Play interactive tour
Edit tourWindows Analysis Report DC2zX44MQr
Overview
General Information
| Sample Name: | DC2zX44MQr (renamed file extension from none to dll) |
| Analysis ID: | 492503 |
| MD5: | 94f8317b419e9476120b14a29d9b05d2 |
| SHA1: | f2b03dd4441f3808468bdbb8b26273cfb41b5298 |
| SHA256: | 2f10b593a5e04506d8050ebe39e28619199958a4f4bae0b9f3a1ee2af3d74862 |
| Tags: | Dridexexe |
| Infos: | |
Most interesting Screenshot:  | |
Detection
Dridex
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Uses Atom Bombing / ProGate to inject into other processes
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Uses the system / local time for branch decision (may execute only at specific dates)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Binary contains a suspicious time stamp
Potential key logger detected (key state polling based)
PE file contains more sections than normal
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Classification
Process Tree |
|---|
|
Malware Configuration |
|---|
| No configs have been found |
|---|
Yara Overview |
|---|
Memory Dumps |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security | ||
| JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security | ||
| JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security | ||
| JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security | ||
| JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security | ||
| Click to see the 7 entries | ||||
Sigma Overview |
|---|
| No Sigma rule has matched |
|---|
Jbx Signature Overview |
|---|
Click to jump to signature section
Show All Signature Results
AV Detection: |   |
|---|
| Multi AV Scanner detection for submitted file | Show sources | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Antivirus / Scanner detection for submitted sample | Show sources | ||
| Source: | Avira: | ||
| Antivirus detection for dropped file | Show sources | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Machine Learning detection for sample | Show sources | ||
| Source: | Joe Sandbox ML: | ||
| Machine Learning detection for dropped file | Show sources | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Code function: | 40_2_00007FF7A414F52C | |
| Source: | Code function: | 40_2_00007FF7A414F8FC | |
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_000000014005D290 | |
| Source: | Code function: | 38_2_00007FF776FABE54 | |
| Source: | Code function: | 38_2_00007FF776FB1BA0 | |
| Source: | String found in binary or memory: | ||
| Source: | Code function: | 28_2_00007FF7198411A0 | |
| Source: | Code function: | 33_2_00007FF792C3956C | |
E-Banking Fraud: | |
|---|
| Yara detected Dridex unpacked file | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Code function: | 0_2_0000000140034870 | |
| Source: | Code function: | 0_2_0000000140035270 | |
| Source: | Code function: | 0_2_0000000140048AC0 | |
| Source: | Code function: | 0_2_000000014005C340 | |
| Source: | Code function: | 0_2_0000000140065B80 | |
| Source: | Code function: | 0_2_000000014006A4B0 | |
| Source: | Code function: | 0_2_00000001400524B0 | |
| Source: | Code function: | 0_2_0000000140026CC0 | |
| Source: | Code function: | 0_2_000000014004BD40 | |
| Source: | Code function: | 0_2_00000001400495B0 | |
| Source: | Code function: | 0_2_0000000140036F30 | |
| Source: | Code function: | 0_2_0000000140069010 | |
| Source: | Code function: | 0_2_0000000140001010 | |
| Source: | Code function: | 0_2_0000000140066020 | |
| Source: | Code function: | 0_2_000000014002F840 | |
| Source: | Code function: | 0_2_000000014005D850 | |
| Source: | Code function: | 0_2_0000000140064080 | |
| Source: | Code function: | 0_2_0000000140010880 | |
| Source: | Code function: | 0_2_00000001400688A0 | |
| Source: | Code function: | 0_2_000000014002D0D0 | |
| Source: | Code function: | 0_2_00000001400018D0 | |
| Source: | Code function: | 0_2_0000000140016100 | |
| Source: | Code function: | 0_2_000000014001D100 | |
| Source: | Code function: | 0_2_000000014002A110 | |
| Source: | Code function: | 0_2_000000014001D910 | |
| Source: | Code function: | 0_2_0000000140015120 | |
| Source: | Code function: | 0_2_000000014000B120 | |
| Source: | Code function: | 0_2_000000014004F940 | |
| Source: | Code function: | 0_2_0000000140039140 | |
| Source: | Code function: | 0_2_0000000140023140 | |
| Source: | Code function: | 0_2_0000000140057950 | |
| Source: | Code function: | 0_2_000000014001E170 | |
| Source: | Code function: | 0_2_0000000140002980 | |
| Source: | Code function: | 0_2_00000001400611A0 | |
| Source: | Code function: | 0_2_00000001400389A0 | |
| Source: | Code function: | 0_2_00000001400381A0 | |
| Source: | Code function: | 0_2_000000014002E1B0 | |
| Source: | Code function: | 0_2_00000001400139D0 | |
| Source: | Code function: | 0_2_00000001400319F0 | |
| Source: | Code function: | 0_2_000000014002EA00 | |
| Source: | Code function: | 0_2_0000000140022A00 | |
| Source: | Code function: | 0_2_000000014003B220 | |
| Source: | Code function: | 0_2_0000000140067A40 | |
| Source: | Code function: | 0_2_0000000140069A50 | |
| Source: | Code function: | 0_2_0000000140007A60 | |
| Source: | Code function: | 0_2_000000014003AAC0 | |
| Source: | Code function: | 0_2_000000014003A2E0 | |
| Source: | Code function: | 0_2_0000000140062B00 | |
| Source: | Code function: | 0_2_0000000140018300 | |
| Source: | Code function: | 0_2_000000014002FB20 | |
| Source: | Code function: | 0_2_0000000140031340 | |
| Source: | Code function: | 0_2_0000000140022340 | |
| Source: | Code function: | 0_2_0000000140017B40 | |
| Source: | Code function: | 0_2_000000014000BB40 | |
| Source: | Code function: | 0_2_000000014004EB60 | |
| Source: | Code function: | 0_2_0000000140005370 | |
| Source: | Code function: | 0_2_000000014002CB80 | |
| Source: | Code function: | 0_2_000000014006B390 | |
| Source: | Code function: | 0_2_0000000140054BA0 | |
| Source: | Code function: | 0_2_0000000140033BB0 | |
| Source: | Code function: | 0_2_00000001400263C0 | |
| Source: | Code function: | 0_2_00000001400123C0 | |
| Source: | Code function: | 0_2_0000000140063BD0 | |
| Source: | Code function: | 0_2_00000001400663F0 | |
| Source: | Code function: | 0_2_0000000140023BF0 | |
| Source: | Code function: | 0_2_000000014006B41B | |
| Source: | Code function: | 0_2_000000014006B424 | |
| Source: | Code function: | 0_2_000000014006B42D | |
| Source: | Code function: | 0_2_000000014006B436 | |
| Source: | Code function: | 0_2_000000014006B43D | |
| Source: | Code function: | 0_2_0000000140024440 | |
| Source: | Code function: | 0_2_0000000140005C40 | |
| Source: | Code function: | 0_2_000000014006B446 | |
| Source: | Code function: | 0_2_000000014005F490 | |
| Source: | Code function: | 0_2_0000000140022D00 | |
| Source: | Code function: | 0_2_0000000140035520 | |
| Source: | Code function: | 0_2_0000000140019D20 | |
| Source: | Code function: | 0_2_0000000140030530 | |
| Source: | Code function: | 0_2_0000000140023530 | |
| Source: | Code function: | 0_2_0000000140031540 | |
| Source: | Code function: | 0_2_0000000140033540 | |
| Source: | Code function: | 0_2_000000014007BD50 | |
| Source: | Code function: | 0_2_0000000140078570 | |
| Source: | Code function: | 0_2_0000000140019580 | |
| Source: | Code function: | 0_2_00000001400205A0 | |
| Source: | Code function: | 0_2_0000000140025DB0 | |
| Source: | Code function: | 0_2_0000000140071DC0 | |
| Source: | Code function: | 0_2_000000014000C5C0 | |
| Source: | Code function: | 0_2_000000014002DDE0 | |
| Source: | Code function: | 0_2_0000000140031DF0 | |
| Source: | Code function: | 0_2_000000014000DDF0 | |
| Source: | Code function: | 0_2_0000000140001620 | |
| Source: | Code function: | 0_2_0000000140018630 | |
| Source: | Code function: | 0_2_0000000140032650 | |
| Source: | Code function: | 0_2_0000000140064E80 | |
| Source: | Code function: | 0_2_0000000140016E80 | |
| Source: | Code function: | 0_2_0000000140007EA0 | |
| Source: | Code function: | 0_2_00000001400286B0 | |
| Source: | Code function: | 0_2_0000000140006EB0 | |
| Source: | Code function: | 0_2_00000001400276C0 | |
| Source: | Code function: | 0_2_000000014002FEC0 | |
| Source: | Code function: | 0_2_000000014002EED0 | |
| Source: | Code function: | 0_2_000000014002B6E0 | |
| Source: | Code function: | 0_2_0000000140053F20 | |
| Source: | Code function: | 0_2_0000000140022730 | |
