Edit tour
Windows
Analysis Report
db_Usr.dll
Overview
General Information
| Sample name: | db_Usr.dll (renamed file extension from sql to dll) |
| Original sample name: | db_Usr.sql |
| Analysis ID: | 1431865 |
| MD5: | 286394d06972734946774c85742a094f |
| SHA1: | 616415b3ec0c08511d232e56b51faf7a03c45183 |
| SHA256: | 8501e14ee6ee142122746333b936c9ab0fc541328f37b5612b6804e6cdc2c2c6 |
| Infos: | |
 | |
Detection
| Score: | 48 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
System process connects to network (likely due to code injection or exploit)
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Classification
- System is w10x64
loaddll64.exe (PID: 7104 cmdline: loaddll64. exe "C:\Us ers\user\D esktop\db_ Usr.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52) 
conhost.exe (PID: 3160 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 3180 cmdline:
cmd.exe /C rundll32. exe "C:\Us ers\user\D esktop\db_ Usr.dll",# 1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) 
rundll32.exe (PID: 2956 cmdline: rundll32.e xe "C:\Use rs\user\De sktop\db_U sr.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633) 
WerFault.exe (PID: 3172 cmdline: C:\Windows \system32\ WerFault.e xe -u -p 2 956 -s 332 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0) - rundll32.exe (PID: 4068 cmdline:
rundll32.e xe C:\User s\user\Des ktop\db_Us r.dll,GetA nalyzerInt erfaceByTy pe MD5: EF3179D498793BF4234F708D3BE28633) - WerFault.exe (PID: 6148 cmdline:
C:\Windows \system32\ WerFault.e xe -u -p 4 068 -s 316 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0) - rundll32.exe (PID: 180 cmdline:
rundll32.e xe C:\User s\user\Des ktop\db_Us r.dll,GetA nalyzerTyp es MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 6180 cmdline:
rundll32.e xe C:\User s\user\Des ktop\db_Us r.dll,GetC onfigurato rInterface ByType MD5: EF3179D498793BF4234F708D3BE28633) - WerFault.exe (PID: 4372 cmdline:
C:\Windows \system32\ WerFault.e xe -u -p 6 180 -s 328 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0) - rundll32.exe (PID: 3496 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\db_U sr.dll",Ge tAnalyzerI nterfaceBy Type MD5: EF3179D498793BF4234F708D3BE28633) - WerFault.exe (PID: 6484 cmdline:
C:\Windows \system32\ WerFault.e xe -u -p 3 496 -s 328 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0) - rundll32.exe (PID: 4276 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\db_U sr.dll",Ge tAnalyzerT ypes MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 3608 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\db_U sr.dll",Ge tConfigura torInterfa ceByType MD5: EF3179D498793BF4234F708D3BE28633)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 3_2_0000000180031E94 | |
Networking |   |
|---|
| Source: | Network Connect: | Jump to behavior | ||
| Source: | ASN Name: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 12_2_00000195B44600CE | |
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Code function: | 3_2_00000001800013E0 | |
| Source: | Code function: | 3_2_0000000180015638 | |
| Source: | Code function: | 3_2_0000000180033718 | |
| Source: | Code function: | 3_2_0000000180006740 | |
| Source: | Code function: | 3_2_000000018002E754 | |
| Source: | Code function: | 3_2_0000000180034C48 | |
| Source: | Code function: | 3_2_0000000180031C88 | |
| Source: | Code function: | 3_2_0000000180006D10 | |
| Source: | Code function: | 3_2_0000000180031E94 | |
| Source: | Code function: | 12_2_00000195B44600CE | |
| Source: | Code function: | 12_2_00000195B44609A1 | |
| Source: | Code function: | 17_2_0000020C5A8700CE | |
| Source: | Code function: | 17_2_0000020C5A8709A1 | |
| Source: | Process created: | ||
| Source: | Binary or memory string: | ||
| Source: | Classification label: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 3_2_0000000180002CA0 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 3_2_000000018001E168 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Last function: | ||
| Source: | Code function: | 3_2_0000000180031E94 | |
| Source: | Code function: | 3_2_0000000180009D20 | |
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Code function: | 3_2_000000018002D210 | |
| Source: | Code function: | 3_2_0000000180002CA0 | |
| Source: | Code function: | 3_2_0000000180033330 | |
| Source: | Code function: | 3_2_000000018000C074 | |
| Source: | Code function: | 3_2_000000018002D210 | |
| Source: | Code function: | 3_2_000000018000C4F8 | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 3_2_0000000180034340 | |
| Source: | Code function: | 3_2_000000018000B090 | |
| Source: | Code function: | 3_2_00000001800124D8 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 3_2_0000000180021A04 | |
| Source: | Code function: | 3_2_0000000180022A60 | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 111 Process Injection | 21 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 12 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 111 Process Injection | LSASS Memory | 41 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Rundll32 | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 14 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 12% | ReversingLabs | Win64.Malware.Generic |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 185.219.221.136 | unknown | Sweden | 39378 | SERVINGADE | true |
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1431865 |
| Start date and time: | 2024-04-25 22:03:15 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 6m 2s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 25 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | db_Usr.dll (renamed file extension from sql to dll) |
| Original Sample Name: | db_Usr.sql |
| Detection: | MAL |
| Classification: | mal48.evad.winDLL@22/17@0/1 |
| EGA Information: |
|
| HCA Information: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 52.168.117.173, 20.42.73.29
- Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target rundll32.exe, PID 4068 because there are no executed function
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- VT rate limit hit for: db_Usr.dll
| Time | Type | Description |
|---|---|---|
| 22:04:09 | API Interceptor | |
| 22:04:33 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 185.219.221.136 | Get hash | malicious | Bazar Loader | Browse | ||
| Get hash | malicious | Unknown | Browse |
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| SERVINGADE | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
⊘No context
⊘No context
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_db__1b87ef64a16ad462376f2db4ab981261bef3b791_c73d58ab_b2f3ca5e-b9ba-4fcb-873e-24a2179dcc68\Report.wer
Download File
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.7550143332935241 |
| Encrypted: | false |
| SSDEEP: | 96:zdFgbfLmiAPyKytsjLR4RveCbfOQXIDcQfc6mcEwcw3eXaXz+HbHgSQgJjOh88WJ:hwmiAPytCG0RiKgj2uzuiFZZ24lO8uy |
| MD5: | 4EAFE77700D48887D73CAA8593D8AFD9 |
| SHA1: | 61D8BB1B0303B3A517809B5427B03E28B377309F |
| SHA-256: | 8F1D3485E210C554C546D2A0C84014911110388394089C7980608758B3C48FC0 |
| SHA-512: | A44B4A43111EA454C0B693562D904D3E6B769D6A7E8987C7913C898980C0FBB940B5E5B8892308CFFE6B863E31810440EC021830242E0C346536FACACDFC56FA |
| Malicious: | false |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_db__2f24483d5cae89ea74bb89d749f146a03c193cde_c73d58ab_2446f0af-ab7b-41de-b85f-917e3e32776e\Report.wer
Download File
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.7547443414102687 |
| Encrypted: | false |
| SSDEEP: | 96:HsFrLmi0yKy2sjLR4RveCbfQQXIDcQfc6mcE0cw3yXaXz+HbHgSQgJjOh88WpOye:Mlmi0y2CI0Riekj2uzuiFZZ24lO8uy |
| MD5: | 8F726D5F444DCE60C196429CC4C631F9 |
| SHA1: | 546EDEF46D21C3AFDFABC2F0006C0F4AC37BFFB6 |
| SHA-256: | 7BC5FF7BAECEB7A3BDFE9DA402FDA3EA6455E76D08F8601FCB07C98DFAB6AD3F |
| SHA-512: | 4B8398B76227325B617E68BA1D63F0C2FD575B01556352656802D53BF4D6843725E4A99C1FC2216200C41625F15734749A077D007EE1A7F08DBA8F97BE5ECD88 |
| Malicious: | false |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_db__2f24483d5cae89ea74bb89d749f146a03c193cde_c73d58ab_9f936d4a-ed4d-4bd6-86dd-a6521ac0b55c\Report.wer
Download File
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.7550021288003151 |
| Encrypted: | false |
| SSDEEP: | 96:F4rF0bLwLmihyKyxsjLR4RveCbfQQXIDcQfc6mcE0cw3yXaXz+HbHgSQgJjOh88g:0tmihyxCI0Riekj2uzuiFZZ24lO8uy |
| MD5: | CDE6EBF087558C1C139E4AF8060CDEC0 |
| SHA1: | A465E44817CB174F9AD2E24C5FC0DEE4241A953F |
| SHA-256: | DF5AA0BD894E3676D07D58E1A2DC4F4EC4609769260EADF8D680CF9579418020 |
| SHA-512: | 6CE671C5419E22DE848899D1E7FE8141CBCA4FCC11063A5DBDC39A0A0C3A5AEE45AE730ECB3C3806E9E6644F861754002864F30CD2533E3AAD8B297CDA0A92C8 |
| Malicious: | false |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_db__2f24483d5cae89ea74bb89d749f146a03c193cde_c73d58ab_f7d2f3ff-f520-43dc-8b1d-015fa9db15e6\Report.wer
Download File
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.7545985185272127 |
| Encrypted: | false |
| SSDEEP: | 96:/VFwGQLmiWyKyJsjLR4RveCbfQQXIDcQfc6mcE0cw3yXaXz+HbHgSQgJjOh88Wpo:dzEmiWyJCI0Riekj2uzuiFZZ24lO8uy |
| MD5: | D2D06F72AD84CAB9A241508C3963A808 |
| SHA1: | D6C2DBB0F439B5CCFAE199EBCE841AE5464B05A7 |
| SHA-256: | 601F6E8CC9DD274015FEA63E77A7E6AAF8825B7A92A9B45AE0D69D376224C007 |
| SHA-512: | 19EFDF880E270AF03CF848A789D0615A63B3AD9A8556016D47E5AAD2DE219003ACDF4901D218D6D8F40250523F9A44F60DFCF7A78CC9E8626A5C949FBF3185AA |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 56068 |
| Entropy (8bit): | 1.6484281004653722 |
| Encrypted: | false |
| SSDEEP: | 192:qy7M1OMsP/1GXlYlvyM5Gwyft+2r3lcJ13Y:EYdP/M2ByBlft+2rGJ1 |
| MD5: | 00F04C8B8290F071D1C2B34D9AB7C7A2 |
| SHA1: | EF8DD4EF3DACA6BDD75746EE5C226A4577566A14 |
| SHA-256: | E6395E02FABED4CD93DFDB1B1D6904BE98B405E44B4A293B4C46B97F6F113D8E |
| SHA-512: | 4DA363AEEBEB65AAD83B6B659987E399459BEBBC62E11DB7CC723A691473A314A2E11EF47E08DA67158AE7A67B0D74CF11FB4D9029703D2F9AEA025D1D7C2EDF |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 55040 |
| Entropy (8bit): | 1.6743453438052422 |
| Encrypted: | false |
| SSDEEP: | 96:578qE3n8c2H1vJJ/1ouihmaoi7MTJ0vhYVz6WGQi2YvL46wn86aWIwXIBbpyttDH:q7MOMTuvhG6WGQiRvpyv3j |
| MD5: | 95CB3B84B42D69496B66F8792A33A371 |
| SHA1: | 17DE3B60C3A4AF07DD06215D254F63DA632C5AF4 |
| SHA-256: | 709F79670FA0A3E893D6A8E18DC717D868BF0C8DE3F2E46431633843C626C5D1 |
| SHA-512: | 98B041D3C30A44ECA175164CE1E67900C307814110502AB70F4147E7C1F2E160279C3E47F15CF5B9C25DC2DCE8D65D5EE4B647BAB49C11DC1471C7E7C078A156 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8746 |
| Entropy (8bit): | 3.698132855710452 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJHXaIH6Y8g1Pgmf4kllprr89bqdDfyum:R6lXJ3aIH6YpPgmf4klkqpfy |
| MD5: | 8E23789B65366F9CDD2FB239E302EA47 |
| SHA1: | 311D366E48B21740721C5268F07154D0B0B9A515 |
| SHA-256: | CD38FBE76CEE0007C90D2BB979C95B87173DB955EBEB8F0C0B4B960C5D61B577 |
| SHA-512: | 0AA4EB2B4A0F961611178C5182C04518D841C2F2A143943B06912391AB72EC5170CB801FF6A0ED2008C6440A5BEE6A73625F7D283F4E7B79EBC20EB6E4B491DE |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8754 |
| Entropy (8bit): | 3.6960741853810872 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJdmUIeDUe6YJxhwd13gmf4kllprO89bqh+Df7vum:R6lXJMUII6Y/Wd13gmf4klPqEfD |
| MD5: | 807E7E088A7157815F88C03475243DD7 |
| SHA1: | 018F3ADEE84E4717581C97720EA31517198BA46E |
| SHA-256: | D64B93936F731A70F3B2BAE1B81E32E8A3A912C553042090065DD79E2398ABF9 |
| SHA-512: | C25CD2ABD521C56B1F771E0E2B59D16E7F64D6F658C7A13F973427BFBF78BCF1FDADDD5F176B0E07A19F18A18CD4AC3B12BB0EEF128CB22845F6F9E04B6E453E |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4734 |
| Entropy (8bit): | 4.470022451515776 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zsqJg771I9B2WpW8VYuYm8M4JCqCIBGuF6fyq85mw9cWyptSTSid:uIjf4I7GX7VKJSfeypoOid |
| MD5: | 3AB8E770D189CCF32218EAE1C8EDF229 |
| SHA1: | 72E98B50E5007D6E9DE07A4549198B06A17E3163 |
| SHA-256: | 62B9D42B8B5061D8CE4F9D0B3462A5FEE0D460B7AF9E5229E997048C202AE964 |
| SHA-512: | 7E4892751450FA57BBFFD6108BA69F37E79D0B6CCA85E09F3D018ADD75E736CD5E3D24C5887C0EB19170F28DC34D7B2D81928F4A0BA005BBC63FF61E663B2797 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4734 |
| Entropy (8bit): | 4.470607437696413 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zsqJg771I9B2WpW8VY2Ym8M4JCqCIBGuFUyq85mw9cK8ptSTS5d:uIjf4I7GX7VKJMnpoO5d |
| MD5: | 18F3D167C53297E8E2098E6B188C04D3 |
| SHA1: | 7D2D7F6915E1564AB9180F6D8679CA732D0A4F69 |
| SHA-256: | 02F902F955DA1E0804448DA66F9DB7182CA8E356C945499A54EEF530A265F491 |
| SHA-512: | E9D798FE36D2584D76286B8C69CDC45A9032E66489C00277C77892CC3AEFCF40CA2CC1CBF540152626D328AB60721668A0296D7CBBE20E692F49FFF6E60B42D1 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 54964 |
| Entropy (8bit): | 1.670325692624638 |
| Encrypted: | false |
| SSDEEP: | 96:5F8+E3L8c2H1vJJ/1ouiFAlToi7MauKIDzkNh0X+wWBcLzpqdMrLJ9IuTPKWI3nw:EL3OMauKwPX+wbKA+6bhD |
| MD5: | 6BD415429EA98168FD44C1395597D4D1 |
| SHA1: | 8889BE012CFC8CAF16BE0D4A2EAD773298E42CCB |
| SHA-256: | CE617F9F0DA38C5F787EB00BD53E23B7F27C6985F0F5908833DA16CA77F08645 |
| SHA-512: | D41BC82A289AEBB37AD78BB26269D61E7FCD37CA235CB5239716683BBD36FBF09A3B81D444ACAAF8CBE2779E03F6C4C7513A2D08FB216821286E968159096B35 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8754 |
| Entropy (8bit): | 3.6965785520083627 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJ6juMIY6Y8gEPgmf4krCYprl89b2bQgDf8wjm:R6lXJ8uMIY6YYPgmf4krS2bQcfz6 |
| MD5: | 970E213525C53E86C047F161B6AB7831 |
| SHA1: | A1B6D617F9C53C9E01ABEE9D9F076DDC62ACFFDF |
| SHA-256: | 2ED0337339064CE87C11A23AF09BF1064F99A6AABCF5C645AD57405BDBC70D5D |
| SHA-512: | 713EC38DDC47E87CD4570492D3E5E68E9F63BBF7D9D30E9E6C8703932E5CB65EE1F4A4602ABC18CE2EEC6B1652AEF365E197F5232D9CA48CDF8FCD2BA2482CC1 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4734 |
| Entropy (8bit): | 4.471201142668408 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zsqJg771I9B2WpW8VYpYm8M4JCqCIBZF7oyq85mw96ptSTSYd:uIjf4I7GX7VpJ1odpoOYd |
| MD5: | 96321C390683D2B0FEB1AC2E4C08FABF |
| SHA1: | D42A3204BEEA1A3201E100884DC03117AC2C2F50 |
| SHA-256: | 40EE6512BAB6627E0FA12B6ED35904E13E698C5854BC60D4FC06899B35C9179D |
| SHA-512: | AD4828D8937BD8D2C7D1A31AD196246CE09B8ED950B450D218DB9AF286A89974A5C11E6DEA23FC6EA4959C240FCDE015BC412360FB3D72FC63923E93194063C0 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 55460 |
| Entropy (8bit): | 1.6546439822119097 |
| Encrypted: | false |
| SSDEEP: | 96:5B8gE3U8c2H1vJJ/1ouii/Yoi7MUYxDHVzhcrwEKf1cj3aC3bKyiN9scrKWIabIl:whdOMrlhcrwnf1DdN9sfrEqX |
| MD5: | 6CE9DCAB429A9B42FD9107347F92AF8B |
| SHA1: | 489DCA4FFC37CA2CA556A018C3115DE1E4245CF1 |
| SHA-256: | 973103FD74A72A5DAEB378ABA88965E7866A65D96F637725928EFBC989CDFC72 |
| SHA-512: | 6B98784A6BAFC7A263C3ABC7F6AC88B02A36EE23082EDB6B509AA4EC59D516FB29EB7E31D15B04446A5090CF2F0363B6631AB1898C8F45BF18810A61A7F57E2C |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8938 |
| Entropy (8bit): | 3.699285037276246 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJ12DIeg6Y8TlWSegmf4kllpru89bQMAfuQm:R6lXJ0DIB6YyWlgmf4klPQDfg |
| MD5: | AC95CD35AC64E5355EE18BBEB874E34A |
| SHA1: | 8DC46A9DFEA704E0DD1268D3E200A337C89BFAF6 |
| SHA-256: | F155F4FE7BE2CD4F39DB6E5C038103154AFB969034608BE9CF8C66D701383F97 |
| SHA-512: | 122924947B10685E8AD2323F6059BC4E84455BFB1E2A93178875E99FB35C09844C38732DC27730BE1B58A9F88EF3B433A72FE1C74F0451CC2F7555AB8D0FD1CA |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4734 |
| Entropy (8bit): | 4.470000125591021 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zsqJg771I9B2WpW8VYIYm8M4JCqCIBGuFTyq85mw9c6ptSTSMd:uIjf4I7GX7VEJbypoOMd |
| MD5: | 57D2176F7D36B1D1578019C1F84C521C |
| SHA1: | 01148600358937A240B5EB82B2144568ACD76D5F |
| SHA-256: | 07C7ED92131304C3A3A7E036753D6DEAC41C97C10F1175578F966AAFBBCF54B3 |
| SHA-512: | 677F85FF6A1EDDFDEF98BDD031E1024AD3D4809868DB5E98F0574E70BB0B62DBCAFCFAEDAE7875F88E215D865858AC63DDF9A8AC97C3C203FBE23102B7C638A2 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1835008 |
| Entropy (8bit): | 4.422400705061707 |
| Encrypted: | false |
| SSDEEP: | 6144:eSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNa0uhiTw:9vloTMW+EZMM6DFy003w |
| MD5: | F1219AE826397C1041106F5CBE4CDEAF |
| SHA1: | 6241EFAC3CA03AB8B7884AE51284FA3B7F0CB01D |
| SHA-256: | 8ABC95345B1DA0E7E0D0E9FBBDF43440B93293F20C225FA2735CB78B01DDC09C |
| SHA-512: | 0B4F82D6D0993E8FDB096A7B1B8AA1A5AC99970F9B340A3453DE4B70BB83FE2AAF51C76DEF77222282AC39874E3EB7521095787172799C934839F7A195B30DE6 |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.298239096752118 |
| TrID: |
|
| File name: | db_Usr.dll |
| File size: | 382'976 bytes |
| MD5: | 286394d06972734946774c85742a094f |
| SHA1: | 616415b3ec0c08511d232e56b51faf7a03c45183 |
| SHA256: | 8501e14ee6ee142122746333b936c9ab0fc541328f37b5612b6804e6cdc2c2c6 |
| SHA512: | 1e8e0c408d27721284160e716d8421e2f53ce4176c392ebf1797ce5f6465cfb0abe272e2671fc9809848842f8aac1c586ae5c9c960599215778b8edb3b4d0bcc |
| SSDEEP: | 6144:yPfFKlojxM82ScMOM2gWfXyRtEmvLMOFIQV5ilTHoZTE4sUsdJn:yPYoORgLE7uIuIpoZgqs |
| TLSH: | 62846C5ABB5404B5E4678078C9638A0BE3B2BC451361C7DF26E4479E2F37BE1693E720 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........p..F...F...F....y..W....y..H....y.......a..H....a..O....a..-....y..E...F........`..O....`..G....`..G...F.q.G....`..G...RichF.. |
 | |
| Icon Hash: | 7ae282899bbab082 |
| Entrypoint: | 0x18000bf30 |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x180000000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL |
| DLL Characteristics: | HIGH_ENTROPY_VA, NX_COMPAT, GUARD_CF |
| Time Stamp: | 0x61F3FE2A [Fri Jan 28 14:31:06 2022 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 1f852021aa767827db12999991ad10a4 |
| Signature Valid: | |
| Signature Issuer: | |
| Signature Validation Error: | |
| Error Number: | |
| Not Before, Not After | |
| Subject Chain | |
| Version: | |
| Thumbprint MD5: | |
| Thumbprint SHA-1: | |
| Thumbprint SHA-256: | |
| Serial: |
| Instruction |
|---|
| ret |
| mov dword ptr [esp+08h], ebx |
| dec eax |
| mov dword ptr [esp+10h], esi |
| push edi |
| dec eax |
| sub esp, 20h |
| dec ecx |
| mov edi, eax |
| mov ebx, edx |
| dec eax |
| mov esi, ecx |
| cmp edx, 01h |
| jne 00007FCA4CD6A9E7h |
| call 00007FCA4CD6B0D8h |
| dec esp |
| mov eax, edi |
| mov edx, ebx |
| dec eax |
| mov ecx, esi |
| dec eax |
| mov ebx, dword ptr [esp+30h] |
| dec eax |
| mov esi, dword ptr [esp+38h] |
| dec eax |
| add esp, 20h |
| pop edi |
| jmp 00007FCA4CD6A874h |
| int3 |
| int3 |
| int3 |
| dec eax |
| sub esp, 28h |
| dec ebp |
| mov eax, dword ptr [ecx+38h] |
| dec eax |
| mov ecx, edx |
| dec ecx |
| mov edx, ecx |
| call 00007FCA4CD6A9F2h |
| mov eax, 00000001h |
| dec eax |
| add esp, 28h |
| ret |
| int3 |
| int3 |
| int3 |
| inc eax |
| push ebx |
| inc ebp |
| mov ebx, dword ptr [eax] |
| dec eax |
| mov ebx, edx |
| inc ecx |
| and ebx, FFFFFFF8h |
| dec esp |
| mov ecx, ecx |
| inc ecx |
| test byte ptr [eax], 00000004h |
| dec esp |
| mov edx, ecx |
| je 00007FCA4CD6A9F5h |
| inc ecx |
| mov eax, dword ptr [eax+08h] |
| dec ebp |
| arpl word ptr [eax+04h], dx |
| neg eax |
| dec esp |
| add edx, ecx |
| dec eax |
| arpl ax, cx |
| dec esp |
| and edx, ecx |
| dec ecx |
| arpl bx, ax |
| dec edx |
| mov edx, dword ptr [eax+edx] |
| dec eax |
| mov eax, dword ptr [ebx+10h] |
| mov ecx, dword ptr [eax+08h] |
| dec eax |
| mov eax, dword ptr [ebx+08h] |
| test byte ptr [ecx+eax+03h], 0000000Fh |
| je 00007FCA4CD6A9EDh |
| movzx eax, byte ptr [ecx+eax+03h] |
| and eax, FFFFFFF0h |
| dec esp |
| add ecx, eax |
| dec esp |
| xor ecx, edx |
| dec ecx |
| mov ecx, ecx |
| pop ebx |
| jmp 00007FCA4CD69E0Ah |
| int3 |
| dec eax |
| mov eax, esp |
| dec eax |
| mov dword ptr [eax+08h], ebx |
| dec eax |
| mov dword ptr [eax+10h], ebp |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x51ac0 | 0xa0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x51b60 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x62000 | 0x1888 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x5b000 | 0x405c | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x5c400 | 0x3798 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x64000 | 0xd74 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x48ea4 | 0x70 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x48f18 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3d1d0 | 0x130 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x3b000 | 0x3b0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x51a5c | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x3953c | 0x39600 | 9ec98ef972b39acc498404c0904e83a3 | False | 0.5384582652505446 | data | 6.39324545352626 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x3b000 | 0x17802 | 0x17a00 | a2892c398b2b47d3aab6892aca7f7f63 | False | 0.4185681216931217 | data | 4.90161140273218 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x53000 | 0x728c | 0x5600 | 75dc56ee3f5cb0c806fb561fbeef585b | False | 0.5056776889534884 | DOS executable (block device driver \322f\324\377\3772) | 6.094877040377164 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .pdata | 0x5b000 | 0x405c | 0x4200 | 8ae6220ea44f3848228f9b8061920ee3 | False | 0.47022964015151514 | PEX Binary Archive | 5.466077612144935 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .didat | 0x60000 | 0x10 | 0x200 | 982998454860f426a296c28db71401dd | False | 0.03515625 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| _RDATA | 0x61000 | 0x94 | 0x200 | 98ecda63236cd17614dc4e53eb62d728 | False | 0.21484375 | data | 1.455240117357614 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0x62000 | 0x1888 | 0x1a00 | 3b5428e74aee5e63d23fdde8c6abe6e2 | False | 0.7270132211538461 | data | 7.26740595365208 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x64000 | 0xd74 | 0xe00 | 31cd9a799deb90fd71ebee13ce8933ee | False | 0.48074776785714285 | data | 5.500053908992591 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x620e8 | 0x1400 | data | 0.8263671875 | ||
| RT_VERSION | 0x634e8 | 0x30c | data | English | United States | 0.44743589743589746 |
| RT_MANIFEST | 0x637f4 | 0x91 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.8689655172413793 |
| DLL | Import |
|---|---|
| KERNEL32.dll | GetModuleFileNameA, GetModuleHandleExA, LoadLibraryA, GetProcAddress, ReadFile, SetFilePointer, CreateFileW, MultiByteToWideChar, GetLastError, CloseHandle, GetFileSize, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, FreeLibrary, GetModuleHandleW, LoadLibraryExA, LocalFree, FormatMessageA, FindClose, FindFirstFileExW, FindNextFileW, SetFilePointerEx, AreFileApisANSI, SetLastError, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, TryEnterCriticalSection, DeleteCriticalSection, GetCurrentThreadId, InitializeCriticalSectionAndSpinCount, CreateEventW, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetTickCount, QueryPerformanceCounter, SetEvent, ResetEvent, WaitForSingleObjectEx, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, GetCurrentProcessId, InitializeSListHead, Sleep, SignalObjectAndWait, CreateThread, SetThreadPriority, GetThreadPriority, GetLogicalProcessorInformation, CreateTimerQueueTimer, ChangeTimerQueueTimer, DeleteTimerQueueTimer, GetNumaHighestNodeNumber, GetProcessAffinityMask, SetThreadAffinityMask, RegisterWaitForSingleObject, UnregisterWait, EncodePointer, GetCurrentThread, GetThreadTimes, FreeLibraryAndExitThread, GetModuleFileNameW, GetModuleHandleA, LoadLibraryExW, GetVersionExW, VirtualAlloc, VirtualFree, DuplicateHandle, ReleaseSemaphore, InterlockedPopEntrySList, InterlockedPushEntrySList, InterlockedFlushSList, QueryDepthSList, UnregisterWaitEx, CreateTimerQueue, LoadLibraryW, RtlUnwindEx, RtlPcToFileHeader, GetCPInfo, ExitProcess, GetModuleHandleExW, GetConsoleMode, GetStdHandle, GetFileType, HeapFree, HeapAlloc, GetStringTypeW, LCMapStringW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, FlushFileBuffers, WriteFile, GetConsoleCP, SetStdHandle, HeapSize, HeapReAlloc, WriteConsoleW |
| Name | Ordinal | Address |
|---|---|---|
| GetAnalyzerInterfaceByType | 1 | 0x180008250 |
| GetAnalyzerTypes | 2 | 0x1800084d0 |
| GetConfiguratorInterfaceByType | 3 | 0x1800083d0 |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Apr 25, 2024 22:04:05.245631933 CEST | 49711 | 443 | 192.168.2.5 | 185.219.221.136 |
| Apr 25, 2024 22:04:05.245670080 CEST | 443 | 49711 | 185.219.221.136 | 192.168.2.5 |
| Apr 25, 2024 22:04:05.245733023 CEST | 49711 | 443 | 192.168.2.5 | 185.219.221.136 |
| Apr 25, 2024 22:04:05.245754957 CEST | 49711 | 443 | 192.168.2.5 | 185.219.221.136 |
| Apr 25, 2024 22:04:05.245759964 CEST | 443 | 49711 | 185.219.221.136 | 192.168.2.5 |
| Apr 25, 2024 22:04:05.245795012 CEST | 49711 | 443 | 192.168.2.5 | 185.219.221.136 |
| Apr 25, 2024 22:04:05.245799065 CEST | 443 | 49711 | 185.219.221.136 | 192.168.2.5 |
| Apr 25, 2024 22:04:05.246021986 CEST | 443 | 49711 | 185.219.221.136 | 192.168.2.5 |
| Apr 25, 2024 22:04:12.656924963 CEST | 49712 | 443 | 192.168.2.5 | 185.219.221.136 |
| Apr 25, 2024 22:04:12.656969070 CEST | 443 | 49712 | 185.219.221.136 | 192.168.2.5 |
| Apr 25, 2024 22:04:12.657032967 CEST | 49712 | 443 | 192.168.2.5 | 185.219.221.136 |
| Apr 25, 2024 22:04:12.657078981 CEST | 49712 | 443 | 192.168.2.5 | 185.219.221.136 |
| Apr 25, 2024 22:04:12.657084942 CEST | 443 | 49712 | 185.219.221.136 | 192.168.2.5 |
| Apr 25, 2024 22:04:12.657121897 CEST | 49712 | 443 | 192.168.2.5 | 185.219.221.136 |
| Apr 25, 2024 22:04:12.657126904 CEST | 443 | 49712 | 185.219.221.136 | 192.168.2.5 |
| Apr 25, 2024 22:04:12.657298088 CEST | 443 | 49712 | 185.219.221.136 | 192.168.2.5 |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 22:04:00 |
| Start date: | 25/04/2024 |
| Path: | C:\Windows\System32\loaddll64.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7d3740000 |
| File size: | 165'888 bytes |
| MD5 hash: | 763455F9DCB24DFEECC2B9D9F8D46D52 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 22:04:00 |
| Start date: | 25/04/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6d64d0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 22:04:00 |
| Start date: | 25/04/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7fdf20000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 22:04:00 |
| Start date: | 25/04/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff61b9b0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 22:04:00 |
| Start date: | 25/04/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff61b9b0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 8 |
| Start time: | 22:04:00 |
| Start date: | 25/04/2024 |
| Path: | C:\Windows\System32\WerFault.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff656d90000 |
| File size: | 570'736 bytes |
| MD5 hash: | FD27D9F6D02763BDE32511B5DF7FF7A0 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 10 |
| Start time: | 22:04:00 |
| Start date: | 25/04/2024 |
| Path: | C:\Windows\System32\WerFault.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff656d90000 |
| File size: | 570'736 bytes |
| MD5 hash: | FD27D9F6D02763BDE32511B5DF7FF7A0 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 12 |
| Start time: | 22:04:03 |
| Start date: | 25/04/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff61b9b0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | false |
| Target ID: | 13 |
| Start time: | 22:04:06 |
| Start date: | 25/04/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff61b9b0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 15 |
| Start time: | 22:04:07 |
| Start date: | 25/04/2024 |
| Path: | C:\Windows\System32\WerFault.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff656d90000 |
| File size: | 570'736 bytes |
| MD5 hash: | FD27D9F6D02763BDE32511B5DF7FF7A0 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 16 |
| Start time: | 22:04:09 |
| Start date: | 25/04/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff61b9b0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 17 |
| Start time: | 22:04:09 |
| Start date: | 25/04/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff61b9b0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | false |
| Target ID: | 18 |
| Start time: | 22:04:09 |
| Start date: | 25/04/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff61b9b0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 21 |
| Start time: | 22:04:11 |
| Start date: | 25/04/2024 |
| Path: | C:\Windows\System32\WerFault.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff656d90000 |
| File size: | 570'736 bytes |
| MD5 hash: | FD27D9F6D02763BDE32511B5DF7FF7A0 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
Function 000000018001E168 Relevance: 121.1, APIs: 51, Strings: 18, Instructions: 371libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000180002CA0 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 234libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00000001800013E0 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 470COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000180031C88 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 165COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000018002E754 Relevance: .1, Instructions: 126COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000180006740 Relevance: .1, Instructions: 51COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000180034340 Relevance: .0, Instructions: 32COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000018000B090 Relevance: .0, Instructions: 5COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000018000ABA0 Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 169libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000018001EF98 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 60libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000180009F80 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 196libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000018000B970 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 61libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000180012E44 Relevance: 21.2, APIs: 14, Instructions: 235registrytimeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000180018BFC Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 247COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000018001E7E4 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 66libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000018000D464 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 63libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000180021750 Relevance: 15.1, APIs: 10, Instructions: 125threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000018000C7C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000180005310 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 93COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000018002CD3C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 86libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000018003694C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000018002B244 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 321COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000180003930 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 309COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000180026880 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000180016CAC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 68threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000018002E078 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000180007790 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 195COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000018002B754 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 190COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000180016F60 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 157COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000180007210 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 150COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000180038D3C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000018001D2B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000018002BCC8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000018002D534 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 159COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000180037B80 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 133COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000018002C110 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 117COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000018002AA44 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 112COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000180037494 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 102COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000180033E08 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000180013A04 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000180026CA0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000180023198 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000180031600 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000018002F3F8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000180029B1C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00000001800343B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000018003159C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000180031548 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Execution Graph
| Execution Coverage: | 32.5% |
| Dynamic/Decrypted Code Coverage: | 100% |
| Signature Coverage: | 90.9% |
| Total number of Nodes: | 11 |
| Total number of Limit Nodes: | 1 |
Graph
Callgraph
Function 00000195B44600CE Relevance: 102.2, APIs: 8, Strings: 50, Instructions: 675networklibraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Execution Graph
| Execution Coverage: | 32.5% |
| Dynamic/Decrypted Code Coverage: | 100% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 11 |
| Total number of Limit Nodes: | 1 |
Graph
Callgraph
Function 0000020C5A8700CE Relevance: 102.2, APIs: 8, Strings: 50, Instructions: 675networklibraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |