Windows Analysis Report mal.dll
Overview
General Information
Detection
Score: | 80 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Process Tree |
---|
Malware Configuration |
---|
Threatname: Emotet |
---|
{"C2 list": ["46.55.222.11:443", "104.245.52.73:8080", "41.76.108.46:8080", "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "203.114.109.124:443", "45.118.115.99:8080", "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2"]}
Yara Overview |
---|
Memory Dumps |
---|
Rule | Description | Author |
---|---|---|
JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
11 entries in total |
Unpacked PEs |
---|
Rule | Description | Author |
---|---|---|
JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
25 entries in total |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Jbx Signature Overview |
---|
AV Detection: |
---|
Found malware configuration |
Source: | Malware Configuration Extractor: |
Multi AV Scanner detection for submitted file |
Source: | ReversingLabs: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: | 3_2_6EA12FE7 |
Networking: |
---|
C2 URLs / IPs found in malware configuration |
Source: | IPs: |
Source: | ASN Name: |
Source: | IP Address: |
Source: | Network traffic detected: |
Source: | String found in binary or memory: |
E-Banking Fraud: |
---|
Yara detected Emotet |
Source: | File source: |
System Summary: |
---|
Found detection on Joe Sandbox Cloud Basic with higher score |
Source: | Joe Sandbox Cloud Basic: |
Source: | Static PE information: |
Source: | Process created: |
Source: | File deleted: |
Source: | File created: |
Source: | Code function: |
Source: | Process Stats: |
Source: | ReversingLabs: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Process created: |
Source: | Key value queried: |
Source: | File created: |
Source: | Classification label: |
Source: | File read: |
Source: | Process created: |
Source: | Mutant created: |
Source: | File read: |
Source: | Automated click: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: | 3_2_029C1527 |
Source: | Code function: | 3_2_6EA19166 |
Source: | Code function: | 6_2_02C11527 |
Source: | Code function: | 3_2_6E9FE4E0 |
Source: | PE file moved: |
Hooking and other Techniques for Hiding and Protection: |
---|
Hides that the sample has been downloaded from the Internet (zone.identifier) |
Source: | File opened: |
Source: | Process information set: |
Source: | Thread sleep time: |
Source: | File opened: |
Source: | Process information queried: |
Source: | Code function: | 3_2_6EA12FE7 |
Source: | File Volume queried: |
Source: | Binary or memory string: |
Source: | Code function: | 3_2_6EA129E6 |
Source: | Code function: | 3_2_6E9FE4E0 |
Source: | Code function: | 3_2_6E9F1290 |
Source: | Code function: | 3_2_029D4315 |
Source: | Code function: | 3_2_6EA0C050 |
Source: | Code function: | 3_2_6EA0BFE0 |
Source: | Code function: | 3_2_6EA112CB |
Source: | Code function: | 3_2_6EA1298C |
Source: | Code function: | 6_2_02C24315 |
Source: | Process queried: |
Source: | Code function: | 3_2_6EA0CB22 |
Source: | Code function: | 3_2_6EA129E6 |
Source: | Code function: | 3_2_6EA0D1CC |
Source: | Process created: |
Source: | Binary or memory string: |
Source: | Queries volume information: |
Source: | Code function: | 3_2_6EA0CC44 |
Source: | Code function: | 3_2_6EA0CE15 |
Source: | Binary or memory string: |
Stealing of Sensitive Information: |
---|
Yara detected Emotet |
Source: | File source: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Native API1 | Path Interception | Process Injection12 | Masquerading2 | OS Credential Dumping | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion3 | LSASS Memory | Security Software Discovery51 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection12 | Security Account Manager | Virtualization/Sandbox Evasion3 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information1 | NTDS | Process Discovery2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Hidden Files and Directories1 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information2 | Cached Domain Credentials | File and Directory Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Rundll321 | DCSync | System Information Discovery33 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | File Deletion1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label |
---|---|---|---|
mal.dll | 24% | ReversingLabs | Win32.Trojan.Midie |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
Source | Detection | Scanner | Label |
---|---|---|---|
8 unpacked PE files | 100% | Avira | HEUR/AGEN.1110387 |
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label |
---|---|---|---|
| 0% | Avira URL Cloud | safe |
Domains and IPs |
---|
Contacted Domains |
---|
No contacted domains info |
---|
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | low |
| | false | | high |
| | false | | high |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
195.154.133.20 | unknown | France | 12876 | OnlineSASFR | true |
212.237.17.99 | unknown | Italy | 31034 | ARUBA-ASNIT | true |
110.232.117.186 | unknown | Australia | 56038 | RACKCORP-APRackCorpAU | true |
104.245.52.73 | unknown | United States | 63251 | METRO-WIRELESSUS | true |
138.185.72.26 | unknown | Brazil | 264343 | EmpasoftLtdaMeBR | true |
81.0.236.90 | unknown | Czech Republic | 15685 | CASABLANCA-ASInternetCollocationProviderCZ | true |
45.118.115.99 | unknown | Indonesia | 131717 | IDNIC-CIFO-AS-IDPTCitraJelajahInformatikaID | true |
103.75.201.2 | unknown | Thailand | 133496 | CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH | true |
216.158.226.206 | unknown | United States | 19318 | IS-AS-1US | true |
107.182.225.142 | unknown | United States | 32780 | HOSTINGSERVICES-INCUS | true |
45.118.135.203 | unknown | Japan | 63949 | LINODE-APLinodeLLCUS | true |
50.116.54.215 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true |
51.68.175.8 | unknown | France | 16276 | OVHFR | true |
103.8.26.102 | unknown | Malaysia | 132241 | SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY | true |
46.55.222.11 | unknown | Bulgaria | 34841 | BALCHIKNETBG | true |
41.76.108.46 | unknown | South Africa | 327979 | DIAMATRIXZA | true |
103.8.26.103 | unknown | Malaysia | 132241 | SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY | true |
178.79.147.66 | unknown | United Kingdom | 63949 | LINODE-APLinodeLLCUS | true |
212.237.5.209 | unknown | Italy | 31034 | ARUBA-ASNIT | true |
176.104.106.96 | unknown | Serbia | 198371 | NINETRS | true |
207.38.84.195 | unknown | United States | 30083 | AS-30083-GO-DADDY-COM-LLCUS | true |
212.237.56.116 | unknown | Italy | 31034 | ARUBA-ASNIT | true |
45.142.114.231 | unknown | Germany | 44066 | DE-FIRSTCOLOwwwfirst-colonetDE | true |
203.114.109.124 | unknown | Thailand | 131293 | TOT-LLI-AS-APTOTPublicCompanyLimitedTH | true |
210.57.217.132 | unknown | Indonesia | 38142 | UNAIR-AS-IDUniversitasAirlanggaID | true |
58.227.42.236 | unknown | Korea, Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | true |
185.184.25.237 | unknown | Turkey | 209711 | MUVHOSTTR | true |
158.69.222.101 | unknown | Canada | 16276 | OVHFR | true |
104.251.214.46 | unknown | United States | 54540 | INCERO-HVVCUS | true |
Private |
---|
IP |
---|
192.168.2.1 |
127.0.0.1 |
General Information |
---|
Joe Sandbox Version: | 34.0.0 Boulder Opal |
Analysis ID: | 532106 |
Start date: | 01.12.2021 |
Start time: | 18:36:43 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 10m 6s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | mal.dll |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Run name: | Run with higher sleep bypass |
Number of analysed new started processes analysed: | 22 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal80.troj.evad.winDLL@31/18@0/31 |
EGA Information: |
HDC Information: |
HCA Information: |
Cookbook Comments: |
Warnings: |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
18:39:28 | API Interceptor |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
195.154.133.20 | Get hash | malicious | Browse | ||
212.237.17.99 | Get hash | malicious | Browse | ||
Domains |
---|
No context |
---|
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
ARUBA-ASNIT | Get hash | malicious | Browse |
OnlineSASFR | Get hash | malicious | Browse |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1310720 |
Entropy (8bit): | 0.248598563745147 |
Encrypted: | false |
SSDEEP: | 1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU4m:BJiRdwfu2SRU4m |
MD5: | CEAE2DB47CE8C24ED5DADE99415E85A6 |
SHA1: | FE6069BE3FC50906B6D16E1B0467B3E76BACD4EE |
SHA-256: | 11C84C83DB6D353DC2D36623672967040E4AD44FD08A9223095A8BF47B156A5E |
SHA-512: | 73E2367BDF324F372E6FB12A15F195BF41368E8DF23BE450D948F839C87F95B05F25A6F2E9C5E83F6C916CDD19BFB19F4F668BD3C30049FF488923163049FBB3 |
Malicious: | false |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 786432 |
Entropy (8bit): | 0.25066881879413755 |
Encrypted: | false |
SSDEEP: | 384:M+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:TSB2nSB2RSjlK/+mLesOj1J2 |
MD5: | 2B910197B18D4E99EC3FCF8398C7C321 |
SHA1: | 713A0D479C03AC930151338D2C52EC4B0A2111D8 |
SHA-256: | 48A4FD15A60DCE4D772390B1DCCC1FB10B064A93F08DE88A2D9EA6A8C1993266 |
SHA-512: | 7BAB0E1273301135A63288533AD0DD7BA25CC3C446E9CDE4071DB243B1395192985BB82BD15B5EF2BBDF970236904CF2DF82C19FEAB8910966C2B3231BFC457F |
Malicious: | false |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 16384 |
Entropy (8bit): | 0.07713236509382654 |
Encrypted: | false |
SSDEEP: | 3:Q/l1Ev4Cpcw8l/bJdAtiaU4CnEll3Vkttlmlnl:Q/lQ4Cpd8t45U4uM3 |
MD5: | D83879C90B026F0111D4AB358C4B1BC7 |
SHA1: | 8D403DAE39A0CF734E8C68C9B026AD5023CCC895 |
SHA-256: | B7D691FD806FFEBEB5FE84ADAC09B4EA23019E551071A75AB644DB8E3C9D9C78 |
SHA-512: | 7ADBBD19717DFAD92118C5B21985B1CD74E22ACD31B15250C60802D12D9CE536BD01ED730BE1D9F6EEA61DB360D6C53173140C25DE21E2358251B3FC05D88D9E |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.6738757938696471 |
Encrypted: | false |
SSDEEP: | 96:cueJk3ARKgZqyiy9hkoyt7JfapXIQcQ5c6A2cE2cw33+a+z+HbHgOVG4rmMOyWZQ:c4LiB7HnM28jjSq/u7sYS274ItW |
MD5: | 3979C938293636DFE1825F076E48B744 |
SHA1: | 2A0BDCA11089394BFBF79AD5085AEF011B333099 |
SHA-256: | A0C8A7850F565271357535E70DE6FBDF5F924CC5232D411CBB6BE67B80C614DF |
SHA-512: | 36A38DA82660A3F73A7AD611A75A80419E22568BE073062507E08190C1CAF085EB9459A28B1A9218935FA13C3E007662BD32E4D0727D8A5851118234AE94E4EB |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.6780496869404035 |
Encrypted: | false |
SSDEEP: | 96:/YFNUbYfMKgZqyFy9hk1Dg3fWpXIQcQic6fcEKcw3KW+a+z+HbHgOVG4rmMOyWZQ:QPUUfDiBFH8bQ5jSq/u7sYS274ItW |
MD5: | 253E67524E665CED7FCB680D0B15A679 |
SHA1: | 24639CE4E89EBE95A718F39E052B66EE1DB8571E |
SHA-256: | D735AF532B084C095252034F04EA6E719F558707D29D910C1AAC03E4434D78B6 |
SHA-512: | 6C524B0409FF6FEC5A18672AE22713F10264605A27EF509BACAD28FB8858B02B1229CEBE148A46BFCFA83D8F5DD5DDFFFDDC49879E9CF9247F79FBC36B69EC29 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4598 |
Entropy (8bit): | 4.474808152945533 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zsPJgtWI9OzkaiWSC8Blb8fm8M4J2yzZFlT+q84WvuKcQIcQwQkd:uITfxFIajSN8JJNguKkwQkd |
MD5: | D74B9CA42FCB4FF47670DBB70126665D |
SHA1: | C713CE9910F32D106BDA790CB5B81050AFB6EA4E |
SHA-256: | 351496A5886658C4E4EAC55F0BA237EEC44C116671BD7983947295C19FD3B259 |
SHA-512: | 4794B84A709693530AD15FC706F662029230CF25AE8A83F08896FA1826DBF0B359E053F56265706028B07CC7FEC1C1B5B9851AEB59FA64188688A38AC6A8B1CE |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1059516 |
Entropy (8bit): | 1.352706935657892 |
Encrypted: | false |
SSDEEP: | 1536:Gt1e8iM+a4YlSOTeBvftH4l48olYfvW0eYkp4GmC4XzcYpM6IcgPO:S17iM+hYlSbvftYHoieIZIlPO |
MD5: | 609F488A07CAB33EE4C369EC64AB8E68 |
SHA1: | 13F1F816D89247048761B91950FB0A6342295791 |
SHA-256: | ECDBC0A49FDF15A6886ED1056B4CA76D37D08D4C8A41036A4B6E2FC932FA4F24 |
SHA-512: | 11F2B75FFA6E5B0DE6AF9B8B4F20512D3ED40C59A5076452DC1BB2837817D62ECDB44622224F785A54532E18F9C679B74CA451CF65C6739392DC9BCE223B9C96 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8302 |
Entropy (8bit): | 3.6915284993016986 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNi/al6q56YFNSUtugmfL8GSqCpDe89boZsfUUGYm:RrlsNi+686YvSUtugmfLrSNoyfNw |
MD5: | 1F87088A2C4B50685F9DF738D891EE0D |
SHA1: | C3AFE2940FCAE79DBF0F28CC6BB96B51671A5A8F |
SHA-256: | 93619AAB36DF73654B94426D43A83B7A0111F98AED5F22995DB9CEDD9FC70661 |
SHA-512: | 56B3EE353C0D6920650BE842CB90BBDF78AC03BE89E73E3D88FC58FE934B344D3377B9DCCE622C5E4B5A56EF5C43F750E7F6FC470A80DF7419D019C9D1F3AC00 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4558 |
Entropy (8bit): | 4.433540504001836 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zsPJgtWI9OzkaiWSC8B58fm8M4J2yGtFw+q84tjCKcQIcQwQkd:uITfxFIajSNoJEoxCKkwQkd |
MD5: | 917A30CB8F45138C5B6CE4832BD64950 |
SHA1: | 462BCE590F4F8B964B444066E2A558AEA1A41822 |
SHA-256: | F37BFB12A9C8E0181148949B5B642904E89663392CC7658E5D6A02D1F36BDB41 |
SHA-512: | 8B95835D70E20375A89A272CDB69D67DCE858835C5911EBE14EE8A8EF3757AA1E6E0308DD1167C307523373AF4F4F6EE9DCA4E44ECB69D9DA722B50AAE36270B |
Malicious: | false |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 51764 |
Entropy (8bit): | 3.066226886579781 |
Encrypted: | false |
SSDEEP: | 1536:znHBfC2qopFhm5NMFBqCAEzfnEbLt1Zy/yaD2kwxNog:znHBfC2qopFhm5NMFBqCAEzfnEbLtzyG |
MD5: | 0C82D3D4C22C53918FA237399AE6871C |
SHA1: | 4898B947854FDB7D7AF136F1B54CB6BCFA097933 |
SHA-256: | 23B4A7A2F4E5E85842A640A1CCC54ABA392E7A4E96DBDC871C413447DDA646EC |
SHA-512: | 5486DA1D4E56902CF9824653FD0D1294E7A8AD91935B79DFE1E0A558E3BCD2D5D3325DEEA1F17540CF364977A8117617758E4B3C44F6B350F9BD8F1A6065C2D5 |
Malicious: | false |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 13340 |
Entropy (8bit): | 2.695643602908232 |
Encrypted: | false |
SSDEEP: | 96:9GiZYW8QuNj0Y5YLWlFiHIUYEZUwtFiIOkprwj/72a9fKLGZhIDo3:9jZDnehxT2a9fWGZeDo3 |
MD5: | 4F565AA7FF00770992EA2D46A65C181C |
SHA1: | E71996407985D1EFC7802A26A616CD6BCAFAD017 |
SHA-256: | 7D9388E1E756539E15D21F3233476519475F0546E654BA1DBEB23EB284091E4B |
SHA-512: | 65C13B833696C293743496B47B275318A99FC4C57879E211AB3D0DEE73BF7D7940C697976A7AAB7FF616007B474CF66E4A980776D2D2C0AB29D7F47582B6A3F8 |
Malicious: | false |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 51386 |
Entropy (8bit): | 3.0669804346601217 |
Encrypted: | false |
SSDEEP: | 1536:YpH7qfTmlXLIta6T/yshq/wIGzI9o3Sv79yqlzRl:YpH7qfTmlXLIta6T/yshq/wIGzI9o3SL |
MD5: | 7AEB64E6732D8507B55CDB97065F5551 |
SHA1: | E336635236D2CA4885F0AF446932A888356E86EF |
SHA-256: | 7B2551D74FF3C3335954AB31B2B3591B17DB35B97C998AFBA5E675E85C52643A |
SHA-512: | 572BE12F411E2B7809F380A7E8EADF43D942BBCEB7A875E99EE242F60FE4A26966382E046DB7385BA727CC0A750CC1268EE7A2A7F962498187EA733DEEE93D85 |
Malicious: | false |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 13340 |
Entropy (8bit): | 2.6960488456297536 |
Encrypted: | false |
SSDEEP: | 96:9GiZYWF5XUOYUY1WmiHGUYEZHGUtFikO8pWwPisaZefyl7Z+IGn3:9jZDLTlGuPaZefg7ZJGn3 |
MD5: | DE94B8774A8048437382D1A660F29AA9 |
SHA1: | 1A8665F56338D79BE34B9232DD84C5B565065CAE |
SHA-256: | 6E07764DD487971E78C9FF24B371410E8498F8143EEB163B9D167A15DC006283 |
SHA-512: | B201C8D8F965F33DB6F6EC16201323A4AA192CDC5FA4D6745FBBF1590284E66EBA634BF9E5512EEFED2C55CEE593B7E94671FFF678626D8D23A0A13A39C537D9 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 26500 |
Entropy (8bit): | 2.499854907523872 |
Encrypted: | false |
SSDEEP: | 192:QxA1R8L2Oyej8VlR/395FyQorZxJjb5XcRJX+xS+u2xh9c9u:78Vbj1LJj1Xcv+xS+u2xX |
MD5: | 590591470D673CCE95BF4573423BCF62 |
SHA1: | 4AAB40C626AF3781AD5D0A67C0D8A571887859E5 |
SHA-256: | A51E1E0FD6D7C38020106070BE7FA729FD0E8DC15E191C4C27D83E1CD636EDDA |
SHA-512: | 2DFF7DAAB01486716915E7395DE249F5E8261E20EA957002D202606C2716AEE535FE4BAEC8BE44A1BD0DE82A1103A7642292C78D277F341240C4EB3481D3ECD7 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8342 |
Entropy (8bit): | 3.6998766295075085 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNi/w6yBA6YFrSUIogmfsSznCpBN89bjZsfnhm:RrlsNio6r6YpSUIogmfsSzXjyfc |
MD5: | 6FF22358E066039C4E5F9D652B81942B |
SHA1: | 0CC99443BF6C6A1C36A9DE208E077B759FAAA2CA |
SHA-256: | 97AA98F872A9592C2687DBAE180859D4D54891CACF80F4494D8FFAAD5FC2F4C6 |
SHA-512: | B94048F34EC84C49044F17F4C17EB4CFA0E79400B99E9E85EF18268B53C8188B962E1EB3F3CB91E8CF7CEF44F47D1E855448EF8D7460AAC6EA08135EAC18B208 |
Malicious: | false |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 55 |
Entropy (8bit): | 4.306461250274409 |
Encrypted: | false |
SSDEEP: | 3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y |
MD5: | DCA83F08D448911A14C22EBCACC5AD57 |
SHA1: | 91270525521B7FE0D986DB19747F47D34B6318AD |
SHA-256: | 2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9 |
SHA-512: | 96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1572864 |
Entropy (8bit): | 4.272985782131946 |
Encrypted: | false |
SSDEEP: | 12288:a3OEDNLIT7EuGX8LKyVySY9jugewol3v1TmymCBrDca+XrpsQRiu0:GOEDNLIT7EuGX8Gv |
MD5: | 54185C71541C66EA07E6DDE84B4C437A |
SHA1: | 61BBAC5E98BDC0CB940804F0D6A8CB468B9ABD78 |
SHA-256: | 07303B5CD2B6D05BC20136A5846EBE6CFD2E6850ED441124179D1C4ECD241419 |
SHA-512: | 48085F353E3430961FF9CC8A9E57AFDA948B3631E6C6ECA8F5DDD6EC49DF8FBEFA579B7C6EDF19CC2EA3C3948241285524050B4DD07CD6E37666404943758E5E |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 16384 |
Entropy (8bit): | 3.3978501417394353 |
Encrypted: | false |
SSDEEP: | 192:IZXfi1dkpA0sfYK5FSEsWftx12xgoJ4XBaJNSdkyFn6yvRrsf9WfYjdsiDoXzCH:+ve5Rftx12PJ4XB7FFn7eZd1DoXzCH |
MD5: | 43A63F75192D7286A2D714CB22AA13E3 |
SHA1: | 2E59B86D1E7967E0B713CAE9B65EBD9897CC506F |
SHA-256: | 2EE75911842651EE3E0492EA94DB6A7391AC8F7DA2DAC9AF8E5E8E89F2FF6EAF |
SHA-512: | CBB8698D79385AE8609DB7FE6EFDF845E652075A34C95AFABE69E111B5400404817A8BED9BCC4CA6BF1D5FB2D707E99AAA75355D3D79589CFC6E5521D668A187 |
Malicious: | false |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 6.970959661903669 |
TrID: |
File name: | mal.dll |
File size: | 387072 |
MD5: | 9efbd03d5576686dd9f0678c09abe9fc |
SHA1: | 0b821e78137018bbf3f9c67d3b049e33d5b36ae5 |
SHA256: | 972f9350219dcc2df463f923ec5b559f4ab69f083da9ccbd0976c51bc19f3f5b |
SHA512: | fa2def2a793d79b63cf2c808c62e031544282bc3e01f97efa47b3114c702b004d767b818764f47c120007c680274ad9327587ac235186ee6e6d7bb168a19acc9 |
SSDEEP: | 6144:zBYrPMTsY8GR3j4fubnY6Zs/Bv6yM6aSTsfA2qL6jpXNcc6CEteuQJPIgtlpZ5L:yhmT4GbnYks/BJNWo2LjpScDEteuOIoZ |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0...Q...Q...Q..E#...Q..E#...Q..E#...Q../$...Q...$...Q...$...Q...$...Q..E#...Q...Q...Q...Q...Q../$...Q../$...Q..Rich.Q......... |
File Icon |
---|
Icon Hash: | 74f0e4ecccdce0e4 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x1001cac1 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x10000000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x61A73B52 [Wed Dec 1 09:07:30 2021 UTC] |
TLS Callbacks: | 0x1000c340 |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 609402ef170a35cc0e660d7d95ac10ce |
Entrypoint Preview |
---|
Instruction |
---|
push ebp |
mov ebp, esp |
cmp dword ptr [ebp+0Ch], 01h |
jne 00007FEB38C278C7h |
call 00007FEB38C27C58h |
push dword ptr [ebp+10h] |
push dword ptr [ebp+0Ch] |
push dword ptr [ebp+08h] |
call 00007FEB38C27773h |
add esp, 0Ch |
pop ebp |
retn 000Ch |
push ebp |
mov ebp, esp |
push dword ptr [ebp+08h] |
call 00007FEB38C2816Eh |
pop ecx |
pop ebp |
ret |
push ebp |
mov ebp, esp |
jmp 00007FEB38C278CFh |
push dword ptr [ebp+08h] |
call 00007FEB38C2BC54h |
pop ecx |
test eax, eax |
je 00007FEB38C278D1h |
push dword ptr [ebp+08h] |
call 00007FEB38C2BCD0h |
pop ecx |
test eax, eax |
je 00007FEB38C278A8h |
pop ebp |
ret |
cmp dword ptr [ebp+08h], FFFFFFFFh |
je 00007FEB38C28233h |
jmp 00007FEB38C28210h |
push ebp |
mov ebp, esp |
push 00000000h |
call dword ptr [1002A08Ch] |
push dword ptr [ebp+08h] |
call dword ptr [1002A088h] |
push C0000409h |
call dword ptr [1002A040h] |
push eax |
call dword ptr [1002A090h] |
pop ebp |
ret |
push ebp |
mov ebp, esp |
sub esp, 00000324h |
push 00000017h |
call dword ptr [1002A094h] |
test eax, eax |
je 00007FEB38C278C7h |
push 00000002h |
pop ecx |
int 29h |
mov dword ptr [1005E278h], eax |
mov dword ptr [1005E274h], ecx |
mov dword ptr [1005E270h], edx |
mov dword ptr [1005E26Ch], ebx |
mov dword ptr [1005E268h], esi |
mov dword ptr [1005E264h], edi |
mov word ptr [eax], es |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x5b590 | 0x614 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5bba4 | 0x3c | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x60000 | 0x1bc0 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x5a1dc | 0x54 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x5a300 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x5a230 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2a000 | 0x154 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x28bb4 | 0x28c00 | False | 0.53924822661 | data | 6.1540438823 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x2a000 | 0x32362 | 0x32400 | False | 0.817800645211 | data | 7.40644078277 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x5d000 | 0x1ba4 | 0x1200 | False | 0.287109375 | data | 2.60484752417 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.pdata | 0x5f000 | 0x4c4 | 0x600 | False | 0.360677083333 | AmigaOS bitmap font | 2.17228109861 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.reloc | 0x60000 | 0x1bc0 | 0x1c00 | False | 0.7880859375 | data | 6.62631718459 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Imports |
---|
DLL | Import |
---|---|
KERNEL32.dll | HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetModuleHandleA, GetProcAddress, TlsGetValue, TlsSetValue, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, AcquireSRWLockShared, ReleaseSRWLockShared, SetLastError, GetEnvironmentVariableW, GetLastError, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentThread, RtlCaptureContext, ReleaseMutex, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA, CloseHandle, GetStdHandle, GetConsoleMode, WriteFile, WriteConsoleW, TlsAlloc, GetCommandLineW, CreateFileA, GetTickCount64, CreateFileW, SetFilePointerEx, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RaiseException, RtlUnwind, InterlockedFlushSList, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, GetFileType, GetStringTypeW, HeapSize, SetStdHandle, FlushFileBuffers, GetConsoleOutputCP, DecodePointer |
USER32.dll | GetDC, ReleaseDC, GetWindowRect |
Exports |
---|
Name | Ordinal | Address |
---|---|---|
Control_RunDLL | 1 | 0x100010a0 |
axamexdrqyrgb | 2 | 0x100017b0 |
bhramccfbdd | 3 | 0x10001690 |
bptyjtyr | 4 | 0x10001640 |
bxoqrnuua | 5 | 0x100016c0 |
cegjceivzmgdcffk | 6 | 0x100014e0 |
cgxpyqfkocm | 7 | 0x10001480 |
chjbtsnqmvl | 8 | 0x10001540 |
crfsijq | 9 | 0x10001730 |
empxfws | 10 | 0x10001590 |
fbgcvvbrlowsjsj | 11 | 0x10001550 |
fjhmprw | 12 | 0x10001660 |
gfqdajfucnxrv | 13 | 0x10001850 |
hcloldazhuvj | 14 | 0x10001790 |
idcumrbybo | 15 | 0x10001500 |
ihvpwdsfllpvrzy | 16 | 0x10001750 |
iuzqizpdhxqkmf | 17 | 0x100014c0 |
jaarlqsruhrwpipt | 18 | 0x100016e0 |
jndshbhgxdkvvtj | 19 | 0x10001600 |
jniijdleqsyajeis | 20 | 0x10001650 |
jtjqgma | 21 | 0x100016f0 |
kffxtbzhfgbqlu | 22 | 0x10001630 |
kwxkzdhqe | 23 | 0x100016d0 |
lidhnvsukgiuabh | 24 | 0x100016b0 |
ltcrkednwfkup | 25 | 0x10001820 |
lvrmqgtvhsegpbvmq | 26 | 0x10001770 |
mxvwvnerswyylp | 27 | 0x10001520 |
ndlmbjceavqdintmv | 28 | 0x100017d0 |
nvnriipkwrmxwsu | 29 | 0x10001510 |
oafxfavxmi | 30 | 0x10001570 |
ocwutlohg | 31 | 0x100014b0 |
olcklbdvo | 32 | 0x10001680 |
pawvqfmiz | 33 | 0x100015e0 |
pdmomnjmmryopqza | 34 | 0x10001560 |
plzkvjcbz | 35 | 0x10001710 |
poasqvltrkgvepng | 36 | 0x10001840 |
psjoyjhsrkg | 37 | 0x100015b0 |
qdimtzieldbl | 38 | 0x10001620 |
qzvngjfyuxpjag | 39 | 0x10001580 |
relsounb | 40 | 0x100016a0 |
rykebhcisi | 41 | 0x10001670 |
snrvgvzpjh | 42 | 0x100017c0 |
sqnfcfmocgbg | 43 | 0x10001740 |
sxgllzweihxqxi | 44 | 0x10001760 |
tgagxhhcfj | 45 | 0x10001780 |
thjyvtvttwpah | 46 | 0x10001830 |
uvypobslemtipv | 47 | 0x10001640 |
vgidwtjsbwpxkdxj | 48 | 0x100017a0 |
wahhdker | 49 | 0x100014a0 |
wamqmispvbxt | 50 | 0x100015f0 |
witvsjavqyw | 51 | 0x10001720 |
wopabadcwdizvwlgk | 52 | 0x10001490 |
wpzyecljz | 53 | 0x10001800 |
wukgfirfwilhu | 54 | 0x100015d0 |
xntbmrrxs | 55 | 0x100017f0 |
xsxwxreryufxwuhh | 56 | 0x10001700 |
xvgdevijtw | 57 | 0x10001610 |
ydvqidso | 58 | 0x100015c0 |
yggdjrsewuw | 59 | 0x100015a0 |
zaeqdmhaky | 60 | 0x100017e0 |
zakvwkjnk | 61 | 0x10001700 |
zqbggkzy | 62 | 0x100014f0 |
zqtdpertk | 63 | 0x100014d0 |
zshfybkvzv | 64 | 0x10001810 |
zxxopqyvfoesyhmup | 65 | 0x10001530 |
Network Behavior |
---|
No network behavior found |
---|
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 18:37:46 |
Start date: | 01/12/2021 |
Path: | C:\Windows\System32\loaddll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x10c0000 |
File size: | 893440 bytes |
MD5 hash: | 72FCD8FB0ADC38ED9050569AD673650E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
Reputation: | high |
General |
---|
Start time: | 18:37:46 |
Start date: | 01/12/2021 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd80000 |
File size: | 232960 bytes |
MD5 hash: | F3BDBE3BB6F734E357235F4D5898582D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 18:37:47 |
Start date: | 01/12/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x2f0000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
Reputation: | high |
General |
---|
Start time: | 18:37:47 |
Start date: | 01/12/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x2f0000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
Reputation: | high |
General |
---|
Start time: | 18:37:51 |
Start date: | 01/12/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x2f0000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
Reputation: | high |
General |
---|
Start time: | 18:37:59 |
Start date: | 01/12/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x2f0000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
Reputation: | high |
General |
---|
Start time: | 18:39:26 |
Start date: | 01/12/2021 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff70d6e0000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 18:40:08 |
Start date: | 01/12/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x2f0000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 18:40:11 |
Start date: | 01/12/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x2f0000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 18:40:15 |
Start date: | 01/12/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x2f0000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 18:40:27 |
Start date: | 01/12/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x2f0000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 18:40:27 |
Start date: | 01/12/2021 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff70d6e0000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 18:40:28 |
Start date: | 01/12/2021 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xbc0000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 18:40:30 |
Start date: | 01/12/2021 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xbc0000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 18:40:40 |
Start date: | 01/12/2021 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xbc0000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 18:40:42 |
Start date: | 01/12/2021 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xbc0000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Disassembly |
---|
Code Analysis |
---|
Execution Graph |
---|
Execution Coverage: | 6.1% |
Dynamic/Decrypted Code Coverage: | 53.3% |
Signature Coverage: | 30.7% |
Total number of Nodes: | 486 |
Total number of Limit Nodes: | 49 |
Executed Functions |
---|
Control-flow Graph |
---|
C-Code - Quality: 96% |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 6EA0C050, Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 394 | file, memory, COMMON, LIBRARYCODE
Function 6E9F1290, Relevance: 3.9, APIs: 3, Instructions: 137memoryCOMMONLIBRARYCODE
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 96% |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 88% |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 98% |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 87% |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 029C5314, Relevance: .0, Instructions: 50COMMONCrypto
C-Code - Quality: 91% |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
---|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
---|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E9FC2A0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9, Tags: library, loader, COMMON | Uniqueness Score: -1.00% |
Function 6E9FC320, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9, Tags: library, loader, COMMON | Uniqueness Score: -1.00% |
Function 6EA14161, Relevance: 6.1, APIs: 4, Instructions: 74, Tags: COMMON | Uniqueness Score: -1.00% |
Function 029D9100, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74, Tags: process, COMMON | C-Code - Quality: 41% | Uniqueness Score: -1.00% |
C-Code - Quality: 58% | Uniqueness Score: -1.00% |
Function 029CC38F, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56, Tags: service, COMMON | C-Code - Quality: 83% | Uniqueness Score: -1.00% |
Function 029D4CFD, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55, Tags: memory, COMMON | C-Code - Quality: 74% | Uniqueness Score: -1.00% |
Function 029C55C0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54, Tags: file, COMMON | C-Code - Quality: 90% | Uniqueness Score: -1.00% |
Function 029CC460, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49, Tags: memory, COMMON | C-Code - Quality: 68% | Uniqueness Score: -1.00% |
Function 029C7C11, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44, Tags: library, COMMON | C-Code - Quality: 80% | Uniqueness Score: -1.00% |
Function 6EA0C7D4, Relevance: 3.1, APIs: 2, Instructions: 76, Tags: COMMON | Uniqueness Score: -1.00% |
Function 029D0207, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 70, Tags: string, COMMON | C-Code - Quality: 70% | Uniqueness Score: -1.00% |
Function 029D2D06, Relevance: 1.6, APIs: 1, Instructions: 74, Tags: file, COMMON | C-Code - Quality: 58% | Uniqueness Score: -1.00% |
Function 029E3231, Relevance: 1.6, APIs: 1, Instructions: 63, Tags: COMMON | C-Code - Quality: 78% | Uniqueness Score: -1.00% |
Function 029D9038, Relevance: 1.6, APIs: 1, Instructions: 58, Tags: COMMON | C-Code - Quality: 91% | Uniqueness Score: -1.00% |
Function 029CF3F7, Relevance: 1.5, APIs: 1, Instructions: 43, Tags: COMMON | C-Code - Quality: 94% | Uniqueness Score: -1.00% |
Function 6EA12C26, Relevance: 1.5, APIs: 1, Instructions: 39, Tags: memory, COMMON, LIBRARYCODE | Uniqueness Score: -1.00% |
Function 6EA122E9, Relevance: 1.5, APIs: 1, Instructions: 32, Tags: memory, COMMON | Uniqueness Score: -1.00% |
Non-executed Functions |
---|
Function 6E9FD380, Relevance: 26.7, APIs: 14, Strings: 1, Instructions: 445, Tags: memory, COMMON, Crypto | C-Code - Quality: 81% | Uniqueness Score: -1.00% |
Function 6E9FE4E0, Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 135, Tags: library, loader, synchronization, COMMON | C-Code - Quality: 52% | Uniqueness Score: -1.00% |
Function 6E9FE6E0, Relevance: 25.1, APIs: 9, Strings: 5, Instructions: 588, Tags: library, loader, COMMON, Crypto | C-Code - Quality: 52% | Uniqueness Score: -1.00% |
C-Code - Quality: 98% | Uniqueness Score: -1.00% |
C-Code - Quality: 91% | Uniqueness Score: -1.00% |
C-Code - Quality: 96% | Uniqueness Score: -1.00% |
C-Code - Quality: 96% | Uniqueness Score: -1.00% |
C-Code - Quality: 95% | Uniqueness Score: -1.00% |
C-Code - Quality: 99% | Uniqueness Score: -1.00% |
C-Code - Quality: 55% | Uniqueness Score: -1.00% |
C-Code - Quality: 91% | Uniqueness Score: -1.00% |
C-Code - Quality: 85% | Uniqueness Score: -1.00% |
C-Code - Quality: 99% | Uniqueness Score: -1.00% |
Function 6E9F5EA0, Relevance: 10.9, Strings: 8, Instructions: 927, Tags: COMMON | Uniqueness Score: -1.00% |
C-Code - Quality: 81% | Uniqueness Score: -1.00% |
C-Code - Quality: 94% | Uniqueness Score: -1.00% |
C-Code - Quality: 93% | Uniqueness Score: -1.00% |
C-Code - Quality: 83% | Uniqueness Score: -1.00% |
C-Code - Quality: 93% | Uniqueness Score: -1.00% |
C-Code - Quality: 92% | Uniqueness Score: -1.00% |
C-Code - Quality: 96% | Uniqueness Score: -1.00% |
C-Code - Quality: 89% | Uniqueness Score: -1.00% |
C-Code - Quality: 100% | Uniqueness Score: -1.00% |
C-Code - Quality: 90% | Uniqueness Score: -1.00% |
C-Code - Quality: 100% | Uniqueness Score: -1.00% |
C-Code - Quality: 94% | Uniqueness Score: -1.00% |
C-Code - Quality: 98% | Uniqueness Score: -1.00% |
C-Code - Quality: 100% | Uniqueness Score: -1.00% |
C-Code - Quality: 98% | Uniqueness Score: -1.00% |
C-Code - Quality: 99% | Uniqueness Score: -1.00% |
C-Code - Quality: 97% | Uniqueness Score: -1.00% |
C-Code - Quality: 95% | Uniqueness Score: -1.00% |
C-Code - Quality: 100% | Uniqueness Score: -1.00% |
C-Code - Quality: 99% | Uniqueness Score: -1.00% |
C-Code - Quality: 60% | Uniqueness Score: -1.00% |
C-Code - Quality: 94% | Uniqueness Score: -1.00% |
C-Code - Quality: 94% | Uniqueness Score: -1.00% |
C-Code - Quality: 100% | Uniqueness Score: -1.00% |
C-Code - Quality: 95% | Uniqueness Score: -1.00% |
C-Code - Quality: 100% | Uniqueness Score: -1.00% |
C-Code - Quality: 89% | Uniqueness Score: -1.00% |
C-Code - Quality: 95% | Uniqueness Score: -1.00% |
C-Code - Quality: 98% | Uniqueness Score: -1.00% |
C-Code - Quality: 83% | Uniqueness Score: -1.00% |
Function 6E9F9D50, Relevance: 4.0, Strings: 3, Instructions: 233, Tags: COMMON | Uniqueness Score: -1.00% |
C-Code - Quality: 91% | Uniqueness Score: -1.00% |
C-Code - Quality: 93% | Uniqueness Score: -1.00% |
C-Code - Quality: 92% | Uniqueness Score: -1.00% |
C-Code - Quality: 89% | Uniqueness Score: -1.00% |
C-Code - Quality: 100% | Uniqueness Score: -1.00% |
C-Code - Quality: 82% | Uniqueness Score: -1.00% |
Function 6E9F1C10, Relevance: 2.8, Strings: 2, Instructions: 317, Tags: COMMON | Uniqueness Score: -1.00% |
Function 6E9F66E0, Relevance: 2.8, Strings: 2, Instructions: 252, Tags: COMMON | Uniqueness Score: -1.00% |
C-Code - Quality: 93% | Uniqueness Score: -1.00% |
C-Code - Quality: 97% | Uniqueness Score: -1.00% |
C-Code - Quality: 98% | Uniqueness Score: -1.00% |
C-Code - Quality: 89% | Uniqueness Score: -1.00% |
C-Code - Quality: 96% | Uniqueness Score: -1.00% |
C-Code - Quality: 92% | Uniqueness Score: -1.00% |
C-Code - Quality: 90% | Uniqueness Score: -1.00% |
C-Code - Quality: 100% | Uniqueness Score: -1.00% |
C-Code - Quality: 89% | Uniqueness Score: -1.00% |
Function 6EA0CC44, Relevance: 1.6, APIs: 1, Instructions: 144, Tags: COMMON | Uniqueness Score: -1.00% |
Function 6EA12FE7, Relevance: 1.6, APIs: 1, Instructions: 140, Tags: COMMON | Uniqueness Score: -1.00% |
Function 6EA00F10, Relevance: 1.6, Strings: 1, Instructions: 365, Tags: COMMON | Uniqueness Score: -1.00% |
C-Code - Quality: 97% | Uniqueness Score: -1.00% |
C-Code - Quality: 94% | Uniqueness Score: -1.00% |
C-Code - Quality: 91% | Uniqueness Score: -1.00% |
C-Code - Quality: 92% | Uniqueness Score: -1.00% |
C-Code - Quality: 90% | Uniqueness Score: -1.00% |
C-Code - Quality: 100% | Uniqueness Score: -1.00% |
C-Code - Quality: 97% | Uniqueness Score: -1.00% |
C-Code - Quality: 94% | Uniqueness Score: -1.00% |
C-Code - Quality: 87% | Uniqueness Score: -1.00% |
C-Code - Quality: 95% | Uniqueness Score: -1.00% |
C-Code - Quality: 100% | Uniqueness Score: -1.00% |
Function 6E9F38C0, Relevance: 0.5, Instructions: 489, Tags: COMMON | Uniqueness Score: -1.00% |
Function 029C6125, Relevance: 0.1, Instructions: 144, Tags: COMMON, Crypto | C-Code - Quality: 100% | Uniqueness Score: -1.00% |
Function 029C5166, Relevance: 0.1, Instructions: 113, Tags: COMMON, Crypto | C-Code - Quality: 84% | Uniqueness Score: -1.00% |
Function 029DE478, Relevance: 0.1, Instructions: 99, Tags: COMMON, Crypto | C-Code - Quality: 83% | Uniqueness Score: -1.00% |
Function 029E0AD3, Relevance: 0.1, Instructions: 90, Tags: COMMON, Crypto | C-Code - Quality: 94% | Uniqueness Score: -1.00% |
Function 029CF4A5, Relevance: 0.1, Instructions: 85, Tags: COMMON, Crypto | C-Code - Quality: 57% | Uniqueness Score: -1.00% |
Function 029CF984, Relevance: 0.1, Instructions: 85, Tags: COMMON, Crypto | C-Code - Quality: 58% | Uniqueness Score: -1.00% |
Function 029C938F, Relevance: 0.1, Instructions: 78, Tags: COMMON, Crypto | C-Code - Quality: 58% | Uniqueness Score: -1.00% |
Function 029E2C16, Relevance: 0.1, Instructions: 75, Tags: COMMON, Crypto | C-Code - Quality: 81% | Uniqueness Score: -1.00% |
Function 6EA0BFE0, Relevance: 0.0, Instructions: 37, Tags: COMMON, LIBRARYCODE | Uniqueness Score: -1.00% |
Function 6EA1298C, Relevance: 0.0, Instructions: 22, Tags: COMMON, LIBRARYCODE | Uniqueness Score: -1.00% |
Function 6EA112CB, Relevance: 0.0, Instructions: 12, Tags: COMMON, LIBRARYCODE | Uniqueness Score: -1.00% |
Function 029D4315, Relevance: 0.0, Instructions: 2, Tags: COMMON | Uniqueness Score: -1.00% |
Function 6E9FDD30, Relevance: 42.5, APIs: 19, Strings: 5, Instructions: 451, Tags: memory, library, loader, COMMON | C-Code - Quality: 74% | Uniqueness Score: -1.00% |
Function 6E9FC700, Relevance: 32.0, APIs: 14, Strings: 4, Instructions: 477, Tags: memory, COMMON | C-Code - Quality: 69% | Uniqueness Score: -1.00% |
Function 6E9FC6D0, Relevance: 24.9, APIs: 12, Strings: 2, Instructions: 409, Tags: memory, COMMON | C-Code - Quality: 64% | Uniqueness Score: -1.00% |
Function 6EA0F6F6, Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304, Tags: COMMON, LIBRARYCODE | C-Code - Quality: 64% | Uniqueness Score: -1.00% |
Function 6E9FC340, Relevance: 12.6, APIs: 10, Instructions: 125, Tags: COMMON | C-Code - Quality: 58% | Uniqueness Score: -1.00% |
Function 6EA01BF0, Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 212, Tags: file, COMMON | C-Code - Quality: 59% | Uniqueness Score: -1.00% |
Function 6E9FC4D0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 95, Tags: memory, COMMON | C-Code - Quality: 45% | Uniqueness Score: -1.00% |
Function 6E9F10A0, Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 141, Tags: memory, COMMON | C-Code - Quality: 74% | Uniqueness Score: -1.00% |
Function 6EA02960, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111, Tags: memory, COMMON | Uniqueness Score: -1.00% |
Function 6EA142BC, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74, Tags: COMMON, LIBRARYCODE | Uniqueness Score: -1.00% |
Function 6E9FD000, Relevance: 8.8, APIs: 7, Instructions: 85, Tags: memory, COMMON | Uniqueness Score: -1.00% |
Function 6EA10422, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62, Tags: COMMON, LIBRARYCODE | Uniqueness Score: -1.00% |
Function 6EA112ED, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42, Tags: library, loader, COMMON, LIBRARYCODE | Uniqueness Score: -1.00% |
Function 6E9FC280, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9, Tags: library, loader, COMMON | Uniqueness Score: -1.00% |
Function 6E9FC2C0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9, Tags: library, loader, COMMON | Uniqueness Score: -1.00% |
Function 6E9FC2E0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9, Tags: library, loader, COMMON | Uniqueness Score: -1.00% |
Function 6E9FC260, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9, Tags: library, loader, COMMON | Uniqueness Score: -1.00% |
Function 6E9FC300, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9, Tags: library, loader, COMMON | Uniqueness Score: -1.00% |
Function 6EA16749, Relevance: 6.3, APIs: 4, Instructions: 338, Tags: file, COMMON, LIBRARYCODE | Uniqueness Score: -1.00% |
Function 6EA12D87, Relevance: 6.1, APIs: 4, Instructions: 82, Tags: COMMON | Uniqueness Score: -1.00% |
Function 6EA0FAA0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112, Tags: COMMON, LIBRARYCODE | Uniqueness Score: -1.00% |
Execution Graph |
---|
Execution Coverage: | 3.9% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 0% |
Total number of Nodes: | 1021 |
Total number of Limit Nodes: | 7 |
Graph
Executed Functions |
---|
Function 02C29100, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74, Tags: process, COMMON | C-Code - Quality: 41% | Uniqueness Score: -1.00% |
Function 02C20207, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 70, Tags: string, COMMON | C-Code - Quality: 70% | Uniqueness Score: -1.00% |
Function 02C1F3F7, Relevance: 1.5, APIs: 1, Instructions: 43, Tags: COMMON | C-Code - Quality: 94% | Uniqueness Score: -1.00% |
Non-executed Functions |
---|