| Source: | Code function: | 0_2_0000000140029780 | |
| Source: | Code function: | 0_2_0000000140018F80 | |
| Source: | Code function: | 0_2_000000014003EFB0 | |
| Source: | Code function: | 0_2_00000001400067B0 | |
| Source: | Code function: | 0_2_00000001400667D0 | |
| Source: | Code function: | 0_2_0000000140060FE0 | |
| Source: | Code function: | 25_2_00007FF644D52BA0 | |
| Source: | Code function: | 25_2_00007FF644D522B0 | |
| Source: | Code function: | 28_2_00007FF719844AA4 | |
| Source: | Code function: | 28_2_00007FF7198416F8 | |
| Source: | Code function: | 28_2_00007FF71984B230 | |
| Source: | Code function: | 28_2_00007FF719849A10 | |
| Source: | Code function: | 28_2_00007FF7198418D0 | |
| Source: | Code function: | 33_2_00007FF792C32FD0 | |
| Source: | Code function: | 33_2_00007FF792C37F6C | |
| Source: | Code function: | 33_2_00007FF792C36890 | |
| Source: | Code function: | 33_2_00007FF792C34830 | |
| Source: | Code function: | 35_2_00007FF6CB0231D0 | |
| Source: | Code function: | 38_2_00007FF776FB2438 | |
| Source: | Code function: | 38_2_00007FF776FA6848 | |
| Source: | Code function: | 38_2_00007FF776FB0A58 | |
| Source: | Code function: | 38_2_00007FF776FA7EFC | |
| Source: | Code function: | 38_2_00007FF776FA2F54 | |
| Source: | Code function: | 38_2_00007FF776FAE368 | |
| Source: | Code function: | 38_2_00007FF776FACFF0 | |
| Source: | Code function: | 40_2_00007FF7A40E39A0 | |
| Source: | Code function: | 40_2_00007FF7A40E8DF0 | |
| Source: | Code function: | 40_2_00007FF7A40E35EC | |
| Source: | Code function: | 40_2_00007FF7A40ECE08 | |
| Source: | Code function: | 40_2_00007FF7A4161690 | |
| Source: | Code function: | 40_2_00007FF7A40DDA8C | |
| Source: | Code function: | 40_2_00007FF7A40EEAB4 | |
| Source: | Code function: | 40_2_00007FF7A40D4EC4 | |
| Source: | Code function: | 40_2_00007FF7A40F12E0 | |
| Source: | Code function: | 40_2_00007FF7A4114320 | |
| Source: | Code function: | 40_2_00007FF7A40D6B94 | |
| Source: | Code function: | 40_2_00007FF7A40E77C0 | |
| Source: | Code function: | 40_2_00007FF7A40D5410 | |
| Source: | Code function: | 40_2_00007FF7A40E8060 | |
| Source: | Code function: | 40_2_00007FF7A40EA858 | |
| Source: | Code function: | 40_2_00007FF7A40E84C0 | |
| Source: | Code function: | 40_2_00007FF7A40E64DC | |
| Source: | Code function: | 0_2_0000000140046C90 | |
| Source: | Code function: | 0_2_000000014006A4B0 | |
| Source: | Code function: | 28_2_00007FF71984A2C8 | |
| Source: | Code function: | 28_2_00007FF719849640 | |
| Source: | Code function: | 33_2_00007FF792C338C0 | |
| Source: | Code function: | 33_2_00007FF792C3C164 | |
| Source: | Code function: | 38_2_00007FF776FB2438 | |
| Source: | Code function: | 38_2_00007FF776FA82EC | |
| Source: | Code function: | 38_2_00007FF776FB1F54 | |
| Source: | Code function: | 38_2_00007FF776FAE368 | |
| Source: | Code function: | 38_2_00007FF776FA8404 | |
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Classification label: | ||
| Source: | Code function: | 19_2_00007FF686901A1C | |
| Source: | Code function: | 38_2_00007FF776FADE98 | |
| Source: | Code function: | 25_2_00007FF644D541EC | |
| Source: | Code function: | 38_2_00007FF776FA1A70 | |
| Source: | Process created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Code function: | 28_2_00007FF719846A78 | |
| Source: | Static PE information: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_0000000140056A4E | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 40_2_00007FF7A40EBEA0 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | Code function: | 40_2_00007FF7A415C560 | |
| Source: | Code function: | 40_2_00007FF7A40DF5A4 | |
| Source: | Code function: | 40_2_00007FF7A40E39A0 | |
| Source: | Code function: | 40_2_00007FF7A40DCE48 | |
| Source: | Code function: | 40_2_00007FF7A40D9A6C | |
| Source: | Code function: | 40_2_00007FF7A40DCF28 | |
| Source: | Code function: | 40_2_00007FF7A40E1B44 | |
| Source: | Code function: | 40_2_00007FF7A40E2F5C | |
| Source: | Code function: | 40_2_00007FF7A40E2884 | |
| Source: | Code function: | 40_2_00007FF7A40E04F8 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Code function: | 38_2_00007FF776FA7BC4 | |
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_000000014005C340 | |
| Source: | Code function: | 0_2_000000014005D290 | |
| Source: | Code function: | 38_2_00007FF776FABE54 | |
| Source: | Code function: | 38_2_00007FF776FB1BA0 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 35_2_00007FF6CB022110 | |
| Source: | Code function: | 40_2_00007FF7A40EBEA0 | |
| Source: | Code function: | 25_2_00007FF644D51124 | |
| Source: | Code function: | 0_2_0000000140048AC0 | |
| Source: | Code function: | 19_2_00007FF686902780 | |
| Source: | Code function: | 19_2_00007FF686902AB4 | |
| Source: | Code function: | 25_2_00007FF644D57330 | |
| Source: | Code function: | 25_2_00007FF644D575B4 | |
| Source: | Code function: | 28_2_00007FF71984CD10 | |
| Source: | Code function: | 28_2_00007FF71984CF30 | |
| Source: | Code function: | 33_2_00007FF792C3C98C | |
| Source: | Code function: | 33_2_00007FF792C3C710 | |
| Source: | Code function: | 35_2_00007FF6CB026340 | |
| Source: | Code function: | 35_2_00007FF6CB026630 | |
| Source: | Code function: | 38_2_00007FF776FB2B00 | |
| Source: | Code function: | 38_2_00007FF776FB3140 | |
| Source: | Code function: | 40_2_00007FF7A41F2264 | |
HIPS / PFW / Operating System Protection Evasion: | |
|---|
| Benign windows process drops PE files | Show sources | ||
| Source: | File created: | Jump to dropped file | ||
| Changes memory attributes in foreign processes to executable or writable | Show sources | ||
| Source: | Memory protected: | Jump to behavior | ||
| Source: | Memory protected: | Jump to behavior | ||
| Source: | Memory protected: | Jump to behavior | ||
| Queues an APC in another process (thread injection) | Show sources | ||
| Source: | Thread APC queued: | Jump to behavior | ||
| Uses Atom Bombing / ProGate to inject into other processes | Show sources | ||
| Source: | Atom created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 38_2_00007FF776FAAE50 | |
| Source: | Code function: | 28_2_00007FF7198450A4 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | |||
| Source: | Queries volume information: | |||
| Source: | Queries volume information: | |||
| Source: | Queries volume information: | |||
| Source: | Queries volume information: | |||
| Source: | Queries volume information: | |||
| Source: | Code function: | 28_2_00007FF7198498E8 | |
| Source: | Code function: | 33_2_00007FF792C32EA8 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Code function: | 19_2_00007FF686902910 | |
| Source: | Code function: | 40_2_00007FF7A41EF5EC | |
| Source: | Code function: | 25_2_00007FF644D54A50 | |
| Source: | Code function: | 19_2_00007FF6869021B8 | |
| Source: | Code function: | 19_2_00007FF6869022F0 | |
| Source: | Code function: | 25_2_00007FF644D56AB4 | |
| Source: | Code function: | 28_2_00007FF71984B230 | |
| Source: | Code function: | 28_2_00007FF71984A8A0 | |
| Source: | Code function: | 28_2_00007FF71984C7B0 | |
| Source: | Code function: | 33_2_00007FF792C35B60 | |
| Source: | Code function: | 33_2_00007FF792C34830 | |
| Source: | Code function: | 33_2_00007FF792C33EA4 | |
Mitre Att&ck Matrix |
|---|
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Native API1 | Windows Service1 | Windows Service1 | Masquerading1 | Input Capture1 | System Time Discovery11 | Remote Services | Input Capture1 | Exfiltration Over Other Network Medium | Encrypted Channel2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Exploitation for Client Execution1 | Boot or Logon Initialization Scripts | Process Injection312 | Virtualization/Sandbox Evasion1 | LSASS Memory | Security Software Discovery21 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection312 | Security Account Manager | Virtualization/Sandbox Evasion1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information2 | NTDS | Process Discovery3 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Rundll321 | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing2 | Cached Domain Credentials | Account Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Timestomp1 | DCSync | System Owner/User Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | File and Directory Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
| Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Information Discovery35 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
Behavior Graph |
|---|
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetScreenshots |
|---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
|---|
Initial Sample |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 68% | Virustotal | Browse | ||
| 80% | ReversingLabs | Win64.Infostealer.Dridex | ||
| 100% | Avira | HEUR/AGEN.1114452 | ||
| 100% | Joe Sandbox ML |
Dropped Files |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira | TR/Crypt.ZPACK.Gen | ||
| 100% | Avira | HEUR/AGEN.1114452 | ||
| 100% | Avira | HEUR/AGEN.1114452 | ||
| 100% | Avira | TR/Crypt.ZPACK.Gen | ||
| 100% | Avira | HEUR/AGEN.1114452 | ||
| 100% | Avira | HEUR/AGEN.1114452 | ||
| 100% | Avira | TR/Crypt.ZPACK.Gen | ||
| 100% | Avira | HEUR/AGEN.1114452 | ||
| 100% | Avira | TR/Crypt.ZPACK.Gen | ||
| 100% | Avira | TR/Crypt.ZPACK.Gen | ||
| 100% | Joe Sandbox ML | |||
| 100% | Joe Sandbox ML | |||
| 100% | Joe Sandbox ML | |||
| 100% | Joe Sandbox ML | |||
| 100% | Joe Sandbox ML | |||
| 100% | Joe Sandbox ML | |||
| 100% | Joe Sandbox ML | |||
| 100% | Joe Sandbox ML | |||
| 100% | Joe Sandbox ML | |||
| 100% | Joe Sandbox ML | |||
| 0% | Virustotal | Browse | ||
| 0% | Metadefender | Browse | ||
| 0% | ReversingLabs | |||
| 0% | Metadefender | Browse | ||
| 0% | ReversingLabs | |||
| 0% | Metadefender | Browse | ||
| 0% | ReversingLabs | |||
| 0% | Metadefender | Browse | ||
| 0% | ReversingLabs |
Unpacked PE Files |
|---|
| Source | Detection | Scanner | Label | Link | Download |
|---|---|---|---|---|---|
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File |
Domains |
|---|
| No Antivirus matches |
|---|
URLs |
|---|
| No Antivirus matches |
|---|
Domains and IPs |
|---|
Contacted Domains |
|---|
| No contacted domains info |
|---|
URLs from Memory and Binaries |
|---|
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high |
Contacted IPs |
|---|
| No contacted IP infos |
|---|
General Information |
|---|
| Joe Sandbox Version: | 33.0.0 White Diamond |
| Analysis ID: | 492503 |
| Start date: | 28.09.2021 |
| Start time: | 19:13:08 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 14m 18s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Sample file name: | DC2zX44MQr (renamed file extension from none to dll) |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 41 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Detection: | MAL |
| Classification: | mal100.troj.evad.winDLL@45/21@0/0 |
| EGA Information: | Failed |
| HDC Information: |
|
| HCA Information: | Failed |
| Cookbook Comments: |
|
| Warnings: | Show All
|
Simulations |
|---|
Behavior and APIs |
|---|
| No simulations |
|---|
Joe Sandbox View / Context |
|---|
Created / dropped Files |
|---|
| Process: | C:\Windows\explorer.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1523712 |
| Entropy (8bit): | 5.861496486431302 |
| Encrypted: | false |
| SSDEEP: | 12288:ZVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1sr:YfP7fWsK5z9A+WGAW+V5SB6Ct4bnb |
| MD5: | C63D9096C976C275357356F7A08F8CDE |
| SHA1: | 1C35F2161C931B04E8A41D42C9CD1CA76D8FE41E |
| SHA-256: | AF746CDAE49B2A4E18F9BCC2517DA92AD8FEED1FE1F4D96EE15B1D6E003C8852 |
| SHA-512: | 84944B6F7E59E957437EC02B3E555AC0833163DC1F19EBC0DE518AF89245310E49EF4C87396641C0B41A73E1DF352D4BA8831EDE20AD424365F4AAFC4D8C1346 |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
|
| Process: | C:\Windows\explorer.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 32256 |
| Entropy (8bit): | 5.250876383836324 |
| Encrypted: | false |
| SSDEEP: | 768:ghunFhykO4aAvnsvpzte5+Ql0/iqmjjn:58kO4asshu+Q+/Ojjn |
| MD5: | 1643D5735213BC89C0012F0E48253765 |
| SHA1: | D076D701929F1F269D34C8FD7BD1BAB4DAF42A9D |
| SHA-256: | 4176FA24D56BB870316D07BD7211BC8A797394F77DCC12B35FFEBAA0326525D2 |
| SHA-512: | F0BD45FE66EDC6F615C0125C1AE81E657CA26544544769651AB0623DD3C724F96D9D78835EF6B1D15083D1BB9D501F6DC48487DDA5C361CAFA96022D5F33A43F |
| Malicious: | false |
| Antivirus: | |
| Preview: |
|
| Process: | C:\Windows\explorer.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1523712 |
| Entropy (8bit): | 5.861475842348347 |
| Encrypted: | false |
| SSDEEP: | 12288:5VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ12Bh:4fP7fWsK5z9A+WGAW+V5SB6Ct4bnb2 |
| MD5: | 1B515CB5B54D379E258F3BE018F2DCC5 |
| SHA1: | 448821262C4B6775152F3D1FC3F70A125A7A4A78 |
| SHA-256: | 65E9D5DC7D6ECAB9FEB419B641726C56772C951270750ECC51317C305AB62CAC |
| SHA-512: | 5A0A16531FFEE2A563933EE571C913D1EF2557D3C57EC177D27F8798438062C828EC7D4BFACD32E315F5D150239A3029B67C1B99D6B391461F3C1E6E88E6A7EB |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Windows\explorer.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 98304 |
| Entropy (8bit): | 5.996546491031358 |
| Encrypted: | false |
| SSDEEP: | 1536:3bo99g4+4G8mMM+nCA+o6UJMUHznV80KCt1p7Gx:LXH4GvNKAUHR80KCt/G |
| MD5: | C91CCEF3884CFDE746B4BAEF5F1BC75C |
| SHA1: | 9A7E17BA64FE1842E904D4019D9BB9B005E61E55 |
| SHA-256: | E6C9C88491EF6FB4B4DAFAC3276C8E2A3B2BC3C4D7825F4EAA3AC99E1801195B |
| SHA-512: | 431754EC35871B2ED1F5E9FC621F24B6187720C0562D0ABDC9232A063DA1E8419A07CDC1740A3B433A80BA15FF25F0EAE0E5B331985A7B8ABC9CE8E73CBC210E |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
|
| Process: | C:\Windows\explorer.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1523712 |
| Entropy (8bit): | 5.861361447985384 |
| Encrypted: | false |
| SSDEEP: | 12288:cVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1m5:pfP7fWsK5z9A+WGAW+V5SB6Ct4bnb |
| MD5: | 0E2C09A45BC0ED953B1A20E3DDD9D186 |
| SHA1: | 80317AB8392B224A9091359C0A16DA40D35053F5 |
| SHA-256: | 2E2F9B6F590F13C1834BA38AFFE06DAA48AA7A0994EEE493D5011B336B0CC6A9 |
| SHA-512: | 9F9EA4D4E62D0863212B227B2DF45BFD751D43BC5E674BADD730DDB1FD0E67AC9F99D0B4F8B209B0B4AA73467DDCEB29075E6BEFA7C9620A3CA056E00DD0C8F5 |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Windows\explorer.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 43472 |
| Entropy (8bit): | 6.224421457593777 |
| Encrypted: | false |
| SSDEEP: | 768:+pH9d9NT4uJO0qK/lEbrDGe2gfBTDxxsg652PIBmRncHiDgcZd3cxe1PIc:EzNT4GpHaTDvst2gmRnVdZVcgPIc |
| MD5: | F0C8675F98E397383A112CC8ED5B97DA |
| SHA1: | 644A87D9CEE0BC576402573224F6695AA45196D3 |
| SHA-256: | 0E9C85E4833BB1BF45CB66AA3B021A2CDA6074333C2217F8FFB5360B63719374 |
| SHA-512: | ABF6B2BB5BB48C1C2E54C01656D3C448E8CD4159686F285D67CFF805A757FFAF6B0D7D9DD579786B739AD90ECB1FB6D43A181CBEBBC27FEA3504D48B61C10A5C |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
|
| Process: | C:\Windows\explorer.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 107008 |
| Entropy (8bit): | 6.213211715541241 |
| Encrypted: | false |
| SSDEEP: | 1536:jZPv9YEIT8g15BZNWNBWNK5/FzUJmufD6o6ffv+Difx1P4dirH+Z3sUS+CvilU/s:lPBLBBbWDwff22J1Puq+y+HUk |
| MD5: | 0BF1E2262C95164A0B244174167FBD85 |
| SHA1: | 81BD08AD31BF2665F298406F843924588BB7606B |
| SHA-256: | 6B35C354C480D232A96EF73EABA268EF7D94F30A3D3A1161B69081B048A27E29 |
| SHA-512: | FD01664A377359E72A67F52E8DFFDD237E24F8ACC158B3A478F71CAAC1CE2EDDB19B15E1FC66CB73E77DDED564D6A98FD3064BDA20419D8C949505457721BF5C |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
|
| Process: | C:\Windows\explorer.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1241088 |
| Entropy (8bit): | 5.503813896207835 |
| Encrypted: | false |
| SSDEEP: | 12288:hVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:QfP7fWsK5z9A+WGAW+V5SB6Ct4bnb |
| MD5: | F2A29CC94479DC03351404004C40E18A |
| SHA1: | 778E570E30ABD2DCAEFEDCC2D24F35F81D56AC5E |
| SHA-256: | BB734D97EF436A89FC93C426141CDE1A5A73C73B7E10CBEB667105C44823CA5E |
| SHA-512: | 7758DDA6DC6D6E1AE63A6F7D84C1EBA50470DAD48052A4AA7609BDF4AB33BF5253FB7368F0A78747F78D19F4D77E0ACD7DE9DE53B42C3863159513ABB031988A |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
|
| Process: | C:\Windows\explorer.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 92160 |
| Entropy (8bit): | 5.664138088677901 |
| Encrypted: | false |
| SSDEEP: | 1536:D/BmrFjio5/vzDSPwiEKi3xGyibqZ3qOT3:9mp5SwiEKWZiTo3 |
| MD5: | E23643C785D498FF73B5C9D7EA173C3D |
| SHA1: | 56296F1D29FC2DCBFAA1D991C87B10968C6D3882 |
| SHA-256: | 40F423488FC0C13DED29109F8CC1C0D2CCE52ECB1BD01939EF774FE31014E0F4 |
