562111 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:07.909733057 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:07.909940958 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.121476889 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.121505976 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.121686935 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:08.121910095 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.122005939 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:08.122097969 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.122162104 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:08.122179031 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.122390032 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.122467995 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.122836113 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.122908115 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.123148918 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:08.123219013 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.123254061 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:08.123298883 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.164016008 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.333925009 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.333945036 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.334233999 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.334748030 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.334803104 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.334889889 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.335299969 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.335335016 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.335520029 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.335853100 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.335958004 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:08.335979939 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.336014986 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.336150885 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:08.336282969 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.336807013 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.336941957 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.337244987 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.337361097 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.337604046 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:08.337740898 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:08.547889948 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.547947884 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.548032045 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.548197031 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.548516035 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.548929930 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.549055099 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.549201965 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.549444914 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.549576998 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.549731016 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.550076008 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.550101995 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:08.550302982 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:08.550316095 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.550520897 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.550719976 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.550812960 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.550889015 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.551369905 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.551402092 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.551476002 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.551914930 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.552198887 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:08.552325964 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:08.762012959 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.762125969 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.762159109 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.762192965 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.762609959 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.762638092 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.762947083 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.762968063 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.763359070 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.763370037 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.764142036 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.764226913 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.764491081 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:08.764708042 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:08.764812946 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.764825106 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.765007019 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.765017986 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.765273094 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.765539885 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.765826941 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.766084909 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:08.766241074 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:08.976330042 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.976388931 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.976423979 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.976983070 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.977094889 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.977129936 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.977164030 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.977200031 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.977269888 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.977503061 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:08.979368925 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.979403019 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.979435921 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:08.979469061 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:09.189744949 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:09.191483021 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:09.234066963 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:09.582618952 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:09.796258926 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:09.799221039 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:09.823612928 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:10.036582947 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:10.041766882 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:10.254038095 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:10.262917995 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:10.475959063 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:10.478504896 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:10.690783024 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:10.694576025 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:10.907038927 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:10.943166971 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:11.155931950 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:11.159832001 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:11.371942043 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:11.375854015 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:11.589466095 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:11.594537020 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:11.807043076 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:11.808047056 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:12.020556927 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:12.062203884 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:12.156868935 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:12.373675108 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:12.421550989 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:12.424582005 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:12.636460066 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:12.636480093 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:12.636778116 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:12.636797905 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:12.637672901 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:12.639383078 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:12.851864100 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:12.905921936 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:12.939644098 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:13.154464006 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:13.159665108 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:13.371655941 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:13.372818947 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:13.373600006 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:13.586390972 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:13.640291929 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:13.759629011 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
| Apr 19, 2024 17:46:13.976141930 CEST | 33080 | 49730 | 5.42.65.50 | 192.168.2.4 |
| Apr 19, 2024 17:46:14.021796942 CEST | 49730 | 33080 | 192.168.2.4 | 5.42.65.50 |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 17:45:58 |
| Start date: | 19/04/2024 |
| Path: | C:\Users\user\Desktop\file.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xff0000 |
| File size: | 503'296 bytes |
| MD5 hash: | C9AD12873E4B3F8AE042800AB6CA01B5 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 17:45:58 |
| Start date: | 19/04/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7699e0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 17:45:58 |
| Start date: | 19/04/2024 |
| Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x200000 |
| File size: | 65'440 bytes |
| MD5 hash: | 0D5DF43AF2916F47D00C1573797C1A13 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 17:45:58 |
| Start date: | 19/04/2024 |
| Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x740000 |
| File size: | 65'440 bytes |
| MD5 hash: | 0D5DF43AF2916F47D00C1573797C1A13 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | high |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 5.5% |
| Dynamic/Decrypted Code Coverage: | 0.4% |
| Signature Coverage: | 1.3% |
| Total number of Nodes: | 2000 |
| Total number of Limit Nodes: | 47 |
Graph
Function 0106AC4D Relevance: 26.5, APIs: 11, Strings: 4, Instructions: 282threadinjectionmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0100A24C Relevance: .0, Instructions: 22COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01000947 Relevance: .0, Instructions: 12COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010132DF Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 81threadinjectionCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0100547C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010083DF Relevance: 7.7, APIs: 5, Instructions: 202COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01009B7D Relevance: 3.2, APIs: 2, Instructions: 177COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FF4FA8 Relevance: 3.1, APIs: 2, Instructions: 116COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01004652 Relevance: 3.1, APIs: 2, Instructions: 65COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01009781 Relevance: 1.6, APIs: 1, Instructions: 147COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FF1BFF Relevance: 1.6, APIs: 1, Instructions: 69COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FF2323 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0100CF9B Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0100C414 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0100BC85 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FF67DF Relevance: 6.1, APIs: 4, Instructions: 70COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0100C098 Relevance: 4.7, APIs: 3, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FF62BC Relevance: 1.6, APIs: 1, Instructions: 147COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010090D1 Relevance: 1.6, APIs: 1, Instructions: 140COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0100C2EB Relevance: 1.6, APIs: 1, Instructions: 83COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0100C51A Relevance: 1.5, APIs: 1, Instructions: 45COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FF693B Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0100C84B Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01024FD5 Relevance: .9, Instructions: 943COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01024850 Relevance: .6, Instructions: 555COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0100B736 Relevance: .3, Instructions: 327COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FF9438 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FF4457 Relevance: 10.6, APIs: 7, Instructions: 65COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0100EF6F Relevance: 9.3, APIs: 6, Instructions: 298COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01000969 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FF36B0 Relevance: 7.5, APIs: 5, Instructions: 48COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FF2F91 Relevance: 7.5, APIs: 5, Instructions: 48COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FF34E8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FFA212 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01008E8E Relevance: 6.1, APIs: 4, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FFFCAB Relevance: 6.1, APIs: 4, Instructions: 79COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01009E24 Relevance: 6.1, APIs: 4, Instructions: 74COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FF97DD Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FF15DF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Execution Graph
| Execution Coverage: | 7.4% |
| Dynamic/Decrypted Code Coverage: | 100% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 95 |
| Total number of Limit Nodes: | 10 |
Graph
Function 06B8BB70 Relevance: 14.9, Strings: 11, Instructions: 1127COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06B8F8E0 Relevance: 6.8, Strings: 5, Instructions: 515COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06463F50 Relevance: 1.8, Strings: 1, Instructions: 520COMMON
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 064667D8 Relevance: .4, Instructions: 411COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646A3D8 Relevance: .3, Instructions: 298COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646A3E8 Relevance: .3, Instructions: 289COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06440D80 Relevance: 21.9, Strings: 17, Instructions: 621COMMON
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06B8D450 Relevance: 19.5, Strings: 15, Instructions: 714COMMON
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06441530 Relevance: 17.0, Strings: 12, Instructions: 1959COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06B8F680 Relevance: 2.7, Strings: 2, Instructions: 187COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06B8A97F Relevance: 2.7, Strings: 2, Instructions: 182COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06B8E191 Relevance: 2.5, Strings: 2, Instructions: 31COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06440598 Relevance: 1.7, Strings: 1, Instructions: 462COMMON
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00E6AE30 Relevance: 1.7, APIs: 1, Instructions: 196COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05000BFC Relevance: 1.6, APIs: 1, Instructions: 97COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00E64248 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00E65935 Relevance: 1.6, APIs: 1, Instructions: 93COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00E6C9A0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00E6D2F9 Relevance: 1.6, APIs: 1, Instructions: 64COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00E6A870 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00E6B2A0 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00E6B020 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06463DE0 Relevance: 1.4, Strings: 1, Instructions: 107COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 064684D8 Relevance: 1.3, Strings: 1, Instructions: 98COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06B8B385 Relevance: 1.3, Strings: 1, Instructions: 95COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 064684C8 Relevance: 1.3, Strings: 1, Instructions: 90COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06B8AC47 Relevance: 1.3, Strings: 1, Instructions: 82COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06B8AC58 Relevance: 1.3, Strings: 1, Instructions: 72COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646B358 Relevance: 1.3, Strings: 1, Instructions: 43COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06B8F8DA Relevance: 1.3, Strings: 1, Instructions: 43COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06463EC8 Relevance: 1.3, Strings: 1, Instructions: 36COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646B368 Relevance: 1.3, Strings: 1, Instructions: 32COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 064400D8 Relevance: .7, Instructions: 676COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06442070 Relevance: .6, Instructions: 569COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06440610 Relevance: .4, Instructions: 450COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06443B22 Relevance: .4, Instructions: 407COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06440688 Relevance: .4, Instructions: 389COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06B8B4B0 Relevance: .4, Instructions: 371COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06440700 Relevance: .4, Instructions: 354COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 064400B7 Relevance: .3, Instructions: 339COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06464AFF Relevance: .3, Instructions: 294COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06467D58 Relevance: .1, Instructions: 147COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06443328 Relevance: .1, Instructions: 143COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06467D4C Relevance: .1, Instructions: 128COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 064659C8 Relevance: .1, Instructions: 118COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06443308 Relevance: .1, Instructions: 116COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06465579 Relevance: .1, Instructions: 101COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646F920 Relevance: .1, Instructions: 99COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06465588 Relevance: .1, Instructions: 96COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06B8AE30 Relevance: .1, Instructions: 95COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 064687A0 Relevance: .1, Instructions: 93COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06441514 Relevance: .1, Instructions: 93COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06468796 Relevance: .1, Instructions: 78COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0644360B Relevance: .1, Instructions: 78COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06468A98 Relevance: .1, Instructions: 77COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00DED3D8 Relevance: .1, Instructions: 75COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00DED4C4 Relevance: .1, Instructions: 75COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06B8FF20 Relevance: .1, Instructions: 72COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06B8BB61 Relevance: .1, Instructions: 72COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06441068 Relevance: .1, Instructions: 72COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00DFD01C Relevance: .1, Instructions: 72COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06B8B021 Relevance: .1, Instructions: 66COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646549F Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06468A8C Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00DFD005 Relevance: .1, Instructions: 62COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646BC5F Relevance: .1, Instructions: 60COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06468C58 Relevance: .1, Instructions: 57COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00DED3D3 Relevance: .1, Instructions: 56COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00DED4BF Relevance: .1, Instructions: 56COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646C499 Relevance: .0, Instructions: 50COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06468350 Relevance: .0, Instructions: 50COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646BC70 Relevance: .0, Instructions: 46COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06B8AF90 Relevance: .0, Instructions: 46COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646E8B0 Relevance: .0, Instructions: 45COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00DEDA25 Relevance: .0, Instructions: 45COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06466E90 Relevance: .0, Instructions: 44COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06B8A778 Relevance: .0, Instructions: 44COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646C4A8 Relevance: .0, Instructions: 42COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06465508 Relevance: .0, Instructions: 42COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646C170 Relevance: .0, Instructions: 39COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06B8BA9A Relevance: .0, Instructions: 39COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06468F42 Relevance: .0, Instructions: 38COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646ADE9 Relevance: .0, Instructions: 38COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06468F50 Relevance: .0, Instructions: 37COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646ACB8 Relevance: .0, Instructions: 36COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06B8FF30 Relevance: .0, Instructions: 36COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00DEDA24 Relevance: .0, Instructions: 36COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646C110 Relevance: .0, Instructions: 35COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06466EA0 Relevance: .0, Instructions: 35COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646FF50 Relevance: .0, Instructions: 35COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06B8AE21 Relevance: .0, Instructions: 35COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 064667C8 Relevance: .0, Instructions: 34COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06468FC0 Relevance: .0, Instructions: 33COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06B8BB0A Relevance: .0, Instructions: 33COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06468341 Relevance: .0, Instructions: 32COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06B8AD30 Relevance: .0, Instructions: 32COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 064654F8 Relevance: .0, Instructions: 31COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06B8F67A Relevance: .0, Instructions: 31COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06B8BAA8 Relevance: .0, Instructions: 31COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646FF60 Relevance: .0, Instructions: 30COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06B8FD78 Relevance: .0, Instructions: 30COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646ADF8 Relevance: .0, Instructions: 28COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06B8D3F0 Relevance: .0, Instructions: 28COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646C180 Relevance: .0, Instructions: 27COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646CC38 Relevance: .0, Instructions: 27COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646B500 Relevance: .0, Instructions: 26COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06B8BB18 Relevance: .0, Instructions: 26COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06B8E948 Relevance: .0, Instructions: 26COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646C120 Relevance: .0, Instructions: 25COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646CE88 Relevance: .0, Instructions: 25COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06B8AD40 Relevance: .0, Instructions: 24COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06465698 Relevance: .0, Instructions: 23COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646E8F8 Relevance: .0, Instructions: 23COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646F910 Relevance: .0, Instructions: 23COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646E280 Relevance: .0, Instructions: 22COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646E1FF Relevance: .0, Instructions: 22COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646AC80 Relevance: .0, Instructions: 20COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646B510 Relevance: .0, Instructions: 19COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06B8EB90 Relevance: .0, Instructions: 19COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646E210 Relevance: .0, Instructions: 16COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646F8EA Relevance: .0, Instructions: 15COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646DFD1 Relevance: .0, Instructions: 9COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06463721 Relevance: .0, Instructions: 8COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06B83DF8 Relevance: 2.9, Strings: 2, Instructions: 364COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06B806A8 Relevance: .4, Instructions: 426COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06B80340 Relevance: .2, Instructions: 190COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646E2C7 Relevance: 46.6, Strings: 37, Instructions: 391COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646E2D8 Relevance: 46.6, Strings: 37, Instructions: 383COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646CC7F Relevance: 16.4, Strings: 13, Instructions: 152COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646CC90 Relevance: 16.4, Strings: 13, Instructions: 143COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06B880C0 Relevance: 15.1, Strings: 12, Instructions: 144COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06B880D0 Relevance: 15.1, Strings: 12, Instructions: 140COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646CED1 Relevance: 10.1, Strings: 8, Instructions: 106COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646CEE0 Relevance: 10.1, Strings: 8, Instructions: 93COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06B8EBFA Relevance: 9.2, Strings: 7, Instructions: 471COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06B8EC08 Relevance: 9.2, Strings: 7, Instructions: 464COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646C968 Relevance: 8.8, Strings: 7, Instructions: 89COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646C978 Relevance: 8.8, Strings: 7, Instructions: 83COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646ED10 Relevance: 7.9, Strings: 6, Instructions: 381COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646D538 Relevance: 7.6, Strings: 6, Instructions: 84COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0646D548 Relevance: 7.6, Strings: 6, Instructions: 73COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06B8E419 Relevance: 6.5, Strings: 5, Instructions: 277COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06B8E428 Relevance: 6.5, Strings: 5, Instructions: 273COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |