Play interactive tour
Edit tourWindows Analysis Report 2gyA5uNl6VPQUA.dll
Overview
General Information
| Sample Name: | 2gyA5uNl6VPQUA.dll |
| Analysis ID: | 532048 |
| MD5: | 5e20cb3466b66a9cdeac1ac74d9862e4 |
| SHA1: | 28ef4facb366de1fc7da62b975c8967997527c36 |
| SHA256: | 208939e34f46846c7c95383c6fea7813038b4dea87ea3819c157ccfbbf8aa09a |
| Tags: | dll |
| Infos: | |
Most interesting Screenshot:  | |
Detection
Emotet
| Score: | 76 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Connects to several IPs in different countries
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Classification
Process Tree |
|---|
|
Malware Configuration |
|---|
Threatname: Emotet |
|---|
{"C2 list": ["46.55.222.11:443", "104.245.52.73:8080", "41.76.108.46:8080", "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "203.114.109.124:443", "45.118.115.99:8080", "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2"]}Yara Overview |
|---|
Memory Dumps |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| Click to see the 11 entries | ||||
Unpacked PEs |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| Click to see the 25 entries | ||||
Sigma Overview |
|---|
| No Sigma rule has matched |
|---|
Jbx Signature Overview |
|---|
Click to jump to signature section
Show All Signature Results
AV Detection: |   |
|---|
| Found malware configuration | Show sources | ||
| Source: | Malware Configuration Extractor: | ||
| Multi AV Scanner detection for submitted file | Show sources | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 1_2_6EC02FE7 | |
| Source: | Code function: | 4_2_6EC02FE7 | |
Networking: | |
|---|
| C2 URLs / IPs found in malware configuration | Show sources | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | ASN Name: | ||
| Source: | ASN Name: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | Network traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
E-Banking Fraud: | |
|---|
| Yara detected Emotet | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Static PE information: | ||
| Source: | Process created: | ||
| Source: | File deleted: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Code function: | 1_2_6EBE5EA0 | |
| Source: | Code function: | 1_2_6EBEE6E0 | |
| Source: | Code function: | 1_2_6EBE66E0 | |
| Source: | Code function: | 1_2_6EBEA6D0 | |
| Source: | Code function: | 1_2_6EBF0F10 | |
| Source: | Code function: | 1_2_6EBE1C10 | |
| Source: | Code function: | 1_2_6EBE75F4 | |
| Source: | Code function: | 1_2_6EBE9D50 | |
| Source: | Code function: | 1_2_6EC00A61 | |
| Source: | Code function: | 1_2_6EBED380 | |
| Source: | Code function: | 1_2_6EBE38C0 | |
| Source: | Code function: | 1_2_6EBF01D0 | |
| Source: | Code function: | 4_2_02F406EF | |
| Source: | Code function: | 4_2_02F2AEB9 | |
| Source: | Code function: | 4_2_02F356A9 | |
| Source: | Code function: | 4_2_02F3604E | |
| Source: | Code function: | 4_2_02F3BA18 | |
| Source: | Code function: | 4_2_02F391F7 | |
| Source: | Code function: | 4_2_02F3E7DA | |
| Source: | Code function: | 4_2_02F389DA | |
| Source: | Code function: | 4_2_02F3ED95 | |
| Source: | Code function: | 4_2_02F22B7C | |
| Source: | Code function: | 4_2_02F2196D | |
| Source: | Code function: | 4_2_02F28D59 | |
| Source: | Code function: | 4_2_02F33130 | |
| Source: | Code function: | 4_2_02F28112 | |
| Source: | Code function: | 4_2_02F25314 | |
| Source: | Code function: | 4_2_02F2BEF5 | |
| Source: | Code function: | 4_2_02F420F8 | |
| Source: | Code function: | 4_2_02F2E6FD | |
| Source: | Code function: | 4_2_02F2A8E8 | |
| Source: | Code function: | 4_2_02F40AD3 | |
| Source: | Code function: | 4_2_02F37EDD | |
| Source: | Code function: | 4_2_02F254C0 | |
| Source: | Code function: | 4_2_02F3B0BA | |
| Source: | Code function: | 4_2_02F33ABE | |
| Source: | Code function: | 4_2_02F304A4 | |
| Source: | Code function: | 4_2_02F2F4A5 | |
| Source: | Code function: | 4_2_02F268AD | |
| Source: | Code function: | 4_2_02F2C69B | |
| Source: | Code function: | 4_2_02F2F699 | |
| Source: | Code function: | 4_2_02F2D899 | |
| Source: | Code function: | 4_2_02F23085 | |
| Source: | Code function: | 4_2_02F41C71 | |
| Source: | Code function: | 4_2_02F3E478 | |
| Source: | Code function: | 4_2_02F40C66 | |
| Source: | Code function: | 4_2_02F3645F | |
| Source: | Code function: | 4_2_02F30A37 | |
| Source: | Code function: | 4_2_02F23E3B | |
| Source: | Code function: | 4_2_02F3CC3F | |
| Source: | Code function: | 4_2_02F30824 | |
| Source: | Code function: | 4_2_02F31C12 | |
| Source: | Code function: | 4_2_02F42C16 | |
| Source: | Code function: | 4_2_02F2F20D | |
| Source: | Code function: | 4_2_02F21DF9 | |
| Source: | Code function: | 4_2_02F26BFE | |
| Source: | Code function: | 4_2_02F3D5FE | |
| Source: | Code function: | 4_2_02F435E3 | |
| Source: | Code function: | 4_2_02F2FBEF | |
| Source: | Code function: | 4_2_02F2B7EC | |
| Source: | Code function: | 4_2_02F313DB | |
| Source: | Code function: | 4_2_02F25DC3 | |
| Source: | Code function: | 4_2_02F239C3 | |
| Source: | Code function: | 4_2_02F34DC5 | |
| Source: | Code function: | 4_2_02F30FC5 | |
| Source: | Code function: | 4_2_02F22DC5 | |
| Source: | Code function: | 4_2_02F3BFA1 | |
| Source: | Code function: | 4_2_02F377A7 | |
| Source: | Code function: | 4_2_02F233A9 | |
| Source: | Code function: | 4_2_02F36B91 | |
| Source: | Code function: | 4_2_02F41987 | |
| Source: | Code function: | 4_2_02F27D87 | |
| Source: | Code function: | 4_2_02F2F984 | |
| Source: | Code function: | 4_2_02F2938F | |
| Source: | Code function: | 4_2_02F3C772 | |
| Source: | Code function: | 4_2_02F22176 | |
| Source: | Code function: | 4_2_02F22575 | |
| Source: | Code function: | 4_2_02F35B7C | |
| Source: | Code function: | 4_2_02F2597D | |
| Source: | Code function: | 4_2_02F3F561 | |
| Source: | Code function: | 4_2_02F25166 | |
| Source: | Code function: | 4_2_02F2DD66 | |
| Source: | Code function: | 4_2_02F42560 | |
| Source: | Code function: | 4_2_02F29565 | |
| Source: | Code function: | 4_2_02F2996C | |
| Source: | Code function: | 4_2_02F2635F | |
| Source: | Code function: | 4_2_02F24F42 | |
| Source: | Code function: | 4_2_02F3C145 | |
| Source: | Code function: | 4_2_02F42D4F | |
| Source: | Code function: | 4_2_02F4314A | |
| Source: | Code function: | 4_2_02F2E336 | |
| Source: | Code function: | 4_2_02F3473A | |
| Source: | Code function: | 4_2_02F27739 | |
| Source: | Code function: | 4_2_02F26125 | |
| Source: | Code function: | 4_2_02F2B12E | |
| Source: | Code function: | 4_2_02F3CF2C | |
| Source: | Code function: | 4_2_02F24716 | |
| Source: | Code function: | 4_2_02F38518 | |
| Source: | Code function: | 4_2_02F43306 | |
| Source: | Code function: | 4_2_02F3D10B | |
| Source: | Code function: | 4_2_02F3710D | |
| Source: | Code function: | 4_2_6EBE5EA0 | |
| Source: | Code function: | 4_2_6EBEE6E0 | |
| Source: | Code function: | 4_2_6EBE66E0 | |
| Source: | Code function: | 4_2_6EBEA6D0 | |
| Source: | Code function: | 4_2_6EBF0F10 | |
| Source: | Code function: | 4_2_6EBE1C10 | |
| Source: | Code function: | 4_2_6EBE75F4 | |
| Source: | Code function: | 4_2_6EBE9D50 | |
| Source: | Code function: | 4_2_6EC00A61 | |
| Source: | Code function: | 4_2_6EBED380 | |
| Source: | Code function: | 4_2_6EBE38C0 | |
| Source: | Code function: | 4_2_6EBF01D0 | |
| Source: | Code function: | 8_2_02C506EF | |
| Source: | Code function: | 8_2_02C4ED95 | |
| Source: | Code function: | 8_2_02C354C0 | |
| Source: | Code function: | 8_2_02C50AD3 | |
| Source: | Code function: | 8_2_02C47EDD | |
| Source: | Code function: | 8_2_02C3A8E8 | |
| Source: | Code function: | 8_2_02C3BEF5 | |
| Source: | Code function: | 8_2_02C520F8 | |
| Source: | Code function: | 8_2_02C3E6FD | |
| Source: | Code function: | 8_2_02C33085 | |
| Source: | Code function: | 8_2_02C3C69B | |
| Source: | Code function: | 8_2_02C3F699 | |
| Source: | Code function: | 8_2_02C3D899 | |
| Source: | Code function: | 8_2_02C404A4 | |
| Source: | Code function: | 8_2_02C3F4A5 | |
| Source: | Code function: | 8_2_02C456A9 | |
| Source: | Code function: | 8_2_02C368AD | |
| Source: | Code function: | 8_2_02C43ABE | |
| Source: | Code function: | 8_2_02C3AEB9 | |
| Source: | Code function: | 8_2_02C4B0BA | |
| Source: | Code function: | 8_2_02C4604E | |
| Source: | Code function: | 8_2_02C4645F | |
| Source: | Code function: | 8_2_02C50C66 | |
| Source: | Code function: | 8_2_02C51C71 | |
| Source: | Code function: | 8_2_02C4E478 | |
| Source: | Code function: | 8_2_02C3F20D | |
| Source: | Code function: | 8_2_02C52C16 | |
| Source: | Code function: | 8_2_02C41C12 | |
| Source: | Code function: | 8_2_02C4BA18 | |
| Source: | Code function: | 8_2_02C40824 | |
| Source: | Code function: | 8_2_02C40A37 | |
| Source: | Code function: | 8_2_02C33E3B | |
| Source: | Code function: | 8_2_02C4CC3F | |
| Source: | Code function: | 8_2_02C35DC3 | |
| Source: | Code function: | 8_2_02C339C3 | |
| Source: | Code function: | 8_2_02C44DC5 | |
| Source: | Code function: | 8_2_02C40FC5 | |
| Source: | Code function: | 8_2_02C32DC5 | |
| Source: | Code function: | 8_2_02C4E7DA | |
| Source: | Code function: | 8_2_02C489DA | |
| Source: | Code function: | 8_2_02C413DB | |
| Source: | Code function: | 8_2_02C535E3 | |
| Source: | Code function: | 8_2_02C3FBEF | |
| Source: | Code function: | 8_2_02C3B7EC | |
| Source: | Code function: | 8_2_02C491F7 | |
| Source: | Code function: | 8_2_02C31DF9 | |
| Source: | Code function: | 8_2_02C4D5FE | |
| Source: | Code function: | 8_2_02C36BFE | |
| Source: | Code function: | 8_2_02C51987 | |
| Source: | Code function: | 8_2_02C37D87 | |
| Source: | Code function: | 8_2_02C3F984 | |
| Source: | Code function: | 8_2_02C3938F | |
| Source: | Code function: | 8_2_02C477A7 | |
| Source: | Code function: | 8_2_02C4BFA1 | |
| Source: | Code function: | 8_2_02C333A9 | |
| Source: | Code function: | 8_2_02C34F42 | |
| Source: | Code function: | 8_2_02C4C145 | |
| Source: | Code function: | 8_2_02C52D4F | |
| Source: | Code function: | 8_2_02C5314A | |
| Source: | Code function: | 8_2_02C38D59 | |
| Source: | Code function: | 8_2_02C3635F | |
| Source: | Code function: | 8_2_02C4F561 | |
| Source: | Code function: | 8_2_02C35166 | |
| Source: | Code function: | 8_2_02C3DD66 | |
| Source: | Code function: | 8_2_02C52560 | |
| Source: | Code function: | 8_2_02C39565 | |
| Source: | Code function: | 8_2_02C3196D | |
| Source: | Code function: | 8_2_02C3996C | |
| Source: | Code function: | 8_2_02C32176 | |
| Source: | Code function: | 8_2_02C4C772 | |
| Source: | Code function: | 8_2_02C32575 | |
| Source: | Code function: | 8_2_02C45B7C | |
| Source: | Code function: | 8_2_02C3597D | |
| Source: | Code function: | 8_2_02C32B7C | |
| Source: | Code function: | 8_2_02C53306 | |
| Source: | Code function: | 8_2_02C4710D | |
| Source: | Code function: | 8_2_02C4D10B | |
| Source: | Code function: | 8_2_02C38112 | |
| Source: | Code function: | 8_2_02C34716 | |
| Source: | Code function: | 8_2_02C35314 | |
| Source: | Code function: | 8_2_02C48518 | |
| Source: | Code function: | 8_2_02C36125 | |
| Source: | Code function: | 8_2_02C4CF2C | |
| Source: | Code function: | 8_2_02C3B12E | |
| Source: | Code function: | 8_2_02C43130 | |
| Source: | Code function: | 8_2_02C3E336 | |
| Source: | Code function: | 8_2_02C37739 | |
| Source: | Code function: | 8_2_02C4473A | |
| Source: | Code function: | 9_2_006C06EF | |
| Source: | Code function: | 9_2_006BED95 | |
| Source: | Code function: | 9_2_006C0C66 | |
| Source: | Code function: | 9_2_006BE478 | |
| Source: | Code function: | 9_2_006C1C71 | |
| Source: | Code function: | 9_2_006B604E | |
| Source: | Code function: | 9_2_006B645F | |
| Source: | Code function: | 9_2_006B0824 | |
| Source: | Code function: | 9_2_006A3E3B | |
| Source: | Code function: | 9_2_006BCC3F | |
| Source: | Code function: | 9_2_006B0A37 | |
| Source: | Code function: | 9_2_006AF20D | |
| Source: | Code function: | 9_2_006BBA18 | |
| Source: | Code function: | 9_2_006B1C12 | |
| Source: | Code function: | 9_2_006C2C16 | |
| Source: | Code function: | 9_2_006AA8E8 | |
| Source: | Code function: | 9_2_006C20F8 | |
| Source: | Code function: | 9_2_006AE6FD | |
| Source: | Code function: | 9_2_006ABEF5 | |
| Source: | Code function: | 9_2_006A54C0 | |
| Source: | Code function: | 9_2_006B7EDD | |
| Source: | Code function: | 9_2_006C0AD3 | |
| Source: | Code function: | 9_2_006B56A9 | |
| Source: | Code function: | 9_2_006A68AD | |
| Source: | Code function: | 9_2_006B04A4 | |
| Source: | Code function: | 9_2_006AF4A5 | |
| Source: | Code function: | 9_2_006BB0BA | |
| Source: | Code function: | 9_2_006AAEB9 | |
| Source: | Code function: | 9_2_006B3ABE | |
| Source: | Code function: | 9_2_006A3085 | |
| Source: | Code function: | 9_2_006AC69B | |
| Source: | Code function: | 9_2_006AF699 | |
| Source: | Code function: | 9_2_006AD899 | |
| Source: | Code function: | 9_2_006A996C | |
| Source: | Code function: | 9_2_006A196D | |
| Source: | Code function: | 9_2_006BF561 | |
| Source: | Code function: | 9_2_006A5166 | |
| Source: | Code function: | 9_2_006ADD66 | |
| Source: | Code function: | 9_2_006C2560 | |
| Source: | Code function: | 9_2_006A9565 | |
| Source: | Code function: | 9_2_006A2B7C | |
| Source: | Code function: | 9_2_006B5B7C | |
| Source: | Code function: | 9_2_006A597D | |
| Source: | Code function: | 9_2_006BC772 | |
| Source: | Code function: | 9_2_006A2176 | |
| Source: | Code function: | 9_2_006A2575 | |
| Source: | Code function: | 9_2_006C2D4F | |
| Source: | Code function: | 9_2_006C314A | |
| Source: | Code function: | 9_2_006A4F42 | |
| Source: | Code function: | 9_2_006BC145 | |
| Source: | Code function: | 9_2_006A8D59 | |
| Source: | Code function: | 9_2_006A635F | |
| Source: | Code function: | 9_2_006AB12E | |
| Source: | Code function: | 9_2_006BCF2C | |
| Source: | Code function: | 9_2_006A6125 | |
| Source: | Code function: | 9_2_006B473A | |
| Source: | Code function: | 9_2_006A7739 | |
| Source: | Code function: | 9_2_006B3130 | |
| Source: | Code function: | 9_2_006AE336 | |
| Source: | Code function: | 9_2_006BD10B | |
| Source: | Code function: | 9_2_006B710D | |
| Source: | Code function: | 9_2_006C3306 | |
| Source: | Code function: | 9_2_006B8518 | |
| Source: | Code function: | 9_2_006A8112 | |
| Source: | Code function: | 9_2_006A4716 | |
| Source: | Code function: | 9_2_006A5314 | |
| Source: | Code function: | 9_2_006AFBEF | |
| Source: | Code function: | 9_2_006AB7EC | |
| Source: | Code function: | 9_2_006C35E3 | |
| Source: | Code function: | 9_2_006A1DF9 | |
| Source: | Code function: | 9_2_006A6BFE | |
| Source: | Code function: | 9_2_006BD5FE | |
| Source: | Code function: | 9_2_006B91F7 | |
| Source: | Code function: | 9_2_006A5DC3 | |
| Source: | Code function: | 9_2_006A39C3 | |
| Source: | Code function: | 9_2_006B4DC5 | |
| Source: | Code function: | 9_2_006B0FC5 | |
| Source: | Code function: | 9_2_006A2DC5 | |
| Source: | Code function: | 9_2_006B13DB | |
| Source: | Code function: | 9_2_006BE7DA | |
| Source: | Code function: | 9_2_006B89DA | |
| Source: | Code function: | 9_2_006A33A9 | |
| Source: | Code function: | 9_2_006BBFA1 | |
| Source: | Code function: | 9_2_006B77A7 | |
| Source: | Code function: | 9_2_006A938F | |
| Source: | Code function: | 9_2_006C1987 | |
| Source: | Code function: | 9_2_006A7D87 | |
| Source: | Code function: | 9_2_006AF984 | |
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Classification label: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 1_2_6EC09166 | |
| Source: | Code function: | 4_2_02F21527 | |
| Source: | Code function: | 4_2_02F21527 | |
| Source: | Code function: | 4_2_6EC09166 | |
| Source: | Code function: | 8_2_02C31527 | |
| Source: | Code function: | 8_2_02C31527 | |
| Source: | Code function: | 9_2_006A1527 | |
| Source: | Code function: | 9_2_006A1527 | |
| Source: | Code function: | 1_2_6EBEE4E0 | |
| Source: | PE file moved: | Jump to behavior | ||
Hooking and other Techniques for Hiding and Protection: | |
|---|
| Hides that the sample has been downloaded from the Internet (zone.identifier) | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Last function: | ||
| Source: | Code function: | 1_2_6EC02FE7 | |
| Source: | Code function: | 4_2_6EC02FE7 | |
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 1_2_6EC029E6 | |
| Source: | Code function: | 1_2_6EBEE4E0 | |
| Source: | Code function: | 1_2_6EBE1290 | |
| Source: | Code function: | 1_2_6EBFC050 | |
| Source: | Code function: | 1_2_6EBFBFE0 | |
| Source: | Code function: | 1_2_6EBFBFE0 | |
| Source: | Code function: | 1_2_6EC012CB | |
| Source: | Code function: | 1_2_6EC0298C | |
| Source: | Code function: | 4_2_02F34315 | |
| Source: | Code function: | 4_2_6EBFC050 | |
| Source: | Code function: | 4_2_6EBFBFE0 | |
| Source: | Code function: | 4_2_6EBFBFE0 | |
| Source: | Code function: | 4_2_6EC012CB | |
| Source: | Code function: | 4_2_6EC0298C | |
| Source: | Code function: | 8_2_02C44315 | |
| Source: | Code function: | 9_2_006B4315 | |
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Code function: | 1_2_6EBFCB22 | |
| Source: | Code function: | 1_2_6EC029E6 | |
| Source: | Code function: | 1_2_6EBFD1CC | |
| Source: | Code function: | 4_2_6EBFCB22 | |
| Source: | Code function: | 4_2_6EC029E6 | |
| Source: | Code function: | 4_2_6EBFD1CC | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 1_2_6EBFCC44 | |
| Source: | Code function: | 1_2_6EBFCE15 | |
Lowering of HIPS / PFW / Operating System Security Settings: | |
|---|
| Changes security center settings (notifications, updates, antivirus, firewall) | Show sources | ||
| Source: | Key value created or modified: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
Stealing of Sensitive Information: | |
|---|
| Yara detected Emotet | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Mitre Att&ck Matrix |
|---|
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation1 | Path Interception | Process Injection12 | Masquerading21 | OS Credential Dumping | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Native API1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | Query Registry1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion1 | Security Account Manager | Security Software Discovery51 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection12 | NTDS | Virtualization/Sandbox Evasion1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Process Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories1 | Cached Domain Credentials | File and Directory Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information2 | DCSync | System Information Discovery13 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Rundll321 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
| Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | File Deletion1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
Behavior Graph |
|---|
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetScreenshots |
|---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
|---|
Initial Sample |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 18% | Virustotal | Browse | ||
| 26% | ReversingLabs | Win32.Trojan.Midie |
Dropped Files |
|---|
| No Antivirus matches |
|---|
Unpacked PE Files |
|---|
| Source | Detection | Scanner | Label | Link | Download |
|---|---|---|---|---|---|
| 100% | Avira | HEUR/AGEN.1110387 | Download File | ||
| 100% | Avira | HEUR/AGEN.1110387 | Download File | ||
| 100% | Avira | HEUR/AGEN.1110387 | Download File | ||
| 100% | Avira | HEUR/AGEN.1110387 | Download File | ||
| 100% | Avira | HEUR/AGEN.1110387 | Download File | ||
| 100% | Avira | HEUR/AGEN.1110387 | Download File | ||
| 100% | Avira | HEUR/AGEN.1110387 | Download File | ||
| 100% | Avira | HEUR/AGEN.1110387 | Download File |
Domains |
|---|
| No Antivirus matches |
|---|
URLs |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe |
Domains and IPs |
|---|
Contacted Domains |
|---|
| No contacted domains info |
|---|
URLs from Memory and Binaries |
|---|
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high |
Contacted IPs |
|---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
|---|
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 195.154.133.20 | unknown | France | 12876 | OnlineSASFR | true | |
| 212.237.17.99 | unknown | Italy | 31034 | ARUBA-ASNIT | true | |
| 110.232.117.186 | unknown | Australia | 56038 | RACKCORP-APRackCorpAU | true | |
| 104.245.52.73 | unknown | United States | 63251 | METRO-WIRELESSUS | true | |
| 138.185.72.26 | unknown | Brazil | 264343 | EmpasoftLtdaMeBR | true | |
| 81.0.236.90 | unknown | Czech Republic | 15685 | CASABLANCA-ASInternetCollocationProviderCZ | true | |
| 45.118.115.99 | unknown | Indonesia | 131717 | IDNIC-CIFO-AS-IDPTCitraJelajahInformatikaID | true | |
| 103.75.201.2 | unknown | Thailand | 133496 | CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH | true | |
| 216.158.226.206 | unknown | United States | 19318 | IS-AS-1US | true | |
| 107.182.225.142 | unknown | United States | 32780 | HOSTINGSERVICES-INCUS | true | |
| 45.118.135.203 | unknown | Japan | 63949 | LINODE-APLinodeLLCUS | true | |
| 50.116.54.215 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true | |
| 51.68.175.8 | unknown | France | 16276 | OVHFR | true | |
| 103.8.26.102 | unknown | Malaysia | 132241 | SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY | true | |
| 46.55.222.11 | unknown | Bulgaria | 34841 | BALCHIKNETBG | true | |
| 41.76.108.46 | unknown | South Africa | 327979 | DIAMATRIXZA | true | |
| 103.8.26.103 | unknown | Malaysia | 132241 | SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY | true | |
| 178.79.147.66 | unknown | United Kingdom | 63949 | LINODE-APLinodeLLCUS | true | |
| 212.237.5.209 | unknown | Italy | 31034 | ARUBA-ASNIT | true | |
| 176.104.106.96 | unknown | Serbia | 198371 | NINETRS | true | |
| 207.38.84.195 | unknown | United States | 30083 | AS-30083-GO-DADDY-COM-LLCUS | true | |
| 212.237.56.116 | unknown | Italy | 31034 | ARUBA-ASNIT | true | |
| 45.142.114.231 | unknown | Germany | 44066 | DE-FIRSTCOLOwwwfirst-colonetDE | true | |
| 203.114.109.124 | unknown | Thailand | 131293 | TOT-LLI-AS-APTOTPublicCompanyLimitedTH | true | |
| 210.57.217.132 | unknown | Indonesia | 38142 | UNAIR-AS-IDUniversitasAirlanggaID | true | |
| 58.227.42.236 | unknown | Korea Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | true | |
| 185.184.25.237 | unknown | Turkey | 209711 | MUVHOSTTR | true | |
| 158.69.222.101 | unknown | Canada | 16276 | OVHFR | true | |
| 104.251.214.46 | unknown | United States | 54540 | INCERO-HVVCUS | true |
Private |
|---|
| IP |
|---|
| 192.168.2.1 |
General Information |
|---|
| Joe Sandbox Version: | 34.0.0 Boulder Opal |
| Analysis ID: | 532048 |
| Start date: | 01.12.2021 |
| Start time: | 17:28:01 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 11m 2s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Sample file name: | 2gyA5uNl6VPQUA.dll |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Run name: | Run with higher sleep bypass |
| Number of analysed new started processes analysed: | 22 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Detection: | MAL |
| Classification: | mal76.troj.evad.winDLL@35/8@0/30 |
| EGA Information: | Failed |
| HDC Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
| Warnings: | Show All
|
Simulations |
|---|
Behavior and APIs |
|---|
| Time | Type | Description |
|---|---|---|
| 17:30:29 | API Interceptor |
Joe Sandbox View / Context |
|---|
IPs |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| 195.154.133.20 | Get hash | malicious | Browse | ||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| 212.237.17.99 | Get hash | malicious | Browse | ||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse |
Domains |
|---|
| No context |
|---|
ASN |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| ARUBA-ASNIT | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| OnlineSASFR | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
JA3 Fingerprints |
|---|
| No context |
|---|
Dropped Files |
|---|
| No context |
|---|
Created / dropped Files |
|---|
| Process: | C:\Windows\System32\svchost.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.11007315410389254 |
| Encrypted: | false |
| SSDEEP: | 12:261PjXm/Ey6q9995GNq3qQ10nMCldimE8eawHjcScrf:261Cl68sgLyMCldzE9BHjcd |
| MD5: | F509464584BDE228AC6200E4AAF46791 |
| SHA1: | 910529F0944A946D8A04101F68A7974FFC21AA2C |
| SHA-256: | 1EF2E59D09B4C131FA935931AEDF926EABA1A22C4BE340B643697D690FB22982 |
| SHA-512: | 2BC237F4E2FDB86A44478B6D9311150E7685E60BEA2620743E8E6C4A004ED20B38544D1676354EC7280B77BB20F69B66DD31F2EB2B7DFC4C3F93BA45BF7F6201 |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Windows\System32\svchost.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.1127203686131934 |
| Encrypted: | false |
| SSDEEP: | 12:80jXm/Ey6q9995c1miM3qQ10nMCldimE8eawHza1miINtCP:8xl68K1tMLyMCldzE9BHza1tIri |
| MD5: | 3E1816AC72E02624CA0A277C24E5AFCD |
| SHA1: | 0BC7E702D5E870AE4365D3BFAD3F28B107F0F1AE |
| SHA-256: | C8CF94490DF4D5F9310AAFFF0D788A63DD6FD1E56A8EF5990057A8041FB283AD |
| SHA-512: | 91AD8BC73D1B764707229A5FFF5CECABBBB915632CF65402E68147F58ADECEADEB030B10407419A8875AB7039AED56F395F5923739F5CC7B00979C265CD0E6E9 |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Windows\System32\svchost.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.11264702181093222 |
| Encrypted: | false |
| SSDEEP: | 12:8YjXm/Ey6q9995c1mK2P3qQ10nMCldimE8eawHza1mK0ssP:8Nl68K1iPLyMCldzE9BHza18 |
| MD5: | 0BD3A781A3DED6D0FDFBD5E332077DDE |
| SHA1: | 0D810BF920322816C05D5C666A777928490EC26B |
| SHA-256: | CA36BDFD0B937952C0839CC0EB8D030628EFA7D59F5E48C731B9B0B20D5923F6 |
| SHA-512: | 0B76F7304E044501254180F259C23B5E9F410150F6468574029D757FB2E845F1E98C8FA25D3B991CD4276718BDC010BA1AB60FB6603DC1FA051B048DB90F3D94 |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Windows\System32\svchost.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.11007315410389254 |
| Encrypted: | false |
| SSDEEP: | 12:261PjXm/Ey6q9995GNq3qQ10nMCldimE8eawHjcScrf:261Cl68sgLyMCldzE9BHjcd |
| MD5: | F509464584BDE228AC6200E4AAF46791 |
| SHA1: | 910529F0944A946D8A04101F68A7974FFC21AA2C |
| SHA-256: | 1EF2E59D09B4C131FA935931AEDF926EABA1A22C4BE340B643697D690FB22982 |
| SHA-512: | 2BC237F4E2FDB86A44478B6D9311150E7685E60BEA2620743E8E6C4A004ED20B38544D1676354EC7280B77BB20F69B66DD31F2EB2B7DFC4C3F93BA45BF7F6201 |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Windows\System32\svchost.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.1127203686131934 |
| Encrypted: | false |
| SSDEEP: | 12:80jXm/Ey6q9995c1miM3qQ10nMCldimE8eawHza1miINtCP:8xl68K1tMLyMCldzE9BHza1tIri |
| MD5: | 3E1816AC72E02624CA0A277C24E5AFCD |
| SHA1: | 0BC7E702D5E870AE4365D3BFAD3F28B107F0F1AE |
| SHA-256: | C8CF94490DF4D5F9310AAFFF0D788A63DD6FD1E56A8EF5990057A8041FB283AD |
| SHA-512: | 91AD8BC73D1B764707229A5FFF5CECABBBB915632CF65402E68147F58ADECEADEB030B10407419A8875AB7039AED56F395F5923739F5CC7B00979C265CD0E6E9 |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Windows\System32\svchost.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.11264702181093222 |
| Encrypted: | false |
| SSDEEP: | 12:8YjXm/Ey6q9995c1mK2P3qQ10nMCldimE8eawHza1mK0ssP:8Nl68K1iPLyMCldzE9BHza18 |
| MD5: | 0BD3A781A3DED6D0FDFBD5E332077DDE |
| SHA1: | 0D810BF920322816C05D5C666A777928490EC26B |
| SHA-256: | CA36BDFD0B937952C0839CC0EB8D030628EFA7D59F5E48C731B9B0B20D5923F6 |
| SHA-512: | 0B76F7304E044501254180F259C23B5E9F410150F6468574029D757FB2E845F1E98C8FA25D3B991CD4276718BDC010BA1AB60FB6603DC1FA051B048DB90F3D94 |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Program Files\Windows Defender\MpCmdRun.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 9062 |
| Entropy (8bit): | 3.1617821983611605 |
| Encrypted: | false |
| SSDEEP: | 192:cY+38+DJl+ibJ6+ioJJ+i3N+WtT+E9tD+Ett3d+E3zk+R:j+s+v+b+P+m+0+Q+q+T+R |
| MD5: | 1F848228A9E566D1A67D38C8FE9B378F |
| SHA1: | E75E77DD3FFD300A3379CF5EADEA0262D9E49DDD |
| SHA-256: | A9A59EC953B5242D3AC70E1336D94242065298DA0DB24DDF043F866FE0D12DAE |
| SHA-512: | D0DAA3E313E3C56C1F349B68859881E2BA15DBCA942BEE8CF919C2C02714128CF20689EF5A31045CC0AC5FF1E1603A419EED16BFC5912750B7A046C91BCA33FB |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Windows\System32\svchost.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 12288 |
| Entropy (8bit): | 3.7907703522626073 |
| Encrypted: | false |
| SSDEEP: | 96:4CAMbAwo+lE5uI9c2YkUCp0I2lShhk/S4ZAT2BYFzOUMC0rJReC8l5hbMCWl5IbZ:Lxe7/p2wvn2COkaCiC1CYC9MCo |
| MD5: | 5621673E95B1159150EC48C66E1CE423 |
| SHA1: | D345CDE13248322172A7B2D4C5A3E79E25C801A3 |
| SHA-256: | A1F0EA666036D07976C3C831D6B406CBCE55E944C2C04A13ABB11A75FE1BFC7C |
| SHA-512: | 81471CDDFFC812FFA0EFB6F96ADF1433865B50E522D8771F0FB837998AF00A1AC2F0356E83FCD3F3C29DF30A6457D5EBF9F91471A6B3CC99B33A616947963913 |
| Malicious: | false |
| Preview: |
|
Static File Info |
|---|
General | |
|---|---|
| File type: | |
| Entropy (8bit): | 6.970960867517191 |
| TrID: |
|
| File name: | 2gyA5uNl6VPQUA.dll |
| File size: | 387072 |
| MD5: | 5e20cb3466b66a9cdeac1ac74d9862e4 |
| SHA1: | 28ef4facb366de1fc7da62b975c8967997527c36 |
| SHA256: | 208939e34f46846c7c95383c6fea7813038b4dea87ea3819c157ccfbbf8aa09a |
| SHA512: | 594039a003ac0c22a0a91c219c5cf50520994ead32f02efcfd8d79e57313c8ae041376fd0c3dcdfadf0472bee87363b28242a1d677e29cecb69127411fc6e722 |
| SSDEEP: | 6144:zBYrPMTsY8GR3j4fubnY6Zs/Bv6yM6aSTsfA2qL6jpXNcc6CEteuQJPIgtlpZ5L:yhmT4GbnYks/BJNWo2LjpScDEteuOIoZ |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0...Q...Q...Q..E#...Q..E#...Q..E#...Q../$...Q...$...Q...$...Q...$...Q..E#...Q...Q...Q...Q...Q../$...Q../$...Q..Rich.Q......... |
File Icon |
|---|
 | |
| Icon Hash: | 74f0e4ecccdce0e4 |
Static PE Info |
|---|
General | |
|---|---|
| Entrypoint: | 0x1001cac1 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x10000000 |
| Subsystem: | windows gui |
| Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT |
| Time Stamp: | 0x61A73B52 [Wed Dec 1 09:07:30 2021 UTC] |
| TLS Callbacks: | 0x1000c340 |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 609402ef170a35cc0e660d7d95ac10ce |
Entrypoint Preview |
|---|
| Instruction |
|---|
| push ebp |
| mov ebp, esp |
| cmp dword ptr [ebp+0Ch], 01h |
| jne 00007F7858DE2667h |
| call 00007F7858DE29F8h |
| push dword ptr [ebp+10h] |
| push dword ptr [ebp+0Ch] |
| push dword ptr [ebp+08h] |
| call 00007F7858DE2513h |
| add esp, 0Ch |
| pop ebp |
| retn 000Ch |
| push ebp |
| mov ebp, esp |
| push dword ptr [ebp+08h] |
| call 00007F7858DE2F0Eh |
| pop ecx |
| pop ebp |
| ret |
| push ebp |
| mov ebp, esp |
| jmp 00007F7858DE266Fh |
| push dword ptr [ebp+08h] |
| call 00007F7858DE69F4h |
| pop ecx |
| test eax, eax |
| je 00007F7858DE2671h |
| push dword ptr [ebp+08h] |
| call 00007F7858DE6A70h |
| pop ecx |
| test eax, eax |
| je 00007F7858DE2648h |
| pop ebp |
| ret |
| cmp dword ptr [ebp+08h], FFFFFFFFh |
| je 00007F7858DE2FD3h |
| jmp 00007F7858DE2FB0h |
| push ebp |
| mov ebp, esp |
| push 00000000h |
| call dword ptr [1002A08Ch] |
| push dword ptr [ebp+08h] |
| call dword ptr [1002A088h] |
| push C0000409h |
| call dword ptr [1002A040h] |
| push eax |
| call dword ptr [1002A090h] |
| pop ebp |
| ret |
| push ebp |
| mov ebp, esp |
| sub esp, 00000324h |
| push 00000017h |
| call dword ptr [1002A094h] |
| test eax, eax |
| je 00007F7858DE2667h |
| push 00000002h |
| pop ecx |
| int 29h |
| mov dword ptr [1005E278h], eax |
| mov dword ptr [1005E274h], ecx |
| mov dword ptr [1005E270h], edx |
| mov dword ptr [1005E26Ch], ebx |
| mov dword ptr [1005E268h], esi |
| mov dword ptr [1005E264h], edi |
| mov word ptr [eax], es |
Data Directories |
|---|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x5b590 | 0x614 | .rdata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5bba4 | 0x3c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x60000 | 0x1bc0 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x5a1dc | 0x54 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x5a300 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x5a230 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2a000 | 0x154 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
|---|
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x28bb4 | 0x28c00 | False | 0.53924822661 | data | 6.1540438823 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .rdata | 0x2a000 | 0x32362 | 0x32400 | False | 0.817805503731 | data | 7.40645381596 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x5d000 | 0x1ba4 | 0x1200 | False | 0.287109375 | data | 2.60484752417 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .pdata | 0x5f000 | 0x4c4 | 0x600 | False | 0.360677083333 | AmigaOS bitmap font | 2.17228109861 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .reloc | 0x60000 | 0x1bc0 | 0x1c00 | False | 0.7880859375 | data | 6.62631718459 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Imports |
|---|
| DLL | Import |
|---|---|
| KERNEL32.dll | HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetModuleHandleA, GetProcAddress, TlsGetValue, TlsSetValue, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, AcquireSRWLockShared, ReleaseSRWLockShared, SetLastError, GetEnvironmentVariableW, GetLastError, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentThread, RtlCaptureContext, ReleaseMutex, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA, CloseHandle, GetStdHandle, GetConsoleMode, WriteFile, WriteConsoleW, TlsAlloc, GetCommandLineW, CreateFileA, GetTickCount64, CreateFileW, SetFilePointerEx, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RaiseException, RtlUnwind, InterlockedFlushSList, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, GetFileType, GetStringTypeW, HeapSize, SetStdHandle, FlushFileBuffers, GetConsoleOutputCP, DecodePointer |
| USER32.dll | GetDC, ReleaseDC, GetWindowRect |
Exports |
|---|
| Name | Ordinal | Address |
|---|---|---|
| Control_RunDLL | 1 | 0x100010a0 |
| axamexdrqyrgb | 2 | 0x100017b0 |
| bhramccfbdd | 3 | 0x10001690 |
| bptyjtyr | 4 | 0x10001640 |
| bxoqrnuua | 5 | 0x100016c0 |
| cegjceivzmgdcffk | 6 | 0x100014e0 |
| cgxpyqfkocm | 7 | 0x10001480 |
| chjbtsnqmvl | 8 | 0x10001540 |
| crfsijq | 9 | 0x10001730 |
| empxfws | 10 | 0x10001590 |
| fbgcvvbrlowsjsj | 11 | 0x10001550 |
| fjhmprw | 12 | 0x10001660 |
| gfqdajfucnxrv | 13 | 0x10001850 |
| hcloldazhuvj | 14 | 0x10001790 |
| idcumrbybo | 15 | 0x10001500 |
| ihvpwdsfllpvrzy | 16 | 0x10001750 |
| iuzqizpdhxqkmf | 17 | 0x100014c0 |
| jaarlqsruhrwpipt | 18 | 0x100016e0 |
| jndshbhgxdkvvtj | 19 | 0x10001600 |
| jniijdleqsyajeis | 20 | 0x10001650 |
| jtjqgma | 21 | 0x100016f0 |
| kffxtbzhfgbqlu | 22 | 0x10001630 |
| kwxkzdhqe | 23 | 0x100016d0 |
| lidhnvsukgiuabh | 24 | 0x100016b0 |
| ltcrkednwfkup | 25 | 0x10001820 |
| lvrmqgtvhsegpbvmq | 26 | 0x10001770 |
| mxvwvnerswyylp | 27 | 0x10001520 |
| ndlmbjceavqdintmv | 28 | 0x100017d0 |
| nvnriipkwrmxwsu | 29 | 0x10001510 |
| oafxfavxmi | 30 | 0x10001570 |
| ocwutlohg | 31 | 0x100014b0 |
| olcklbdvo | 32 | 0x10001680 |
| pawvqfmiz | 33 | 0x100015e0 |
| pdmomnjmmryopqza | 34 | 0x10001560 |
| plzkvjcbz | 35 | 0x10001710 |
| poasqvltrkgvepng | 36 | 0x10001840 |
| psjoyjhsrkg | 37 | 0x100015b0 |
| qdimtzieldbl | 38 | 0x10001620 |
| qzvngjfyuxpjag | 39 | 0x10001580 |
| relsounb | 40 | 0x100016a0 |
| rykebhcisi | 41 | 0x10001670 |
| snrvgvzpjh | 42 | 0x100017c0 |
| sqnfcfmocgbg | 43 | 0x10001740 |
| sxgllzweihxqxi | 44 | 0x10001760 |
| tgagxhhcfj | 45 | 0x10001780 |
| thjyvtvttwpah | 46 | 0x10001830 |
| uvypobslemtipv | 47 | 0x10001640 |
| vgidwtjsbwpxkdxj | 48 | 0x100017a0 |
| wahhdker | 49 | 0x100014a0 |
| wamqmispvbxt | 50 | 0x100015f0 |
| witvsjavqyw | 51 | 0x10001720 |
| wopabadcwdizvwlgk | 52 | 0x10001490 |
| wpzyecljz | 53 | 0x10001800 |
| wukgfirfwilhu | 54 | 0x100015d0 |
| xntbmrrxs | 55 | 0x100017f0 |
| xsxwxreryufxwuhh | 56 | 0x10001700 |
| xvgdevijtw | 57 | 0x10001610 |
| ydvqidso | 58 | 0x100015c0 |
| yggdjrsewuw | 59 | 0x100015a0 |
| zaeqdmhaky | 60 | 0x100017e0 |
| zakvwkjnk | 61 | 0x10001700 |
| zqbggkzy | 62 | 0x100014f0 |
| zqtdpertk | 63 | 0x100014d0 |
| zshfybkvzv | 64 | 0x10001810 |
| zxxopqyvfoesyhmup | 65 | 0x10001530 |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library NodeNetwork Behavior |
|---|
| No network behavior found |
|---|
Code Manipulations |
|---|
Statistics |
|---|
CPU Usage |
|---|
Click to jump to process
Memory Usage |
|---|
Click to jump to process
Behavior |
|---|
Click to jump to process
System Behavior |
|---|
General |
|---|
| Start time: | 17:28:54 |
| Start date: | 01/12/2021 |
| Path: | C:\Windows\System32\svchost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff70d6e0000 |
| File size: | 51288 bytes |
| MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
| Has elevated privileges: | true |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 17:28:55 |
| Start date: | 01/12/2021 |
| Path: | C:\Windows\System32\loaddll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xcf0000 |
| File size: | 893440 bytes |
| MD5 hash: | 72FCD8FB0ADC38ED9050569AD673650E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | high |
General |
|---|
| Start time: | 17:28:55 |
| Start date: | 01/12/2021 |
| Path: | C:\Windows\System32\svchost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff70d6e0000 |
| File size: | 51288 bytes |
| MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
| Has elevated privileges: | true |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 17:28:55 |
| Start date: | 01/12/2021 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xd80000 |
| File size: | 232960 bytes |
| MD5 hash: | F3BDBE3BB6F734E357235F4D5898582D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 17:28:55 |
| Start date: | 01/12/2021 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x8a0000 |
| File size: | 61952 bytes |
| MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | high |
General |
|---|
| Start time: | 17:28:55 |
| Start date: | 01/12/2021 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x8a0000 |
| File size: | 61952 bytes |
| MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | high |
General |
|---|
| Start time: | 17:28:55 |
| Start date: | 01/12/2021 |
| Path: | C:\Windows\System32\SgrmBroker.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7e4d60000 |
| File size: | 163336 bytes |
| MD5 hash: | D3170A3F3A9626597EEE1888686E3EA6 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 17:28:56 |
| Start date: | 01/12/2021 |
| Path: | C:\Windows\System32\svchost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff70d6e0000 |
| File size: | 51288 bytes |
| MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 17:29:00 |
| Start date: | 01/12/2021 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x8a0000 |
| File size: | 61952 bytes |
| MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | high |
General |
|---|
| Start time: | 17:29:07 |
| Start date: | 01/12/2021 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x8a0000 |
| File size: | 61952 bytes |
| MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | high |
General |
|---|
| Start time: | 17:29:09 |
| Start date: | 01/12/2021 |
| Path: | C:\Windows\System32\svchost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff70d6e0000 |
| File size: | 51288 bytes |
| MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
| Has elevated privileges: | true |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
General |
|---|
| Start time: | 17:30:23 |
| Start date: | 01/12/2021 |
| Path: | C:\Program Files\Windows Defender\MpCmdRun.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7702f0000 |
| File size: | 455656 bytes |
| MD5 hash: | A267555174BFA53844371226F482B86B |
| Has elevated privileges: | true |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
General |
|---|
| Start time: | 17:30:26 |
| Start date: | 01/12/2021 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7f20f0000 |
| File size: | 625664 bytes |
| MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
| Has elevated privileges: | true |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
General |
|---|
| Start time: | 17:31:00 |
| Start date: | 01/12/2021 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x8a0000 |
| File size: | 61952 bytes |
| MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
General |
|---|
| Start time: | 17:31:11 |
| Start date: | 01/12/2021 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x8a0000 |
| File size: | 61952 bytes |
| MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
General |
|---|
| Start time: | 17:31:16 |
| Start date: | 01/12/2021 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x8a0000 |
| File size: | 61952 bytes |
| MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
General |
|---|
| Start time: | 17:31:20 |
| Start date: | 01/12/2021 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x8a0000 |
| File size: | 61952 bytes |
| MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
General |
|---|
| Start time: | 17:31:20 |
| Start date: | 01/12/2021 |
| Path: | C:\Windows\System32\svchost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff70d6e0000 |
| File size: | 51288 bytes |
| MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
General |
|---|
| Start time: | 17:31:21 |
| Start date: | 01/12/2021 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x270000 |
| File size: | 434592 bytes |
| MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
General |
|---|
| Start time: | 17:31:33 |
| Start date: | 01/12/2021 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x270000 |
| File size: | 434592 bytes |
| MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
Disassembly |
|---|
Code Analysis |
|---|
Executed Functions |
|---|
Function 6EBFC050, Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 394filememoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBFC8DB, Relevance: 10.6, APIs: 7, Instructions: 136COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBFC98B, Relevance: 7.6, APIs: 5, Instructions: 87COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBEC2A0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBEC320, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EC04161, Relevance: 6.1, APIs: 4, Instructions: 74COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBFC7D4, Relevance: 3.1, APIs: 2, Instructions: 76COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EC0475C, Relevance: 3.1, APIs: 2, Instructions: 65COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBFF3B1, Relevance: 1.5, APIs: 1, Instructions: 27COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EC01C23, Relevance: 1.5, APIs: 1, Instructions: 23COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EC02C26, Relevance: 1.3, APIs: 1, Instructions: 39memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EC022E9, Relevance: 1.3, APIs: 1, Instructions: 32memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EC0228A, Relevance: 1.3, APIs: 1, Instructions: 9COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Function 6EBED380, Relevance: 26.7, APIs: 14, Strings: 1, Instructions: 445memoryCOMMONCrypto
Download Yara Rule
| C-Code - Quality: 81% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBEE4E0, Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 135libraryloadersynchronizationCOMMON
Download Yara Rule
| C-Code - Quality: 52% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBEE6E0, Relevance: 25.1, APIs: 9, Strings: 5, Instructions: 588libraryloaderCOMMONCrypto
Download Yara Rule
| C-Code - Quality: 52% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 55% |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBE5EA0, Relevance: 10.9, Strings: 8, Instructions: 927COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBFD1CC, Relevance: 6.1, APIs: 4, Instructions: 73COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EC029E6, Relevance: 4.6, APIs: 3, Instructions: 77COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBE9D50, Relevance: 4.0, Strings: 3, Instructions: 233COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBE1C10, Relevance: 2.8, Strings: 2, Instructions: 317COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBE66E0, Relevance: 2.8, Strings: 2, Instructions: 252COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EC00A61, Relevance: 1.8, APIs: 1, Instructions: 274COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBFCC44, Relevance: 1.6, APIs: 1, Instructions: 144COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EC02FE7, Relevance: 1.6, APIs: 1, Instructions: 140COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBF0F10, Relevance: 1.6, Strings: 1, Instructions: 365COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBE38C0, Relevance: .5, Instructions: 489COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBFBFE0, Relevance: .0, Instructions: 37COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EC0298C, Relevance: .0, Instructions: 22COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EC012CB, Relevance: .0, Instructions: 12COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBEDD30, Relevance: 42.5, APIs: 19, Strings: 5, Instructions: 451memorylibraryloaderCOMMON
Download Yara Rule
| C-Code - Quality: 74% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBEC700, Relevance: 32.0, APIs: 14, Strings: 4, Instructions: 477memoryCOMMON
Download Yara Rule
| C-Code - Quality: 69% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBEC6D0, Relevance: 24.9, APIs: 12, Strings: 2, Instructions: 409memoryCOMMON
Download Yara Rule
| C-Code - Quality: 64% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 64% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBEC340, Relevance: 12.6, APIs: 10, Instructions: 125COMMON
Download Yara Rule
| C-Code - Quality: 58% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBF1BF0, Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 212fileCOMMON
Download Yara Rule
| C-Code - Quality: 59% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBEC4D0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 95memoryCOMMON
Download Yara Rule
| C-Code - Quality: 45% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBE10A0, Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 141memoryCOMMON
Download Yara Rule
| C-Code - Quality: 74% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBF2960, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBFF3BF, Relevance: 9.1, APIs: 6, Instructions: 60COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBFBE60, Relevance: 9.0, APIs: 6, Instructions: 50COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBED000, Relevance: 8.8, APIs: 7, Instructions: 85memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EC012ED, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBEC280, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBEC2E0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBEC2C0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBEC260, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBEC300, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EC06749, Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBF2470, Relevance: 6.2, APIs: 4, Instructions: 215COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBFF49F, Relevance: 6.2, APIs: 4, Instructions: 168COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EC02D87, Relevance: 6.1, APIs: 4, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EC07EA6, Relevance: 6.0, APIs: 4, Instructions: 29COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Executed Functions |
|---|
Function 6EBFC050, Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 394filememoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBFC8DB, Relevance: 10.6, APIs: 7, Instructions: 136COMMON
Download Yara Rule
| C-Code - Quality: 87% |
|
| APIs |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBFC98B, Relevance: 7.6, APIs: 5, Instructions: 87COMMON
Download Yara Rule
| C-Code - Quality: 89% |
|
| APIs |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBEC2A0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBEC320, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EC04161, Relevance: 6.1, APIs: 4, Instructions: 74COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02F39100, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74processCOMMON
Download Yara Rule
| C-Code - Quality: 41% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 58% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02F2C38F, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56serviceCOMMON
Download Yara Rule
| C-Code - Quality: 83% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02F34CFD, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55memoryCOMMON
Download Yara Rule
| C-Code - Quality: 74% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02F255C0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54fileCOMMON
Download Yara Rule
| C-Code - Quality: 90% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02F27C11, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44libraryCOMMON
Download Yara Rule
| C-Code - Quality: 80% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBFC7D4, Relevance: 3.1, APIs: 2, Instructions: 76COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02F30207, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 70stringCOMMON
Download Yara Rule
| C-Code - Quality: 70% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02F32D06, Relevance: 1.6, APIs: 1, Instructions: 74fileCOMMON
Download Yara Rule
| C-Code - Quality: 58% |
|
| APIs |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02F43231, Relevance: 1.6, APIs: 1, Instructions: 63COMMON
Download Yara Rule
| C-Code - Quality: 78% |
|
| APIs |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02F39038, Relevance: 1.6, APIs: 1, Instructions: 58COMMON
Download Yara Rule
| C-Code - Quality: 91% |
|
| APIs |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02F2F3F7, Relevance: 1.5, APIs: 1, Instructions: 43COMMON
Download Yara Rule
| C-Code - Quality: 94% |
|
| APIs |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EC02C26, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EC022E9, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Function 6EBED380, Relevance: 26.7, APIs: 14, Strings: 1, Instructions: 445memoryCOMMONCrypto
Download Yara Rule
| C-Code - Quality: 81% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBE75F4, Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 423COMMONCrypto
Download Yara Rule
| C-Code - Quality: 81% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBFD1CC, Relevance: 6.1, APIs: 4, Instructions: 73COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBEDD30, Relevance: 42.5, APIs: 19, Strings: 5, Instructions: 451memorylibraryloaderCOMMON
Download Yara Rule
| C-Code - Quality: 74% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBEC700, Relevance: 32.0, APIs: 14, Strings: 4, Instructions: 477memoryCOMMON
Download Yara Rule
| C-Code - Quality: 69% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBEE4E0, Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 135libraryloadersynchronizationCOMMON
Download Yara Rule
| C-Code - Quality: 52% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBEC6D0, Relevance: 24.9, APIs: 12, Strings: 2, Instructions: 409memoryCOMMON
Download Yara Rule
| C-Code - Quality: 64% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 64% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBEC340, Relevance: 12.6, APIs: 10, Instructions: 125COMMON
Download Yara Rule
| C-Code - Quality: 58% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBF1BF0, Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 212fileCOMMON
Download Yara Rule
| C-Code - Quality: 78% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBEC4D0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 95memoryCOMMON
Download Yara Rule
| C-Code - Quality: 45% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBE10A0, Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 141memoryCOMMON
Download Yara Rule
| C-Code - Quality: 74% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 64% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBF2960, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111memoryCOMMON
Download Yara Rule
| C-Code - Quality: 56% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBFF3BF, Relevance: 9.1, APIs: 6, Instructions: 60COMMON
Download Yara Rule
| C-Code - Quality: 85% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBFBE60, Relevance: 9.0, APIs: 6, Instructions: 50COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 84% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBED000, Relevance: 8.8, APIs: 7, Instructions: 85memoryCOMMON
Download Yara Rule
| C-Code - Quality: 55% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EC012ED, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON
Download Yara Rule
| C-Code - Quality: 25% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBEC280, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBEC2E0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBEC2C0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBEC260, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBEC300, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EC06749, Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EBFF49F, Relevance: 6.2, APIs: 4, Instructions: 168COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EC02D87, Relevance: 6.1, APIs: 4, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6EC07EA6, Relevance: 6.0, APIs: 4, Instructions: 29COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Executed Functions |
|---|
Function 02C49100, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74processCOMMON
Download Yara Rule
| C-Code - Quality: 41% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02C40207, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 70stringCOMMON
Download Yara Rule
| C-Code - Quality: 70% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02C3F3F7, Relevance: 1.5, APIs: 1, Instructions: 43COMMON
Download Yara Rule
| C-Code - Quality: 94% |
|
| APIs |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Executed Functions |
|---|
Function 006B9100, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74processCOMMON
Download Yara Rule
| C-Code - Quality: 41% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 006B0207, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 70stringCOMMON
Download Yara Rule
| C-Code - Quality: 70% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 006AF3F7, Relevance: 1.5, APIs: 1, Instructions: 43COMMON
Download Yara Rule
| C-Code - Quality: 94% |
|
| APIs |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|