| SHA-512: | 22E29A06F19E2DA941A707B8DA7115E0F5962617295CC36395A8E9B2A98F0239B6519B4BF4AB1DC671DEF8CD558E8F59F4E50C63130D392D1E085BBF6B710914 |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Windows\explorer.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1265664 |
| Entropy (8bit): | 5.5179792497477465 |
| Encrypted: | false |
| SSDEEP: | 12288:0VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1hBB:xfP7fWsK5z9A+WGAW+V5SB6Ct4bnb7 |
| MD5: | ACAA18F0CA1472EBA6752C43A76F63D4 |
| SHA1: | 1BD14A5CB0788853667F25EE5DC84DBABFB1E69A |
| SHA-256: | 7BBCEA1DD21373D8A86FD2A6048971967CA3E410A7D5799222474DF7A97D66AB |
| SHA-512: | FA56F548843551898F932B285D83ED3238138F246E0FA642EC6719C5886DDF4B71A1D65A04707EA0301B767543CB8C8EA3DAA478C98D4039B5FAB35183B0E57B |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
|
| Process: | C:\Windows\explorer.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1241088 |
| Entropy (8bit): | 5.497178010630534 |
| Encrypted: | false |
| SSDEEP: | 12288:kVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:BfP7fWsK5z9A+WGAW+V5SB6Ct4bnb |
| MD5: | 092BC1900DB5A3970E41A4A850EC783E |
| SHA1: | D89437CB8A48260E34A0D0C44768F7662CAEB2F4 |
| SHA-256: | F151BAEF206217841A78357977495815717409F349365DB9FFD4DB6166E83CDD |
| SHA-512: | 414B9DFE04E94B275A48EFE03DA688A0AAF80B0DFF9B461A29C92E4D8E5799371A937F5B13F520B16ABD465E29F1D38713DB1C825F4BB282CC9BAF1868C6F51B |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
|
| Process: | C:\Windows\explorer.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 3640832 |
| Entropy (8bit): | 5.884402821447862 |
| Encrypted: | false |
| SSDEEP: | 98304:q8yNOTNEpZxGb+ZPgN6tYDNBMe+8noqvEYw0n2WFfZT+xgsLOsMg:q8yNOTNEpZxk+ZIN6tYDNBMe+8noqvEB |
| MD5: | 3FBB5CD8829E9533D0FF5819DB0444C0 |
| SHA1: | A4A6E4E50421E57EA4745BA44568B107A9369447 |
| SHA-256: | 043870DBAB955C1851E1710D941495357383A08F3F30DD3E3A1945583A85E0CA |
| SHA-512: | 349459CCF4DDFB0B05B066869C99088BA3012930D5BBC3ED1C9E4CF6400687B1EFE698C5B1734BF6FF299F6C65DD7A71A2709D3773E9E96F6FDE659F5D883F48 |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Windows\explorer.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 304640 |
| Entropy (8bit): | 6.843015704242449 |
| Encrypted: | false |
| SSDEEP: | 6144:E/Odkrq1AlGra6uFz2LJGRg4kLNnei36cw:As5+FCdUc |
| MD5: | F87F2E5EBF3FFBA39DF1621B5F8689B5 |
| SHA1: | B4E358BF1BE0DF6D341CA1BC949867D94F13EC07 |
| SHA-256: | 06780477637707BEA6317AE81D059A4D75B101542ADFA6DC855287EAEDFC822A |
| SHA-512: | 6E8D60C17396260791898A2914422AFFF2921A4C3D924F56C83ED117B683D3F3AEFB15E234600F3B5375A47C0C6A13F6160B0638CA91663D29DC56067EB5E5B7 |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Windows\explorer.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1241088 |
| Entropy (8bit): | 5.496643926580779 |
| Encrypted: | false |
| SSDEEP: | 12288:QVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:VfP7fWsK5z9A+WGAW+V5SB6Ct4bnb |
| MD5: | D3FE50240DC0CB29FD1626AD60D27A33 |
| SHA1: | 4CDC09987F4ED88D1A133E384A150AA6B079A9A0 |
| SHA-256: | 7AEAAA41996A44EA2A028D695DF30580802B65D8D4B9A3FB26CAE91EFA00E3CF |
| SHA-512: | 70903C4596F5AE1CE905E3CACCCAB75F82A5148766CD002ED4414C63179CDECB34898DF791FF439BB56F20571453057CCB443F93B19A9101D6E3C7FCF7C7905F |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
|
| Process: | C:\Windows\explorer.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1241088 |
| Entropy (8bit): | 5.4946364596901 |
| Encrypted: | false |
| SSDEEP: | 12288:RVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:gfP7fWsK5z9A+WGAW+V5SB6Ct4bnb |
| MD5: | 5361D083DFF1152C4481BAA13FFA6689 |
| SHA1: | 68DACC124F275798E5511A815304311F4CC17014 |
| SHA-256: | 67DB65C41FEFBE51F18ED9F1A8C6BC09BDEEE7D5507F82446CFA5B7EB8E83F8F |
| SHA-512: | D500FB3985B472D0AC44A1E78D855FD52CBD5607063D5D451F3DEBA1B6D26FA486B90289E71847D0E3E6F1ECBFD374740656FF3DFB94765FCD092EE0CB64FC85 |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
|
| Process: | C:\Windows\explorer.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 600576 |
| Entropy (8bit): | 6.4861677167766665 |
| Encrypted: | false |
| SSDEEP: | 12288:B2mS50ICmAX+ASa8wd9Nkmw6cD8pellpco//EH1:B2mlmeFSa8wd9NStApeCoXEH |
| MD5: | 3B8262EB45E790BF7FA648CEE2CCCB7B |
| SHA1: | EDDD81D1B3FD2EE99E42A43B25BD74D39BB850BC |
| SHA-256: | D1225E9FD2834BD2EF84EADAA4126020D20F4A0F50321440190C3896E69BD5D8 |
| SHA-512: | A3709D39372CDB6D9C9E58932144CE8BA437C2134EFC9BCD2531708C1515CBAEA5929C220DF25D76785F7594BC5F8541E6ED5330EA3CA12E87C4DA5A2171C435 |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Windows\explorer.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1245184 |
| Entropy (8bit): | 5.502578344059862 |
| Encrypted: | false |
| SSDEEP: | 12288:8VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:JfP7fWsK5z9A+WGAW+V5SB6Ct4bnb |
| MD5: | 9E94BC8A0688A10E6CEA3FD9A924C09E |
| SHA1: | 11342B809DF3914361510FE0FE1734804CA268DB |
| SHA-256: | 7984FB0BE2E6A704A2C2299A0519AA14A3CB475B95DEC8C836D054FB8783984A |
| SHA-512: | 0A8BED06C8D8C732AF3639D5261BDDF96895521BA7C2A523B4F7377FA53CE94DF06F2AAD9B47E1B0619A320462BD487DFC32194869E72E0F81FBE822690129DA |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
|
| Process: | C:\Windows\explorer.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 209312 |
| Entropy (8bit): | 6.796289498157116 |
| Encrypted: | false |
| SSDEEP: | 6144:swTMBboFMSuc/9NPXWPJROo/wVJyB60OHyLC7vs:swTMB02SD/mXO64c2Hyw |
| MD5: | FF214585BF10206E21EA8EBA202FACFD |
| SHA1: | 1ED4AE92D235497F62610078D51105C4634AFADE |
| SHA-256: | C48C430EB07ACC2FF8BDDD6057F5C9F72C2E83F67478F1E4A1792AF866711538 |
| SHA-512: | 24073F60B886C58F227769B2DD7D1439DF841784E43E753265DA761801FDA58FBEEDAC4A642E0A6ABDA40A6263153FAA1A9540DF6D35E38BF0EE5327EA55B4FE |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Windows\explorer.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 43008 |
| Entropy (8bit): | 5.898730459072675 |
| Encrypted: | false |
| SSDEEP: | 768:2nweYBCOBU+khtTMstnGUEqbfynaDWVVVFZ5i7t4AYRyF:TiaU+1qDya6VV7Z5SudyF |
| MD5: | 0795B6F790F8E52D55F39E593E9C5BBA |
| SHA1: | 6A9991A1762AAC176E3F47AB210CC121E038E4F9 |
| SHA-256: | DF5B698983C3F08265F2FB0B74046CD7E68568190F329C8331CCA4761256D33B |
| SHA-512: | 72D332EBDD1B9B40E18F565DACC200E5B710A91D803D536A0CF127C74622EED12A5EC855B9040F4A1FA8A44584E4E97E7E6C490B88DB3BDAFE61EA3FBF26AB59 |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Windows\explorer.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1245184 |
| Entropy (8bit): | 5.512898849354316 |
| Encrypted: | false |
| SSDEEP: | 12288:4VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:tfP7fWsK5z9A+WGAW+V5SB6Ct4bnb |
| MD5: | 4CD034EF892E4ACE84DE2EDF40C5C4F8 |
| SHA1: | 6DC79223A1CBE044E2E4071A301980B19FA3C9BC |
| SHA-256: | 3C508E30EA6B7182E35ADCBC610F7B434B658859871082F4E63F56E7F1A44E2F |
| SHA-512: | 5D7955CBFC760BA57987ABD973CFCED4C8EFE48BD753A25357285041AEF3D4CA2159407BFAB63CE291BFBC791A098CE903E440DE39AC44822C2A5FD41D3AD70A |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
|
| Process: | C:\Windows\explorer.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4462 |
| Entropy (8bit): | 5.486322521408924 |
| Encrypted: | false |
| SSDEEP: | 48:eBYynUf3KN7ms4dD24d7eDM36jhJQM4BYynU2QMR6CTj5iJWo49pYCUzMmKpH1:eusI3KN2D24ZeDkiwus3/R6WwIo6vo8V |
| MD5: | E6110DEC2D5794F12E28864B52AA17DF |
| SHA1: | 35BB21C92A1977140B7EC8A0F80AC6FD1947B230 |
| SHA-256: | 48CEBC917B864CB68722E1960DDB91D86D4BBAB294CC735FD1FB834B5759E03E |
| SHA-512: | 4E24FF2F1DAEF75435B1BF9F9D3EC1E3B2BFD1FAA4C2C2811FF518E5FA531235F07E47281A33A6D75FB363AF4A0221E512FE9CD565402FEFF1DFC1ED529D1625 |
| Malicious: | false |
| Preview: |
|
Static File Info |
|---|
General | |
|---|---|
| File type: | |
| Entropy (8bit): | 5.507980268942348 |
| TrID: |
|
| File name: | DC2zX44MQr.dll |
| File size: | 1236992 |
| MD5: | 94f8317b419e9476120b14a29d9b05d2 |
| SHA1: | f2b03dd4441f3808468bdbb8b26273cfb41b5298 |
| SHA256: | 2f10b593a5e04506d8050ebe39e28619199958a4f4bae0b9f3a1ee2af3d74862 |
| SHA512: | 73edd03df050bf72249dafdc8e0c71884d236e713b871c5e8ce9c825937ba1c8447ae791e39400a1d7b5af77aa5ec5d01b6db356003e9616ed7d24e7f78b24a3 |
| SSDEEP: | 12288:+VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:jfP7fWsK5z9A+WGAW+V5SB6Ct4bnb |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|. |
File Icon |
|---|
 | |
| Icon Hash: | 74f0e4ecccdce0e4 |
Static PE Info |
|---|
General | |
|---|---|
| Entrypoint: | 0x140041070 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x140000000 |
| Subsystem: | windows cui |
| Image File Characteristics: | EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE |
| DLL Characteristics: | TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA |
| Time Stamp: | 0x5E4E44CC [Thu Feb 20 08:35:24 2020 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 0 |
| File Version Major: | 5 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 6668be91e2c948b183827f040944057f |
Entrypoint Preview |
|---|
| Instruction |
|---|
| dec eax |
| xor eax, eax |
| dec eax |
| add eax, 5Ah |
| dec eax |
| mov dword ptr [00073D82h], ecx |
| dec eax |
| lea ecx, dword ptr [FFFFECABh] |
| dec eax |
| mov dword ptr [00073D7Ch], edx |
| dec eax |
| add eax, ecx |
| dec esp |
| mov dword ptr [00073D92h], ecx |
| dec esp |
| mov dword ptr [00073DA3h], ebp |
| dec esp |
| mov dword ptr [00073D7Ch], eax |
| dec esp |
| mov dword ptr [00073D85h], edi |
| dec esp |
| mov dword ptr [00073D86h], esi |
| dec esp |
| mov dword ptr [00073D8Fh], esp |
| dec eax |
| mov ecx, eax |
| dec eax |
| sub ecx, 5Ah |
| dec eax |
| mov dword ptr [00073D89h], esi |
| dec eax |
| test eax, eax |
| je 00007F3530BCA48Fh |
| dec eax |
| mov dword ptr [00073D45h], esp |
| dec eax |
| mov dword ptr [00073D36h], ebp |
| dec eax |
| mov dword ptr [00073D7Fh], ebx |
| dec eax |
| mov dword ptr [00073D70h], edi |
| dec eax |
| test eax, eax |
| je 00007F3530BCA46Eh |
| jmp ecx |
| dec eax |
| add edi, ecx |
| dec eax |
| mov dword ptr [FFFFEC37h], ecx |
| dec eax |
| xor ecx, eax |
| jmp ecx |
| retn 0008h |
| ud2 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| push ebx |
| dec eax |
| sub esp, 00000080h |
| mov eax, F957B016h |
| mov byte ptr [esp+7Fh], 00000037h |
| mov edx, dword ptr [esp+78h] |
| inc ecx |
| mov eax, edx |
| inc ecx |
| or eax, 5D262B0Ch |
| inc esp |
| mov dword ptr [esp+78h], eax |
| dec eax |
| mov dword ptr [eax+eax+00h], 00000000h |
Rich Headers |
|---|
| Programming Language: |
|
Data Directories |
|---|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x12d010 | 0x19f | .xmo |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa6390 | 0xa0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc0000 | 0x468 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc1000 | 0x2324 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x42000 | 0xc0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
|---|
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x40796 | 0x41000 | False | 0.776085486779 | data | 7.73364605679 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .rdata | 0x42000 | 0x64fcb | 0x65000 | False | 0.702262047494 | data | 7.86510283498 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xa7000 | 0x178b8 | 0x18000 | False | 0.0694580078125 | data | 3.31515306295 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .pdata | 0xbf000 | 0x12c | 0x1000 | False | 0.06005859375 | PEX Binary Archive | 0.581723022719 | IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0xc0000 | 0x880 | 0x1000 | False | 0.139892578125 | data | 1.23838501563 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xc1000 | 0x2324 | 0x3000 | False | 0.0498046875 | data | 4.65321444248 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| .qkm | 0xc4000 | 0x74a | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .cvjb | 0xc5000 | 0x1e66 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .tlmkv | 0xc7000 | 0xbde | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .wucsxe | 0xc8000 | 0x45174 | 0x46000 | False | 0.0010498046875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .wnx | 0x10e000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .weqy | 0x10f000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .yby | 0x110000 | 0x1278 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .ormx | 0x112000 | 0xbde | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .dhclu | 0x113000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .xmiul | 0x114000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .tlwcxe | 0x115000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .get | 0x116000 | 0xbde | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .hzrd | 0x117000 | 0x1124 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .qzu | 0x119000 | 0x736 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .nhglos | 0x11a000 | 0x1af | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .itzo | 0x11b000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .nmsaom | 0x11c000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rvhi | 0x11d000 | 0x1af | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .ucrzce | 0x11e000 | 0x389 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .ijc | 0x11f000 | 0xbf6 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .ohvs | 0x120000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rlvrc | 0x121000 | 0x1ee | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .yjv | 0x122000 | 0xbde | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .clbcyy | 0x123000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .xcyn | 0x124000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .boqx | 0x125000 | 0x389 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rnlia | 0x126000 | 0x389 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .ctip | 0x127000 | 0x5a7 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .fkv | 0x128000 | 0x1124 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .pczrv | 0x12a000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .ibglr | 0x12b000 | 0x3fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .uirkq | 0x12c000 | 0x3ba | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .xmo | 0x12d000 | 0x1af | 0x1000 | False | 0.070068359375 | data | 0.884469413236 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources |
|---|
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_VERSION | 0xc00a0 | 0x370 | data | English | United States |
| RT_MANIFEST | 0xc0410 | 0x56 | ASCII text, with CRLF line terminators | English | United States |
Imports |
|---|
| DLL | Import |
|---|---|
| USER32.dll | LookupIconIdFromDirectoryEx, WaitForInputIdle, GetParent, GetFocus |
| SETUPAPI.dll | CM_Get_Resource_Conflict_DetailsW |
| KERNEL32.dll | DeleteCriticalSection, DeleteTimerQueue, TerminateJobObject, GetFileInformationByHandle, GetThreadLocale, GetNamedPipeServerProcessId, GetConsoleFontSize |
| GDI32.dll | CreateBitmapIndirect, GetPolyFillMode |
| CRYPT32.dll | CertGetCTLContextProperty |
| ADVAPI32.dll | AddAccessDeniedObjectAce |
| SHLWAPI.dll | ChrCmpIW |
Exports |
|---|
| Name | Ordinal | Address |
|---|---|---|
| DisplaySYSDMCPL | 1 | 0x1400186ec |
| EditEnvironmentVariables | 2 | 0x140014580 |
| EditUserProfiles | 3 | 0x140001768 |
| EnableExecuteProtectionSupportW | 4 | 0x140037da0 |
| ModifyExecuteProtectionSupportW | 5 | 0x140030704 |
| NoExecuteAddFileOptOutList | 6 | 0x14002a1c0 |
| NoExecuteAddFileOptOutListW | 7 | 0x140035ddc |
| NoExecuteProcessExceptionW | 8 | 0x1400164c4 |
| NoExecuteRemoveFileOptOutList | 9 | 0x140015998 |
| NoExecuteRemoveFileOptOutListW | 10 | 0x14001a104 |
Version Infos |
|---|
| Description | Data |
|---|---|
| LegalCopyright | Microsoft Corporation. All rights reserv |
| InternalName | bitsp |
| FileVersion | 7.5.7600.16385 (win7_rtm.090713- |
| CompanyName | Microsoft Corporati |
| ProductName | Microsoft Windows Operating S |
| ProductVersion | 6.1.7600 |
| FileDescription | Background Intellig |
| OriginalFilename | kbdy |
| Translation | 0x0409 0x04b0 |
Possible Origin |
|---|
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library NodeNetwork Behavior |
|---|
Network Port Distribution |
|---|
UDP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Sep 28, 2021 19:14:14.984349012 CEST | 60338 | 53 | 192.168.2.7 | 8.8.8.8 |
| Sep 28, 2021 19:14:15.018414021 CEST | 53 | 60338 | 8.8.8.8 | 192.168.2.7 |
| Sep 28, 2021 19:14:31.646061897 CEST | 58717 | 53 | 192.168.2.7 | 8.8.8.8 |
| Sep 28, 2021 19:14:31.671478033 CEST | 53 | 58717 | 8.8.8.8 | 192.168.2.7 |
| Sep 28, 2021 19:14:52.503011942 CEST | 59762 | 53 | 192.168.2.7 | 8.8.8.8 |
| Sep 28, 2021 19:14:52.521750927 CEST | 53 | 59762 | 8.8.8.8 | 192.168.2.7 |
| Sep 28, 2021 19:14:55.160108089 CEST | 54329 | 53 | 192.168.2.7 | 8.8.8.8 |
| Sep 28, 2021 19:14:55.179826021 CEST | 53 | 54329 | 8.8.8.8 | 192.168.2.7 |
| Sep 28, 2021 19:14:55.268310070 CEST | 58052 | 53 | 192.168.2.7 | 8.8.8.8 |
| Sep 28, 2021 19:14:55.312179089 CEST | 53 | 58052 | 8.8.8.8 | 192.168.2.7 |
| Sep 28, 2021 19:14:56.556112051 CEST | 54008 | 53 | 192.168.2.7 | 8.8.8.8 |
| Sep 28, 2021 19:14:56.575474977 CEST | 53 | 54008 | 8.8.8.8 | 192.168.2.7 |
| Sep 28, 2021 19:14:57.998117924 CEST | 59451 | 53 | 192.168.2.7 | 8.8.8.8 |
| Sep 28, 2021 19:14:58.017493010 CEST | 53 | 59451 | 8.8.8.8 | 192.168.2.7 |
| Sep 28, 2021 19:14:58.487844944 CEST | 52914 | 53 | 192.168.2.7 | 8.8.8.8 |
| Sep 28, 2021 19:14:58.505630016 CEST | 53 | 52914 | 8.8.8.8 | 192.168.2.7 |
| Sep 28, 2021 19:14:58.975784063 CEST | 64569 | 53 | 192.168.2.7 | 8.8.8.8 |
| Sep 28, 2021 19:14:58.995593071 CEST | 53 | 64569 | 8.8.8.8 | 192.168.2.7 |
| Sep 28, 2021 19:14:59.912367105 CEST | 52816 | 53 | 192.168.2.7 | 8.8.8.8 |
| Sep 28, 2021 19:14:59.934814930 CEST | 53 | 52816 | 8.8.8.8 | 192.168.2.7 |
| Sep 28, 2021 19:15:00.325953007 CEST | 50781 | 53 | 192.168.2.7 | 8.8.8.8 |
| Sep 28, 2021 19:15:00.361572981 CEST | 53 | 50781 | 8.8.8.8 | 192.168.2.7 |
| Sep 28, 2021 19:15:00.684242010 CEST | 54230 | 53 | 192.168.2.7 | 8.8.8.8 |
| Sep 28, 2021 19:15:00.701716900 CEST | 53 | 54230 | 8.8.8.8 | 192.168.2.7 |
| Sep 28, 2021 19:15:01.393390894 CEST | 54911 | 53 | 192.168.2.7 | 8.8.8.8 |
| Sep 28, 2021 19:15:01.412703991 CEST | 53 | 54911 | 8.8.8.8 | 192.168.2.7 |
| Sep 28, 2021 19:15:02.618539095 CEST | 49958 | 53 | 192.168.2.7 | 8.8.8.8 |
| Sep 28, 2021 19:15:02.637355089 CEST | 53 | 49958 | 8.8.8.8 | 192.168.2.7 |
| Sep 28, 2021 19:15:03.714611053 CEST | 50860 | 53 | 192.168.2.7 | 8.8.8.8 |
| Sep 28, 2021 19:15:03.774904013 CEST | 53 | 50860 | 8.8.8.8 | 192.168.2.7 |
| Sep 28, 2021 19:15:04.471513987 CEST | 50452 | 53 | 192.168.2.7 | 8.8.8.8 |
| Sep 28, 2021 19:15:04.506480932 CEST | 53 | 50452 | 8.8.8.8 | 192.168.2.7 |
| Sep 28, 2021 19:15:05.449511051 CEST | 59730 | 53 | 192.168.2.7 | 8.8.8.8 |
| Sep 28, 2021 19:15:05.470241070 CEST | 53 | 59730 | 8.8.8.8 | 192.168.2.7 |
| Sep 28, 2021 19:15:10.173793077 CEST | 59310 | 53 | 192.168.2.7 | 8.8.8.8 |
| Sep 28, 2021 19:15:10.193933010 CEST | 53 | 59310 | 8.8.8.8 | 192.168.2.7 |
| Sep 28, 2021 19:15:30.005969048 CEST | 51919 | 53 | 192.168.2.7 | 8.8.8.8 |
| Sep 28, 2021 19:15:30.023964882 CEST | 53 | 51919 | 8.8.8.8 | 192.168.2.7 |
| Sep 28, 2021 19:15:37.120172977 CEST | 64296 | 53 | 192.168.2.7 | 8.8.8.8 |
| Sep 28, 2021 19:15:37.139909983 CEST | 56680 | 53 | 192.168.2.7 | 8.8.8.8 |
| Sep 28, 2021 19:15:37.150744915 CEST | 53 | 64296 | 8.8.8.8 | 192.168.2.7 |
| Sep 28, 2021 19:15:37.166969061 CEST | 53 | 56680 | 8.8.8.8 | 192.168.2.7 |
| Sep 28, 2021 19:15:56.290057898 CEST | 58820 | 53 | 192.168.2.7 | 8.8.8.8 |
| Sep 28, 2021 19:15:56.325064898 CEST | 53 | 58820 | 8.8.8.8 | 192.168.2.7 |
| Sep 28, 2021 19:15:58.319705963 CEST | 60983 | 53 | 192.168.2.7 | 8.8.8.8 |
| Sep 28, 2021 19:15:58.339636087 CEST | 53 | 60983 | 8.8.8.8 | 192.168.2.7 |
| Sep 28, 2021 19:16:33.391506910 CEST | 49247 | 53 | 192.168.2.7 | 8.8.8.8 |
| Sep 28, 2021 19:16:33.411485910 CEST | 53 | 49247 | 8.8.8.8 | 192.168.2.7 |
| Sep 28, 2021 19:17:30.636225939 CEST | 52286 | 53 | 192.168.2.7 | 8.8.8.8 |
| Sep 28, 2021 19:17:30.670250893 CEST | 53 | 52286 | 8.8.8.8 | 192.168.2.7 |
Code Manipulations |
|---|
Statistics |
|---|
CPU Usage |
|---|
Click to jump to process
Memory Usage |
|---|
Click to jump to process
High Level Behavior Distribution |
|---|
back
Click to dive into process behavior distribution
Behavior |
|---|
Click to jump to process
System Behavior |
|---|
General |
|---|
| Start time: | 19:14:06 |
| Start date: | 28/09/2021 |
| Path: | C:\Windows\System32\loaddll64.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7eaf80000 |
| File size: | 1136128 bytes |
| MD5 hash: | E0CC9D126C39A9D2FA1CAD5027EBBD18 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | moderate |
General |
|---|
| Start time: | 19:14:06 |
| Start date: | 28/09/2021 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7bf140000 |
| File size: | 273920 bytes |
| MD5 hash: | 4E2ACF4F8A396486AB4268C94A6A245F |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 19:14:07 |
| Start date: | 28/09/2021 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff775bc0000 |
| File size: | 69632 bytes |
| MD5 hash: | 73C519F050C20580F8A62C849D49215A |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | high |
General |
|---|
| Start time: | 19:14:07 |
| Start date: | 28/09/2021 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff775bc0000 |
| File size: | 69632 bytes |
| MD5 hash: | 73C519F050C20580F8A62C849D49215A |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | high |
General |
|---|
| Start time: | 19:14:08 |
| Start date: | 28/09/2021 |
| Path: | C:\Windows\explorer.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff662bf0000 |
| File size: | 3933184 bytes |
| MD5 hash: | AD5296B280E8F522A8A897C96BAB0E1D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 19:14:10 |
| Start date: | 28/09/2021 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff775bc0000 |
| File size: | 69632 bytes |
| MD5 hash: | 73C519F050C20580F8A62C849D49215A |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | high |
General |
|---|
| Start time: | 19:14:14 |
| Start date: | 28/09/2021 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff775bc0000 |
| File size: | 69632 bytes |
| MD5 hash: | 73C519F050C20580F8A62C849D49215A |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | high |
General |
|---|
| Start time: | 19:14:46 |
| Start date: | 28/09/2021 |
| Path: | C:\Windows\System32\DmNotificationBroker.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff67baa0000 |
| File size: | 32256 bytes |
| MD5 hash: | 1643D5735213BC89C0012F0E48253765 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
General |
|---|
| Start time: | 19:14:51 |
| Start date: | 28/09/2021 |
| Path: | C:\Users\user\AppData\Local\EwdQnyo\DmNotificationBroker.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff686900000 |
| File size: | 32256 bytes |
| MD5 hash: | 1643D5735213BC89C0012F0E48253765 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Antivirus matches: | |
| Reputation: | moderate |
General |
|---|
| Start time: | 19:15:03 |
| Start date: | 28/09/2021 |
| Path: | C:\Windows\System32\RdpSa.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff794d50000 |
| File size: | 43008 bytes |
| MD5 hash: | 0795B6F790F8E52D55F39E593E9C5BBA |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
General |
|---|
| Start time: | 19:15:03 |
| Start date: | 28/09/2021 |
| Path: | C:\Users\user\AppData\Local\zLYZkwYH\RdpSa.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff644d50000 |
| File size: | 43008 bytes |
| MD5 hash: | 0795B6F790F8E52D55F39E593E9C5BBA |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
General |
|---|
| Start time: | 19:15:16 |
| Start date: | 28/09/2021 |
| Path: | C:\Windows\System32\Utilman.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff728540000 |
| File size: | 98304 bytes |
| MD5 hash: | C91CCEF3884CFDE746B4BAEF5F1BC75C |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
General |
|---|
| Start time: | 19:15:20 |
| Start date: | 28/09/2021 |
| Path: | C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff719840000 |
| File size: | 98304 bytes |
| MD5 hash: | C91CCEF3884CFDE746B4BAEF5F1BC75C |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Antivirus matches: |
|
General |
|---|
| Start time: | 19:15:34 |
| Start date: | 28/09/2021 |
| Path: | C:\Windows\System32\EaseOfAccessDialog.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6cc0e0000 |
| File size: | 304640 bytes |
| MD5 hash: | F87F2E5EBF3FFBA39DF1621B5F8689B5 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
General |
|---|
| Start time: | 19:15:34 |
| Start date: | 28/09/2021 |
| Path: | C:\Users\user\AppData\Local\rm4w0\EaseOfAccessDialog.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff792c30000 |
| File size: | 304640 bytes |
| MD5 hash: | F87F2E5EBF3FFBA39DF1621B5F8689B5 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
General |
|---|
| Start time: | 19:15:46 |
| Start date: | 28/09/2021 |
| Path: | C:\Windows\System32\DevicePairingWizard.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff74a2d0000 |
| File size: | 92160 bytes |
| MD5 hash: | E23643C785D498FF73B5C9D7EA173C3D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
General |
|---|
| Start time: | 19:15:52 |
| Start date: | 28/09/2021 |
| Path: | C:\Users\user\AppData\Local\mJLa\DevicePairingWizard.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6cb020000 |
| File size: | 92160 bytes |
| MD5 hash: | E23643C785D498FF73B5C9D7EA173C3D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
General |
|---|
| Start time: | 19:16:04 |
| Start date: | 28/09/2021 |
| Path: | C:\Windows\System32\wermgr.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff62a2c0000 |
| File size: | 209312 bytes |
| MD5 hash: | FF214585BF10206E21EA8EBA202FACFD |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
General |
|---|
| Start time: | 19:16:05 |
| Start date: | 28/09/2021 |
| Path: | C:\Users\user\AppData\Local\xlPP\wermgr.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff776fa0000 |
| File size: | 209312 bytes |
| MD5 hash: | FF214585BF10206E21EA8EBA202FACFD |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
General |
|---|
| Start time: | 19:16:17 |
| Start date: | 28/09/2021 |
| Path: | C:\Windows\System32\mstsc.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7f3970000 |
| File size: | 3640832 bytes |
| MD5 hash: | 3FBB5CD8829E9533D0FF5819DB0444C0 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
General |
|---|
| Start time: | 19:16:18 |
| Start date: | 28/09/2021 |
| Path: | C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7a40d0000 |
| File size: | 3640832 bytes |
| MD5 hash: | 3FBB5CD8829E9533D0FF5819DB0444C0 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
Disassembly |
|---|
Code Analysis |
|---|
Executed Functions |
|---|
Function 00000001400495B0, Relevance: 8.7, APIs: 2, Strings: 2, Instructions: 1727COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140036F30, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 222COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000014005C340, Relevance: 6.1, APIs: 1, Strings: 2, Instructions: 886COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000014004BD40, Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 789COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000014005D290, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 108COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140048AC0, Relevance: 1.7, APIs: 1, Instructions: 185libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00000001400524B0, Relevance: .8, Instructions: 815COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140065B80, Relevance: .2, Instructions: 183COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140034870, Relevance: .2, Instructions: 170COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140061360, Relevance: 6.3, APIs: 4, Instructions: 290registryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000014005F9F0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000014005DBB9, Relevance: 3.1, APIs: 2, Instructions: 79filetimeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000014005DBD2, Relevance: 3.1, APIs: 2, Instructions: 77filetimeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000014005DBE8, Relevance: 3.1, APIs: 2, Instructions: 76filetimeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140060D10, Relevance: 3.1, APIs: 2, Instructions: 76registryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000014005DBF8, Relevance: 3.1, APIs: 2, Instructions: 73filetimeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000014005FDA0, Relevance: 1.6, APIs: 1, Instructions: 144synchronizationCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140060BA0, Relevance: 1.5, APIs: 1, Instructions: 44registryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
| Strings |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000014004F940, Relevance: .9, Instructions: 873COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140053F20, Relevance: .8, Instructions: 808COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140054BA0, Relevance: .8, Instructions: 797COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140016E80, Relevance: .7, Instructions: 739COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000014004EB60, Relevance: .7, Instructions: 687COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000014007BD50, Relevance: .7, Instructions: 677COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000014003B220, Relevance: .6, Instructions: 645COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140024440, Relevance: .6, Instructions: 566COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140018630, Relevance: .6, Instructions: 558COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140023BF0, Relevance: .5, Instructions: 545COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00000001400123C0, Relevance: .5, Instructions: 544COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000014000B120, Relevance: .5, Instructions: 531COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00000001400381A0, Relevance: .5, Instructions: 525COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000014003A2E0, Relevance: .5, Instructions: 521COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000014006B390, Relevance: .5, Instructions: 458COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000014000DDF0, Relevance: .5, Instructions: 456COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140005C40, Relevance: .4, Instructions: 450COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140067A40, Relevance: .4, Instructions: 440COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000014000BB40, Relevance: .4, Instructions: 438COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140069010, Relevance: .4, Instructions: 431COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000014001E170, Relevance: .4, Instructions: 401COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000014002FEC0, Relevance: .4, Instructions: 392COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140002980, Relevance: .4, Instructions: 389COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140018F80, Relevance: .4, Instructions: 376COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140010880, Relevance: .4, Instructions: 372COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000014001D910, Relevance: .4, Instructions: 369COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140033540, Relevance: .4, Instructions: 364COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140017B40, Relevance: .3, Instructions: 331COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000014002CB80, Relevance: .3, Instructions: 331COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00000001400018D0, Relevance: .3, Instructions: 320COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000014003AAC0, Relevance: .3, Instructions: 312COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140064080, Relevance: .3, Instructions: 304COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000014002D0D0, Relevance: .3, Instructions: 298COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140030530, Relevance: .3, Instructions: 294COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000014002A110, Relevance: .3, Instructions: 291COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000014005F490, Relevance: .3, Instructions: 281COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140022D00, Relevance: .3, Instructions: 281COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140031540, Relevance: .3, Instructions: 274COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140062B00, Relevance: .3, Instructions: 270COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000014006B41B, Relevance: .3, Instructions: 258COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140066020, Relevance: .3, Instructions: 255COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140007A60, Relevance: .3, Instructions: 255COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000014006B43D, Relevance: .2, Instructions: 250COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000014006B424, Relevance: .2, Instructions: 248COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000014006B42D, Relevance: .2, Instructions: 248COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000014006B436, Relevance: .2, Instructions: 248COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000014006B446, Relevance: .2, Instructions: 248COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140069A50, Relevance: .2, Instructions: 236COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140001010, Relevance: .2, Instructions: 229COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000014002EA00, Relevance: .2, Instructions: 221COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140018300, Relevance: .2, Instructions: 211COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000014002E1B0, Relevance: .2, Instructions: 210COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000014003EFB0, Relevance: .2, Instructions: 207COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00000001400276C0, Relevance: .2, Instructions: 202COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140064E80, Relevance: .2, Instructions: 194COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140016100, Relevance: .2, Instructions: 184COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140032650, Relevance: .2, Instructions: 183COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00000001400663F0, Relevance: .2, Instructions: 181COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000014005D850, Relevance: .2, Instructions: 169COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140001620, Relevance: .2, Instructions: 166COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00000001400319F0, Relevance: .2, Instructions: 155COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00000001400688A0, Relevance: .2, Instructions: 150COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140022730, Relevance: .1, Instructions: 140COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140031340, Relevance: .1, Instructions: 132COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000014002F840, Relevance: .1, Instructions: 125COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000000014002DDE0, Relevance: .1, Instructions: 125COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140060FE0, Relevance: .1, Instructions: 122COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00000001400611A0, Relevance: .1, Instructions: 121COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140022A00, Relevance: .1, Instructions: 118COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00000001400286B0, Relevance: .1, Instructions: 112COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140022340, Relevance: .1, Instructions: 108COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140063BD0, Relevance: .1, Instructions: 88COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140005370, Relevance: .1, Instructions: 77COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000000140007EA0, Relevance: .1, Instructions: 72COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Executed Functions |
|---|
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Executed Functions |
|---|
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Executed Functions |
|---|
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Executed Functions |
|---|
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Analysis Process: DmNotificationBroker.exe PID: 6464 Parent PID: 3292 DmNotificationBroker.exeCOMMON
Executed Functions |
|---|
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Function 00007FF686901A1C, Relevance: 18.1, APIs: 12, Instructions: 140windowthreadcomCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF686902910, Relevance: 9.0, APIs: 6, Instructions: 50timethreadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF6869017CC, Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 148COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF686901188, Relevance: 21.1, APIs: 14, Instructions: 149synchronizationthreadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF686901440, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Executed Functions |
|---|
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Function 00007FF644D52BA0, Relevance: 47.7, APIs: 22, Strings: 5, Instructions: 446fileregistrysleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF644D522B0, Relevance: 38.8, APIs: 18, Strings: 4, Instructions: 315registrymemorywindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF644D56AB4, Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 189COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF644D541EC, Relevance: 13.7, APIs: 9, Instructions: 151windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF644D565E0, Relevance: 34.8, APIs: 23, Instructions: 292memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF644D53C60, Relevance: 28.3, APIs: 7, Strings: 9, Instructions: 337memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF644D511BC, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 133memoryregistryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF644D55390, Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 237COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF644D516BC, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 169memorytimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF644D51F70, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF644D54FB0, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 215COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF644D574C0, Relevance: 9.0, APIs: 6, Instructions: 50timethreadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF644D537B0, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 197COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF644D51980, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 158timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF644D54BCC, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 147COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF644D521A8, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF644D52824, Relevance: 7.6, APIs: 5, Instructions: 106timewindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF644D514D8, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 119timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF644D54440, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 98registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF644D53304, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 93comCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF644D53B24, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 76COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF644D513F0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF644D545DC, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 103registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Executed Functions |
|---|
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Function 00007FF7198418D0, Relevance: 80.9, APIs: 37, Strings: 9, Instructions: 425registrymemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF71984A8A0, Relevance: 59.8, APIs: 24, Strings: 10, Instructions: 274COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF719844AA4, Relevance: 42.2, APIs: 21, Strings: 3, Instructions: 235COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF7198416F8, Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 101sleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF71984A2C8, Relevance: 9.1, APIs: 6, Instructions: 133comnativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF719845700, Relevance: 35.3, APIs: 10, Strings: 10, Instructions: 270registryfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF719849110, Relevance: 19.7, APIs: 13, Instructions: 175registryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF71984A6C0, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 114COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF7198454F0, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 124registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF719847908, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF7198426C0, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 135registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF71984D0D0, Relevance: 9.0, APIs: 6, Instructions: 50timethreadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF7198452D0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 72registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF719846EB8, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 65COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF71984950C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF7198446AC, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |