Windows
Analysis Report
db_Usr.dll
Overview
General Information
Detection
Score: | 48 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- loaddll64.exe (PID: 7104 cmdline: loaddll64.exe "C:\Users\user\Desktop\db_Usr.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
  - conhost.exe (PID: 3160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - cmd.exe (PID: 3180 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\db_Usr.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    - rundll32.exe (PID: 2956 cmdline: rundll32.exe "C:\Users\user\Desktop\db_Usr.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
      - WerFault.exe (PID: 3172 cmdline: C:\Windows\system32\WerFault.exe -u -p 2956 -s 332 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  - rundll32.exe (PID: 4068 cmdline: rundll32.exe C:\Users\user\Desktop\db_Usr.dll,GetAnalyzerInterfaceByType MD5: EF3179D498793BF4234F708D3BE28633)
    - WerFault.exe (PID: 6148 cmdline: C:\Windows\system32\WerFault.exe -u -p 4068 -s 316 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  - rundll32.exe (PID: 180 cmdline: rundll32.exe C:\Users\user\Desktop\db_Usr.dll,GetAnalyzerTypes MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 6180 cmdline: rundll32.exe C:\Users\user\Desktop\db_Usr.dll,GetConfiguratorInterfaceByType MD5: EF3179D498793BF4234F708D3BE28633)
    - WerFault.exe (PID: 4372 cmdline: C:\Windows\system32\WerFault.exe -u -p 6180 -s 328 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  - rundll32.exe (PID: 3496 cmdline: rundll32.exe "C:\Users\user\Desktop\db_Usr.dll",GetAnalyzerInterfaceByType MD5: EF3179D498793BF4234F708D3BE28633)
    - WerFault.exe (PID: 6484 cmdline: C:\Windows\system32\WerFault.exe -u -p 3496 -s 328 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  - rundll32.exe (PID: 4276 cmdline: rundll32.exe "C:\Users\user\Desktop\db_Usr.dll",GetAnalyzerTypes MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 3608 cmdline: rundll32.exe "C:\Users\user\Desktop\db_Usr.dll",GetConfiguratorInterfaceByType MD5: EF3179D498793BF4234F708D3BE28633)
- cleanup

The tree is the sandbox's default handling of a DLL sample: loaddll64.exe loads the file, the ordinal #1 entry point is run through cmd.exe, and each named export (GetAnalyzerInterfaceByType, GetAnalyzerTypes, GetConfiguratorInterfaceByType) is invoked in its own rundll32.exe, once with the path unquoted and once quoted. The WerFault.exe instances identify the invocations that crashed through their -p argument: #1 (PID 2956), both GetAnalyzerInterfaceByType runs (PIDs 4068 and 3496) and one of the two GetConfiguratorInterfaceByType runs (PID 6180). The two GetAnalyzerTypes runs and the second GetConfiguratorInterfaceByType run (PID 3608) produced no crash report.
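Reading a tree like this by eye is error-prone once there are a dozen rundll32.exe instances. The following Python is an added example, not part of the Joe Sandbox report: it parses the process lines above (reflowed one per line), pairs every WerFault.exe with the rundll32.exe export that was executing when it crashed, and flags the traits a triage analyst looks for first: a DLL loaded from a user-writable directory, an export called by ordinal, and a crash. The list of "user-writable" path fragments is an assumption for illustration, not something the report states.

```python
import re

# Constructed input: the report's process tree, reflowed to Joe Sandbox's
# "image (PID: n cmdline: ... MD5: ...)" form, one process per line.
PROCESS_TREE = r"""
loaddll64.exe (PID: 7104 cmdline: loaddll64.exe "C:\Users\user\Desktop\db_Usr.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
conhost.exe (PID: 3160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
cmd.exe (PID: 3180 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\db_Usr.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
rundll32.exe (PID: 2956 cmdline: rundll32.exe "C:\Users\user\Desktop\db_Usr.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
WerFault.exe (PID: 3172 cmdline: C:\Windows\system32\WerFault.exe -u -p 2956 -s 332 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
rundll32.exe (PID: 4068 cmdline: rundll32.exe C:\Users\user\Desktop\db_Usr.dll,GetAnalyzerInterfaceByType MD5: EF3179D498793BF4234F708D3BE28633)
WerFault.exe (PID: 6148 cmdline: C:\Windows\system32\WerFault.exe -u -p 4068 -s 316 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
rundll32.exe (PID: 180 cmdline: rundll32.exe C:\Users\user\Desktop\db_Usr.dll,GetAnalyzerTypes MD5: EF3179D498793BF4234F708D3BE28633)
rundll32.exe (PID: 6180 cmdline: rundll32.exe C:\Users\user\Desktop\db_Usr.dll,GetConfiguratorInterfaceByType MD5: EF3179D498793BF4234F708D3BE28633)
WerFault.exe (PID: 4372 cmdline: C:\Windows\system32\WerFault.exe -u -p 6180 -s 328 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
rundll32.exe (PID: 3496 cmdline: rundll32.exe "C:\Users\user\Desktop\db_Usr.dll",GetAnalyzerInterfaceByType MD5: EF3179D498793BF4234F708D3BE28633)
WerFault.exe (PID: 6484 cmdline: C:\Windows\system32\WerFault.exe -u -p 3496 -s 328 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
rundll32.exe (PID: 4276 cmdline: rundll32.exe "C:\Users\user\Desktop\db_Usr.dll",GetAnalyzerTypes MD5: EF3179D498793BF4234F708D3BE28633)
rundll32.exe (PID: 3608 cmdline: rundll32.exe "C:\Users\user\Desktop\db_Usr.dll",GetConfiguratorInterfaceByType MD5: EF3179D498793BF4234F708D3BE28633)
"""

PROC_RE = re.compile(r'^(?P<image>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmd>.*) MD5: (?P<md5>[0-9A-Fa-f]{32})\)$')
# rundll32 accepts the DLL path quoted or bare, followed by ",<ExportName>" or ",#<ordinal>".
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?(?P<dll>[^",]+)"?,(?P<export>\S+)', re.IGNORECASE)
# WerFault is launched with "-p <pid>" naming the faulting process.
WERFAULT_RE = re.compile(r'WerFault\.exe\b.*?-p\s+(?P<pid>\d+)', re.IGNORECASE)

# Assumed heuristic: path fragments that indicate a user-writable location.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\appdata\\", "\\temp\\")


def parse_process_tree(text):
    """Return {pid: {'image', 'cmd', 'md5'}} for every well-formed process line."""
    procs = {}
    for line in text.strip().splitlines():
        m = PROC_RE.match(line.strip())
        if m:
            procs[int(m['pid'])] = {'image': m['image'], 'cmd': m['cmd'], 'md5': m['md5'].upper()}
    return procs


def rundll32_invocations(procs):
    """Return {pid: (dll_path, export)} for each rundll32.exe process."""
    out = {}
    for pid, p in procs.items():
        if p['image'].lower() == 'rundll32.exe':
            m = RUNDLL_RE.search(p['cmd'])
            if m:
                out[pid] = (m['dll'], m['export'])
    return out


def crashed_exports(procs):
    """Map each WerFault -p <pid> back to the export that rundll32 was running."""
    inv = rundll32_invocations(procs)
    crashed = {}
    for p in procs.values():
        if p['image'].lower() != 'werfault.exe':
            continue
        m = WERFAULT_RE.search(p['cmd'])
        if m and int(m['pid']) in inv:
            crashed[int(m['pid'])] = inv[int(m['pid'])][1]
    return crashed


def triage(procs):
    """One finding per rundll32 invocation with the flags an analyst sorts on."""
    crashed = crashed_exports(procs)
    findings = []
    for pid, (dll, export) in sorted(rundll32_invocations(procs).items()):
        flags = []
        if any(tok in dll.lower() for tok in USER_WRITABLE):
            flags.append('dll-in-user-writable-path')
        if export.startswith('#'):
            flags.append('export-by-ordinal')
        if pid in crashed:
            flags.append('crashed')
        findings.append({'pid': pid, 'dll': dll, 'export': export, 'flags': flags})
    return findings


if __name__ == '__main__':
    for f in triage(parse_process_tree(PROCESS_TREE)):
        print(f"{f['pid']:>5}  {f['export']:<32} {', '.join(f['flags'])}")
```

Run on the tree above, the crashed set is exactly PIDs 2956, 4068, 6180 and 3496, and every invocation carries the user-writable-path flag because the sample sits on the Desktop; on real endpoint telemetry the same join (WerFault -p against the rundll32 command line) is what tells you which export of a sideloaded DLL fell over.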
Source: | Binary string: | 2 hits |
Source: | Code function: | 3_2_0000000180031E94 |
Networking |
---|
Source: | Network Connect: | 1 hit (the only contacted address in the IP table below is 185.219.221.136) |
Source: | ASN Name: | 1 hit (AS39378 SERVINGADE, see IP table below) |
Source: | TCP traffic detected without corresponding DNS query: | 8 hits |
Source: | Code function: | 12_2_00000195B44600CE |
Source: | String found in binary or memory: | 1 hit |
Source: | Network traffic detected: | 4 hits |
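"TCP traffic detected without corresponding DNS query" is the signature that matters most in this report: the sample reaches a hard-coded address rather than resolving a name, which is typical of loaders that carry their C2 IPs in the binary. The following Python is an added example, not part of the Joe Sandbox report, showing how that check is computed over a connection log: replay DNS answers and TCP connects in time order and flag every connect to a routable address that no earlier answer produced, skipping the sandbox's telemetry whitelist. The events are constructed; updates.example.net and its answer 93.184.216.34 are placeholders, while 185.219.221.136 comes from the IP table below and 52.168.117.173 from the excluded-IP note in the analysis settings.

```python
import ipaddress

# Constructed sample events (not from the report's capture). ISO-8601 timestamps so
# lexical order is chronological. 'dns' rows carry an answered A record; 'tcp' rows
# carry the destination of a connection attempt.
EVENTS = [
    {"ts": "2024-04-25T22:03:40", "type": "dns", "qname": "updates.example.net", "answer": "93.184.216.34"},
    {"ts": "2024-04-25T22:03:41", "type": "tcp", "dst": "93.184.216.34", "port": 443},   # resolved first: benign
    {"ts": "2024-04-25T22:04:09", "type": "tcp", "dst": "185.219.221.136", "port": 443}, # never resolved
    {"ts": "2024-04-25T22:04:10", "type": "tcp", "dst": "52.168.117.173", "port": 443},  # sandbox-whitelisted
    {"ts": "2024-04-25T22:04:11", "type": "tcp", "dst": "10.0.0.5", "port": 445},        # RFC 1918, ignored
    {"ts": "2024-04-25T22:04:33", "type": "tcp", "dst": "185.219.221.136", "port": 443}, # never resolved
]

# Addresses the report says were excluded from analysis (OS telemetry endpoints).
SANDBOX_WHITELIST = ("52.168.117.173", "20.42.73.29")


def find_direct_ip_connections(events, whitelist=()):
    """Flag TCP connects to routable addresses that no earlier DNS answer produced.

    Returns one finding per connect. A production detector would also bound the
    lookback by the answer's TTL; this replay treats any earlier answer as valid.
    """
    resolved = set()
    allow = {ipaddress.ip_address(a) for a in whitelist}
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "dns":
            resolved.add(ipaddress.ip_address(ev["answer"]))
            continue
        if ev["type"] != "tcp":
            continue
        dst = ipaddress.ip_address(ev["dst"])
        if not dst.is_global:  # RFC 1918, loopback, link-local, multicast, TEST-NETs
            continue
        if dst in allow or dst in resolved:
            continue
        findings.append({"ts": ev["ts"], "dst": str(dst), "port": ev["port"]})
    return findings


def summarize(findings):
    """Collapse per-connect findings into {dst: [ports]} for a triage view."""
    out = {}
    for f in findings:
        out.setdefault(f["dst"], []).append(f["port"])
    return out


if __name__ == "__main__":
    for dst, ports in summarize(find_direct_ip_connections(EVENTS, SANDBOX_WHITELIST)).items():
        print(f"direct-to-IP: {dst} ports={sorted(set(ports))} connects={len(ports)}")
```

With the whitelist applied, the only destination left is 185.219.221.136, twice, which matches the two API Interceptor timeline entries at 22:04:09 and 22:04:33 in the general information below. Without the whitelist the Azure telemetry address would also be flagged, which is why the sandbox excludes it before scoring.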
Source: | Code function: | 3_2_00000001800013E0, 3_2_0000000180015638, 3_2_0000000180033718, 3_2_0000000180006740, 3_2_000000018002E754, 3_2_0000000180034C48, 3_2_0000000180031C88, 3_2_0000000180006D10, 3_2_0000000180031E94, 12_2_00000195B44600CE, 12_2_00000195B44609A1, 17_2_0000020C5A8700CE, 17_2_0000020C5A8709A1 |
Source: | Process created: | 1 hit |
Source: | Binary or memory string: | 1 hit |
Source: | Classification label: | mal48.evad.winDLL@22/17@0/1 |
Source: | Mutant created: | 5 hits |
Source: | File created: | 1 hit |
Source: | Static PE information: | 1 hit |
Source: | Key opened: | 1 hit |
Source: | Process created: | 23 hits |
Source: | Section loaded: | 2 hits |
Source: | Static PE information: | 8 hits |
Source: | Binary string: | 2 hits |
Source: | Static PE information: | 5 hits |
Source: | Code function: | 3_2_0000000180002CA0 |
Source: | Static PE information: | 3 hits |
Source: | Code function: | 3_2_000000018001E168 |
Source: | Process information set: | 231 hits |
Source: | Thread sleep time: | 1 hit |
Source: | Last function: | 1 hit |
Source: | Code function: | 3_2_0000000180031E94, 3_2_0000000180009D20 |
Source: | Thread delayed: | 1 hit |
Source: | Binary or memory string: | 31 hits |
Source: | Process queried: | 10 hits |
Source: | Code function: | 3_2_000000018002D210, 3_2_0000000180002CA0, 3_2_0000000180033330, 3_2_000000018000C074, 3_2_000000018002D210, 3_2_000000018000C4F8 |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Network Connect: | 1 hit |
Source: | Process created: | 1 hit |
Source: | Code function: | 3_2_0000000180034340, 3_2_000000018000B090, 3_2_00000001800124D8 |
Source: | Binary or memory string: | 4 hits |
Source: | Code function: | 3_2_0000000180021A04, 3_2_0000000180022A60 |
Tactic | Matched techniques (leading number is the count of signatures mapped to the technique) |
---|---|
Execution | 1 Native API |
Persistence | 1 DLL Side-Loading |
Privilege Escalation | 111 Process Injection, 1 DLL Side-Loading |
Defense Evasion | 21 Virtualization/Sandbox Evasion, 111 Process Injection, 1 Rundll32, 1 DLL Side-Loading |
Discovery | 1 System Time Discovery, 41 Security Software Discovery, 21 Virtualization/Sandbox Evasion, 1 File and Directory Discovery, 14 System Information Discovery |
Collection | 1 Archive Collected Data |
Command and Control | 12 Encrypted Channel, 1 Ingress Tool Transfer, 1 Application Layer Protocol |
Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration, Impact | no matching signatures |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
db_Usr.dll | 12% | ReversingLabs | Win64.Malware.Generic | |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
185.219.221.136 | unknown | Sweden | 39378 | SERVINGADE | true |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1431865 |
Start date and time: | 2024-04-25 22:03:15 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 6m 2s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 25 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | db_Usr.dll (renamed file extension from sql to dll) |
Original Sample Name: | db_Usr.sql |
Detection: | MAL |
Classification: | mal48.evad.winDLL@22/17@0/1 |
EGA Information: | |
HCA Information: | |
- Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 52.168.117.173, 20.42.73.29
- Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target rundll32.exe, PID 4068 because there are no executed functions
- Not all processes were analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- VT rate limit hit for: db_Usr.dll
Time | Type | Description |
---|---|---|
22:04:09 | API Interceptor | |
22:04:33 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
185.219.221.136 | | | malicious | Bazar Loader | | |
185.219.221.136 | | | malicious | Unknown | | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
SERVINGADE | 10 associated samples | | malicious (all 10) | Unknown | | |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_db__1b87ef64a16ad462376f2db4ab981261bef3b791_c73d58ab_b2f3ca5e-b9ba-4fcb-873e-24a2179dcc68\Report.wer
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.7550143332935241 |
Encrypted: | false |
SSDEEP: | 96:zdFgbfLmiAPyKytsjLR4RveCbfOQXIDcQfc6mcEwcw3eXaXz+HbHgSQgJjOh88WJ:hwmiAPytCG0RiKgj2uzuiFZZ24lO8uy |
MD5: | 4EAFE77700D48887D73CAA8593D8AFD9 |
SHA1: | 61D8BB1B0303B3A517809B5427B03E28B377309F |
SHA-256: | 8F1D3485E210C554C546D2A0C84014911110388394089C7980608758B3C48FC0 |
SHA-512: | A44B4A43111EA454C0B693562D904D3E6B769D6A7E8987C7913C898980C0FBB940B5E5B8892308CFFE6B863E31810440EC021830242E0C346536FACACDFC56FA |
Malicious: | false |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_db__2f24483d5cae89ea74bb89d749f146a03c193cde_c73d58ab_2446f0af-ab7b-41de-b85f-917e3e32776e\Report.wer
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.7547443414102687 |
Encrypted: | false |
SSDEEP: | 96:HsFrLmi0yKy2sjLR4RveCbfQQXIDcQfc6mcE0cw3yXaXz+HbHgSQgJjOh88WpOye:Mlmi0y2CI0Riekj2uzuiFZZ24lO8uy |
MD5: | 8F726D5F444DCE60C196429CC4C631F9 |
SHA1: | 546EDEF46D21C3AFDFABC2F0006C0F4AC37BFFB6 |
SHA-256: | 7BC5FF7BAECEB7A3BDFE9DA402FDA3EA6455E76D08F8601FCB07C98DFAB6AD3F |
SHA-512: | 4B8398B76227325B617E68BA1D63F0C2FD575B01556352656802D53BF4D6843725E4A99C1FC2216200C41625F15734749A077D007EE1A7F08DBA8F97BE5ECD88 |
Malicious: | false |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_db__2f24483d5cae89ea74bb89d749f146a03c193cde_c73d58ab_9f936d4a-ed4d-4bd6-86dd-a6521ac0b55c\Report.wer
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.7550021288003151 |
Encrypted: | false |
SSDEEP: | 96:F4rF0bLwLmihyKyxsjLR4RveCbfQQXIDcQfc6mcE0cw3yXaXz+HbHgSQgJjOh88g:0tmihyxCI0Riekj2uzuiFZZ24lO8uy |
MD5: | CDE6EBF087558C1C139E4AF8060CDEC0 |
SHA1: | A465E44817CB174F9AD2E24C5FC0DEE4241A953F |
SHA-256: | DF5AA0BD894E3676D07D58E1A2DC4F4EC4609769260EADF8D680CF9579418020 |
SHA-512: | 6CE671C5419E22DE848899D1E7FE8141CBCA4FCC11063A5DBDC39A0A0C3A5AEE45AE730ECB3C3806E9E6644F861754002864F30CD2533E3AAD8B297CDA0A92C8 |
Malicious: | false |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_db__2f24483d5cae89ea74bb89d749f146a03c193cde_c73d58ab_f7d2f3ff-f520-43dc-8b1d-015fa9db15e6\Report.wer
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.7545985185272127 |
Encrypted: | false |
SSDEEP: | 96:/VFwGQLmiWyKyJsjLR4RveCbfQQXIDcQfc6mcE0cw3yXaXz+HbHgSQgJjOh88Wpo:dzEmiWyJCI0Riekj2uzuiFZZ24lO8uy |
MD5: | D2D06F72AD84CAB9A241508C3963A808 |
SHA1: | D6C2DBB0F439B5CCFAE199EBCE841AE5464B05A7 |
SHA-256: | 601F6E8CC9DD274015FEA63E77A7E6AAF8825B7A92A9B45AE0D69D376224C007 |
SHA-512: | 19EFDF880E270AF03CF848A789D0615A63B3AD9A8556016D47E5AAD2DE219003ACDF4901D218D6D8F40250523F9A44F60DFCF7A78CC9E8626A5C949FBF3185AA |
Malicious: | false |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 56068 |
Entropy (8bit): | 1.6484281004653722 |
Encrypted: | false |
SSDEEP: | 192:qy7M1OMsP/1GXlYlvyM5Gwyft+2r3lcJ13Y:EYdP/M2ByBlft+2rGJ1 |
MD5: | 00F04C8B8290F071D1C2B34D9AB7C7A2 |
SHA1: | EF8DD4EF3DACA6BDD75746EE5C226A4577566A14 |
SHA-256: | E6395E02FABED4CD93DFDB1B1D6904BE98B405E44B4A293B4C46B97F6F113D8E |
SHA-512: | 4DA363AEEBEB65AAD83B6B659987E399459BEBBC62E11DB7CC723A691473A314A2E11EF47E08DA67158AE7A67B0D74CF11FB4D9029703D2F9AEA025D1D7C2EDF |
Malicious: | false |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 55040 |
Entropy (8bit): | 1.6743453438052422 |
Encrypted: | false |
SSDEEP: | 96:578qE3n8c2H1vJJ/1ouihmaoi7MTJ0vhYVz6WGQi2YvL46wn86aWIwXIBbpyttDH:q7MOMTuvhG6WGQiRvpyv3j |
MD5: | 95CB3B84B42D69496B66F8792A33A371 |
SHA1: | 17DE3B60C3A4AF07DD06215D254F63DA632C5AF4 |
SHA-256: | 709F79670FA0A3E893D6A8E18DC717D868BF0C8DE3F2E46431633843C626C5D1 |
SHA-512: | 98B041D3C30A44ECA175164CE1E67900C307814110502AB70F4147E7C1F2E160279C3E47F15CF5B9C25DC2DCE8D65D5EE4B647BAB49C11DC1471C7E7C078A156 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8746 |
Entropy (8bit): | 3.698132855710452 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJHXaIH6Y8g1Pgmf4kllprr89bqdDfyum:R6lXJ3aIH6YpPgmf4klkqpfy |
MD5: | 8E23789B65366F9CDD2FB239E302EA47 |
SHA1: | 311D366E48B21740721C5268F07154D0B0B9A515 |
SHA-256: | CD38FBE76CEE0007C90D2BB979C95B87173DB955EBEB8F0C0B4B960C5D61B577 |
SHA-512: | 0AA4EB2B4A0F961611178C5182C04518D841C2F2A143943B06912391AB72EC5170CB801FF6A0ED2008C6440A5BEE6A73625F7D283F4E7B79EBC20EB6E4B491DE |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8754 |
Entropy (8bit): | 3.6960741853810872 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJdmUIeDUe6YJxhwd13gmf4kllprO89bqh+Df7vum:R6lXJMUII6Y/Wd13gmf4klPqEfD |
MD5: | 807E7E088A7157815F88C03475243DD7 |
SHA1: | 018F3ADEE84E4717581C97720EA31517198BA46E |
SHA-256: | D64B93936F731A70F3B2BAE1B81E32E8A3A912C553042090065DD79E2398ABF9 |
SHA-512: | C25CD2ABD521C56B1F771E0E2B59D16E7F64D6F658C7A13F973427BFBF78BCF1FDADDD5F176B0E07A19F18A18CD4AC3B12BB0EEF128CB22845F6F9E04B6E453E |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4734 |
Entropy (8bit): | 4.470022451515776 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zsqJg771I9B2WpW8VYuYm8M4JCqCIBGuF6fyq85mw9cWyptSTSid:uIjf4I7GX7VKJSfeypoOid |
MD5: | 3AB8E770D189CCF32218EAE1C8EDF229 |
SHA1: | 72E98B50E5007D6E9DE07A4549198B06A17E3163 |
SHA-256: | 62B9D42B8B5061D8CE4F9D0B3462A5FEE0D460B7AF9E5229E997048C202AE964 |
SHA-512: | 7E4892751450FA57BBFFD6108BA69F37E79D0B6CCA85E09F3D018ADD75E736CD5E3D24C5887C0EB19170F28DC34D7B2D81928F4A0BA005BBC63FF61E663B2797 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4734 |
Entropy (8bit): | 4.470607437696413 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zsqJg771I9B2WpW8VY2Ym8M4JCqCIBGuFUyq85mw9cK8ptSTS5d:uIjf4I7GX7VKJMnpoO5d |
MD5: | 18F3D167C53297E8E2098E6B188C04D3 |
SHA1: | 7D2D7F6915E1564AB9180F6D8679CA732D0A4F69 |
SHA-256: | 02F902F955DA1E0804448DA66F9DB7182CA8E356C945499A54EEF530A265F491 |
SHA-512: | E9D798FE36D2584D76286B8C69CDC45A9032E66489C00277C77892CC3AEFCF40CA2CC1CBF540152626D328AB60721668A0296D7CBBE20E692F49FFF6E60B42D1 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 54964 |
Entropy (8bit): | 1.670325692624638 |
Encrypted: | false |
SSDEEP: | 96:5F8+E3L8c2H1vJJ/1ouiFAlToi7MauKIDzkNh0X+wWBcLzpqdMrLJ9IuTPKWI3nw:EL3OMauKwPX+wbKA+6bhD |
MD5: | 6BD415429EA98168FD44C1395597D4D1 |
SHA1: | 8889BE012CFC8CAF16BE0D4A2EAD773298E42CCB |
SHA-256: | CE617F9F0DA38C5F787EB00BD53E23B7F27C6985F0F5908833DA16CA77F08645 |
SHA-512: | D41BC82A289AEBB37AD78BB26269D61E7FCD37CA235CB5239716683BBD36FBF09A3B81D444ACAAF8CBE2779E03F6C4C7513A2D08FB216821286E968159096B35 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8754 |
Entropy (8bit): | 3.6965785520083627 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJ6juMIY6Y8gEPgmf4krCYprl89b2bQgDf8wjm:R6lXJ8uMIY6YYPgmf4krS2bQcfz6 |
MD5: | 970E213525C53E86C047F161B6AB7831 |
SHA1: | A1B6D617F9C53C9E01ABEE9D9F076DDC62ACFFDF |
SHA-256: | 2ED0337339064CE87C11A23AF09BF1064F99A6AABCF5C645AD57405BDBC70D5D |
SHA-512: | 713EC38DDC47E87CD4570492D3E5E68E9F63BBF7D9D30E9E6C8703932E5CB65EE1F4A4602ABC18CE2EEC6B1652AEF365E197F5232D9CA48CDF8FCD2BA2482CC1 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4734 |
Entropy (8bit): | 4.471201142668408 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zsqJg771I9B2WpW8VYpYm8M4JCqCIBZF7oyq85mw96ptSTSYd:uIjf4I7GX7VpJ1odpoOYd |
MD5: | 96321C390683D2B0FEB1AC2E4C08FABF |
SHA1: | D42A3204BEEA1A3201E100884DC03117AC2C2F50 |
SHA-256: | 40EE6512BAB6627E0FA12B6ED35904E13E698C5854BC60D4FC06899B35C9179D |
SHA-512: | AD4828D8937BD8D2C7D1A31AD196246CE09B8ED950B450D218DB9AF286A89974A5C11E6DEA23FC6EA4959C240FCDE015BC412360FB3D72FC63923E93194063C0 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 55460 |
Entropy (8bit): | 1.6546439822119097 |
Encrypted: | false |
SSDEEP: | 96:5B8gE3U8c2H1vJJ/1ouii/Yoi7MUYxDHVzhcrwEKf1cj3aC3bKyiN9scrKWIabIl:whdOMrlhcrwnf1DdN9sfrEqX |
MD5: | 6CE9DCAB429A9B42FD9107347F92AF8B |
SHA1: | 489DCA4FFC37CA2CA556A018C3115DE1E4245CF1 |
SHA-256: | 973103FD74A72A5DAEB378ABA88965E7866A65D96F637725928EFBC989CDFC72 |
SHA-512: | 6B98784A6BAFC7A263C3ABC7F6AC88B02A36EE23082EDB6B509AA4EC59D516FB29EB7E31D15B04446A5090CF2F0363B6631AB1898C8F45BF18810A61A7F57E2C |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8938 |
Entropy (8bit): | 3.699285037276246 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJ12DIeg6Y8TlWSegmf4kllpru89bQMAfuQm:R6lXJ0DIB6YyWlgmf4klPQDfg |
MD5: | AC95CD35AC64E5355EE18BBEB874E34A |
SHA1: | 8DC46A9DFEA704E0DD1268D3E200A337C89BFAF6 |
SHA-256: | F155F4FE7BE2CD4F39DB6E5C038103154AFB969034608BE9CF8C66D701383F97 |
SHA-512: | 122924947B10685E8AD2323F6059BC4E84455BFB1E2A93178875E99FB35C09844C38732DC27730BE1B58A9F88EF3B433A72FE1C74F0451CC2F7555AB8D0FD1CA |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4734 |
Entropy (8bit): | 4.470000125591021 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zsqJg771I9B2WpW8VYIYm8M4JCqCIBGuFTyq85mw9c6ptSTSMd:uIjf4I7GX7VEJbypoOMd |
MD5: | 57D2176F7D36B1D1578019C1F84C521C |
SHA1: | 01148600358937A240B5EB82B2144568ACD76D5F |
SHA-256: | 07C7ED92131304C3A3A7E036753D6DEAC41C97C10F1175578F966AAFBBCF54B3 |
SHA-512: | 677F85FF6A1EDDFDEF98BDD031E1024AD3D4809868DB5E98F0574E70BB0B62DBCAFCFAEDAE7875F88E215D865858AC63DDF9A8AC97C3C203FBE23102B7C638A2 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1835008 |
Entropy (8bit): | 4.422400705061707 |
Encrypted: | false |
SSDEEP: | 6144:eSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNa0uhiTw:9vloTMW+EZMM6DFy003w |
MD5: | F1219AE826397C1041106F5CBE4CDEAF |
SHA1: | 6241EFAC3CA03AB8B7884AE51284FA3B7F0CB01D |
SHA-256: | 8ABC95345B1DA0E7E0D0E9FBBDF43440B93293F20C225FA2735CB78B01DDC09C |
SHA-512: | 0B4F82D6D0993E8FDB096A7B1B8AA1A5AC99970F9B340A3453DE4B70BB83FE2AAF51C76DEF77222282AC39874E3EB7521095787172799C934839F7A195B30DE6 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 6.298239096752118 |
TrID: |
|
File name: | db_Usr.dll |
File size: | 382'976 bytes |
MD5: | 286394d06972734946774c85742a094f |
SHA1: | 616415b3ec0c08511d232e56b51faf7a03c45183 |
SHA256: | 8501e14ee6ee142122746333b936c9ab0fc541328f37b5612b6804e6cdc2c2c6 |
SHA512: | 1e8e0c408d27721284160e716d8421e2f53ce4176c392ebf1797ce5f6465cfb0abe272e2671fc9809848842f8aac1c586ae5c9c960599215778b8edb3b4d0bcc |
SSDEEP: | 6144:yPfFKlojxM82ScMOM2gWfXyRtEmvLMOFIQV5ilTHoZTE4sUsdJn:yPYoORgLE7uIuIpoZgqs |
TLSH: | 62846C5ABB5404B5E4678078C9638A0BE3B2BC451361C7DF26E4479E2F37BE1693E720 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........p..F...F...F....y..W....y..H....y.......a..H....a..O....a..-....y..E...F........`..O....`..G....`..G...F.q.G....`..G...RichF.. |
Icon Hash: | 7ae282899bbab082 |
Entrypoint: | 0x18000bf30 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x180000000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL |
DLL Characteristics: | HIGH_ENTROPY_VA, NX_COMPAT, GUARD_CF |
Time Stamp: | 0x61F3FE2A [Fri Jan 28 14:31:06 2022 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 1f852021aa767827db12999991ad10a4 |
Signature Valid: | |
Signature Issuer: | |
Signature Validation Error: | |
Error Number: | |
Not Before, Not After | |
Subject Chain | |
Version: | |
Thumbprint MD5: | |
Thumbprint SHA-1: | |
Thumbprint SHA-256: | |
Serial: |
Instruction |
---|
ret |
mov dword ptr [esp+08h], ebx |
dec eax |
mov dword ptr [esp+10h], esi |
push edi |
dec eax |
sub esp, 20h |
dec ecx |
mov edi, eax |
mov ebx, edx |
dec eax |
mov esi, ecx |
cmp edx, 01h |
jne 00007FCA4CD6A9E7h |
call 00007FCA4CD6B0D8h |
dec esp |
mov eax, edi |
mov edx, ebx |
dec eax |
mov ecx, esi |
dec eax |
mov ebx, dword ptr [esp+30h] |
dec eax |
mov esi, dword ptr [esp+38h] |
dec eax |
add esp, 20h |
pop edi |
jmp 00007FCA4CD6A874h |
int3 |
int3 |
int3 |
dec eax |
sub esp, 28h |
dec ebp |
mov eax, dword ptr [ecx+38h] |
dec eax |
mov ecx, edx |
dec ecx |
mov edx, ecx |
call 00007FCA4CD6A9F2h |
mov eax, 00000001h |
dec eax |
add esp, 28h |
ret |
int3 |
int3 |
int3 |
inc eax |
push ebx |
inc ebp |
mov ebx, dword ptr [eax] |
dec eax |
mov ebx, edx |
inc ecx |
and ebx, FFFFFFF8h |
dec esp |
mov ecx, ecx |
inc ecx |
test byte ptr [eax], 00000004h |
dec esp |
mov edx, ecx |
je 00007FCA4CD6A9F5h |
inc ecx |
mov eax, dword ptr [eax+08h] |
dec ebp |
arpl word ptr [eax+04h], dx |
neg eax |
dec esp |
add edx, ecx |
dec eax |
arpl ax, cx |
dec esp |
and edx, ecx |
dec ecx |
arpl bx, ax |
dec edx |
mov edx, dword ptr [eax+edx] |
dec eax |
mov eax, dword ptr [ebx+10h] |
mov ecx, dword ptr [eax+08h] |
dec eax |
mov eax, dword ptr [ebx+08h] |
test byte ptr [ecx+eax+03h], 0000000Fh |
je 00007FCA4CD6A9EDh |
movzx eax, byte ptr [ecx+eax+03h] |
and eax, FFFFFFF0h |
dec esp |
add ecx, eax |
dec esp |
xor ecx, edx |
dec ecx |
mov ecx, ecx |
pop ebx |
jmp 00007FCA4CD69E0Ah |
int3 |
dec eax |
mov eax, esp |
dec eax |
mov dword ptr [eax+08h], ebx |
dec eax |
mov dword ptr [eax+10h], ebp |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x51ac0 | 0xa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x51b60 | 0x28 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x62000 | 0x1888 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x5b000 | 0x405c | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x5c400 | 0x3798 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x64000 | 0xd74 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x48ea4 | 0x70 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x48f18 | 0x28 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3d1d0 | 0x130 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3b000 | 0x3b0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x51a5c | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x3953c | 0x39600 | 9ec98ef972b39acc498404c0904e83a3 | False | 0.5384582652505446 | data | 6.39324545352626 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x3b000 | 0x17802 | 0x17a00 | a2892c398b2b47d3aab6892aca7f7f63 | False | 0.4185681216931217 | data | 4.90161140273218 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x53000 | 0x728c | 0x5600 | 75dc56ee3f5cb0c806fb561fbeef585b | False | 0.5056776889534884 | DOS executable (block device driver \322f\324\377\3772) | 6.094877040377164 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0x5b000 | 0x405c | 0x4200 | 8ae6220ea44f3848228f9b8061920ee3 | False | 0.47022964015151514 | PEX Binary Archive | 5.466077612144935 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.didat | 0x60000 | 0x10 | 0x200 | 982998454860f426a296c28db71401dd | False | 0.03515625 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
_RDATA | 0x61000 | 0x94 | 0x200 | 98ecda63236cd17614dc4e53eb62d728 | False | 0.21484375 | data | 1.455240117357614 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x62000 | 0x1888 | 0x1a00 | 3b5428e74aee5e63d23fdde8c6abe6e2 | False | 0.7270132211538461 | data | 7.26740595365208 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x64000 | 0xd74 | 0xe00 | 31cd9a799deb90fd71ebee13ce8933ee | False | 0.48074776785714285 | data | 5.500053908992591 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x620e8 | 0x1400 | data | | | 0.8263671875 |
RT_VERSION | 0x634e8 | 0x30c | data | English | United States | 0.44743589743589746 |
RT_MANIFEST | 0x637f4 | 0x91 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.8689655172413793 |
DLL | Import |
---|---|
KERNEL32.dll | GetModuleFileNameA, GetModuleHandleExA, LoadLibraryA, GetProcAddress, ReadFile, SetFilePointer, CreateFileW, MultiByteToWideChar, GetLastError, CloseHandle, GetFileSize, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, FreeLibrary, GetModuleHandleW, LoadLibraryExA, LocalFree, FormatMessageA, FindClose, FindFirstFileExW, FindNextFileW, SetFilePointerEx, AreFileApisANSI, SetLastError, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, TryEnterCriticalSection, DeleteCriticalSection, GetCurrentThreadId, InitializeCriticalSectionAndSpinCount, CreateEventW, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetTickCount, QueryPerformanceCounter, SetEvent, ResetEvent, WaitForSingleObjectEx, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, GetCurrentProcessId, InitializeSListHead, Sleep, SignalObjectAndWait, CreateThread, SetThreadPriority, GetThreadPriority, GetLogicalProcessorInformation, CreateTimerQueueTimer, ChangeTimerQueueTimer, DeleteTimerQueueTimer, GetNumaHighestNodeNumber, GetProcessAffinityMask, SetThreadAffinityMask, RegisterWaitForSingleObject, UnregisterWait, EncodePointer, GetCurrentThread, GetThreadTimes, FreeLibraryAndExitThread, GetModuleFileNameW, GetModuleHandleA, LoadLibraryExW, GetVersionExW, VirtualAlloc, VirtualFree, DuplicateHandle, ReleaseSemaphore, InterlockedPopEntrySList, InterlockedPushEntrySList, InterlockedFlushSList, QueryDepthSList, UnregisterWaitEx, CreateTimerQueue, LoadLibraryW, RtlUnwindEx, RtlPcToFileHeader, GetCPInfo, ExitProcess, GetModuleHandleExW, GetConsoleMode, GetStdHandle, GetFileType, HeapFree, HeapAlloc, GetStringTypeW, LCMapStringW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, FlushFileBuffers, WriteFile, GetConsoleCP, SetStdHandle, HeapSize, HeapReAlloc, WriteConsoleW |
Name | Ordinal | Address |
---|---|---|
GetAnalyzerInterfaceByType | 1 | 0x180008250 |
GetAnalyzerTypes | 2 | 0x1800084d0 |
GetConfiguratorInterfaceByType | 3 | 0x1800083d0 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 25, 2024 22:04:05.245631933 CEST | 49711 | 443 | 192.168.2.5 | 185.219.221.136 |
Apr 25, 2024 22:04:05.245670080 CEST | 443 | 49711 | 185.219.221.136 | 192.168.2.5 |
Apr 25, 2024 22:04:05.245733023 CEST | 49711 | 443 | 192.168.2.5 | 185.219.221.136 |
Apr 25, 2024 22:04:05.245754957 CEST | 49711 | 443 | 192.168.2.5 | 185.219.221.136 |
Apr 25, 2024 22:04:05.245759964 CEST | 443 | 49711 | 185.219.221.136 | 192.168.2.5 |
Apr 25, 2024 22:04:05.245795012 CEST | 49711 | 443 | 192.168.2.5 | 185.219.221.136 |
Apr 25, 2024 22:04:05.245799065 CEST | 443 | 49711 | 185.219.221.136 | 192.168.2.5 |
Apr 25, 2024 22:04:05.246021986 CEST | 443 | 49711 | 185.219.221.136 | 192.168.2.5 |
Apr 25, 2024 22:04:12.656924963 CEST | 49712 | 443 | 192.168.2.5 | 185.219.221.136 |
Apr 25, 2024 22:04:12.656969070 CEST | 443 | 49712 | 185.219.221.136 | 192.168.2.5 |
Apr 25, 2024 22:04:12.657032967 CEST | 49712 | 443 | 192.168.2.5 | 185.219.221.136 |
Apr 25, 2024 22:04:12.657078981 CEST | 49712 | 443 | 192.168.2.5 | 185.219.221.136 |
Apr 25, 2024 22:04:12.657084942 CEST | 443 | 49712 | 185.219.221.136 | 192.168.2.5 |
Apr 25, 2024 22:04:12.657121897 CEST | 49712 | 443 | 192.168.2.5 | 185.219.221.136 |
Apr 25, 2024 22:04:12.657126904 CEST | 443 | 49712 | 185.219.221.136 | 192.168.2.5 |
Apr 25, 2024 22:04:12.657298088 CEST | 443 | 49712 | 185.219.221.136 | 192.168.2.5 |
Target ID: | 0 |
Start time: | 22:04:00 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\loaddll64.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7d3740000 |
File size: | 165'888 bytes |
MD5 hash: | 763455F9DCB24DFEECC2B9D9F8D46D52 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 1 |
Start time: | 22:04:00 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6d64d0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 2 |
Start time: | 22:04:00 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7fdf20000 |
File size: | 289'792 bytes |
MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 22:04:00 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\rundll32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff61b9b0000 |
File size: | 71'680 bytes |
MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 4 |
Start time: | 22:04:00 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\rundll32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff61b9b0000 |
File size: | 71'680 bytes |
MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 8 |
Start time: | 22:04:00 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\WerFault.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff656d90000 |
File size: | 570'736 bytes |
MD5 hash: | FD27D9F6D02763BDE32511B5DF7FF7A0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 10 |
Start time: | 22:04:00 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\WerFault.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff656d90000 |
File size: | 570'736 bytes |
MD5 hash: | FD27D9F6D02763BDE32511B5DF7FF7A0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 12 |
Start time: | 22:04:03 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\rundll32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff61b9b0000 |
File size: | 71'680 bytes |
MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |
Target ID: | 13 |
Start time: | 22:04:06 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\rundll32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff61b9b0000 |
File size: | 71'680 bytes |
MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 15 |
Start time: | 22:04:07 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\WerFault.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff656d90000 |
File size: | 570'736 bytes |
MD5 hash: | FD27D9F6D02763BDE32511B5DF7FF7A0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 16 |
Start time: | 22:04:09 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\rundll32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff61b9b0000 |
File size: | 71'680 bytes |
MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 17 |
Start time: | 22:04:09 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\rundll32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff61b9b0000 |
File size: | 71'680 bytes |
MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |
Target ID: | 18 |
Start time: | 22:04:09 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\rundll32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff61b9b0000 |
File size: | 71'680 bytes |
MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 21 |
Start time: | 22:04:11 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\WerFault.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff656d90000 |
File size: | 570'736 bytes |
MD5 hash: | FD27D9F6D02763BDE32511B5DF7FF7A0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Function 000000018001E168 Relevance: 121.1, APIs: 51, Strings: 18, Instructions: 371 (library, loader, COMMON)
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000180002CA0 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 234 (library, loader, COMMON)
Function 00000001800013E0 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 470 (COMMON)
Function 0000000180031C88 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 165 (COMMON)
Function 000000018002E754 Relevance: 0.1, Instructions: 126 (COMMON)
Function 0000000180006740 Relevance: 0.1, Instructions: 51 (COMMON)
Function 0000000180034340 Relevance: 0.0, Instructions: 32 (COMMON)
Function 000000018000B090 Relevance: 0.0, Instructions: 5 (COMMON)
Function 000000018000ABA0 Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 169 (library, loader, COMMON)
Function 000000018001EF98 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 60 (library, loader, COMMON)
Function 0000000180009F80 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 196 (library, COMMON)
Function 000000018000B970 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 61 (library, loader, COMMON)
Function 0000000180012E44 Relevance: 21.2, APIs: 14, Instructions: 235 (registry, time, COMMON)
Function 0000000180018BFC Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 247 (COMMON)
Function 000000018001E7E4 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 66 (library, loader, COMMON)
Function 000000018000D464 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 63 (library, loader, COMMON)
Function 0000000180021750 Relevance: 15.1, APIs: 10, Instructions: 125 (thread, COMMON)
Function 000000018000C7C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63 (time, COMMON)
Function 0000000180005310 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 93 (COMMON)
Function 000000018002CD3C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 86 (library, loader, COMMON)
Function 000000018003694C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48 (file, COMMON)
Function 000000018002B244 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 321 (COMMON)
Function 0000000180003930 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 309 (COMMON)
Function 0000000180026880 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103 (thread, COMMON)
Function 0000000180016CAC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 68 (thread, COMMON)
Function 000000018002E078 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24 (library, loader, COMMON)
Function 0000000180007790 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 195 | Tags: COMMON
Function 000000018002B754 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 190 | Tags: COMMON
Function 0000000180016F60 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 157 | Tags: COMMON
Function 0000000180007210 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 150 | Tags: COMMON
Function 0000000180038D3C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120 | Tags: COMMON
Function 000000018001D2B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115 | Tags: COMMON
Function 000000018002BCC8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163 | Tags: COMMON
Function 000000018002D534 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 159 | Tags: COMMON
Function 0000000180037B80 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 133 | Tags: COMMON
Function 000000018002C110 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 117 | Tags: COMMON
Function 000000018002AA44 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 112 | Tags: COMMON
Function 0000000180037494 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 102 | Tags: COMMON
Function 0000000180033E08 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100 | Tags: file, COMMON
Function 0000000180013A04 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97 | Tags: COMMON
Function 0000000180026CA0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97 | Tags: COMMON
Function 0000000180023198 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66 | Tags: COMMON
Function 0000000180031600 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50 | Tags: COMMON
Function 000000018002F3F8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47 | Tags: COMMON
Function 0000000180029B1C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42 | Tags: COMMON
Function 00000001800343B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33 | Tags: COMMON
Function 000000018003159C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25 | Tags: COMMON
Function 0000000180031548 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21 | Tags: COMMON
Execution Graph
Execution Coverage: | 32.5% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 90.9% |
Total number of Nodes: | 11 |
Total number of Limit Nodes: | 1 |
Graph
Callgraph
Function 00000195B44600CE Relevance: 102.2, APIs: 8, Strings: 50, Instructions: 675 | Tags: network, library, COMMON
Control-flow Graph
Execution Graph
Execution Coverage: | 32.5% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 0% |
Total number of Nodes: | 11 |
Total number of Limit Nodes: | 1 |
Graph
Callgraph
Function 0000020C5A8700CE Relevance: 102.2, APIs: 8, Strings: 50, Instructions: 675 | Tags: network, library, COMMON
Control-flow Graph