Windows
Analysis Report
bscHLGMyjW
Overview
General Information
Detection
Score: | 92 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- loaddll32.exe (PID: 7008 cmdline: loaddll32.exe "C:\Users\user\Desktop\bscHLGMyjW.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
- cmd.exe (PID: 7032 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\bscHLGMyjW.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
- rundll32.exe (PID: 7052 cmdline: rundll32.exe "C:\Users\user\Desktop\bscHLGMyjW.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
- regsvr32.exe (PID: 7040 cmdline: regsvr32.exe /s C:\Users\user\Desktop\bscHLGMyjW.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
- regsvr32.exe (PID: 7140 cmdline: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Mjzwixkz\jiugg.vcz" MD5: 426E7499F6A7346F0410DEAD0805586B)
- rundll32.exe (PID: 7064 cmdline: rundll32.exe C:\Users\user\Desktop\bscHLGMyjW.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
- rundll32.exe (PID: 7164 cmdline: rundll32.exe C:\Users\user\Desktop\bscHLGMyjW.dll,DllUnregisterServerr MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
- svchost.exe (PID: 5504 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 6412 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 7068 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 5600 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 2320 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 1640 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 7164 cmdline: C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
- cleanup
{"C2 list": ["216.131.66.3:1", "192.16.0.0:1484", "216.64.72.3:1", "248.38.74.3:1", "255.255.255.255:3", "156.4.0.0:1", "108.4.0.0:1", "152.4.0.0:1", "124.4.0.0:1", "180.4.0.0:1", "184.4.0.0:1", "128.4.0.0:1", "148.4.0.0:1", "208.185.68.3:1", "40.38.70.3:48", "32.137.69.3:48", "103.240.2.0:4300", "112.135.10.118:5", "91.240.2.0:4600", "108.240.2.0:3484", "114.240.2.0:2956", "120.240.2.0:4600", "224.120.66.3:1", "135.52.4.0:4828", "220.194.66.52:443"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | |
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | |
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | |
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | |
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | |
(11 entries in total)
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | |
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | |
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | |
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | |
| JoeSecurity_Emotet | Yara detected Emotet | Joe Security | |
(19 entries in total)
Timestamp: | 07/20/22-01:08:26.357523 |
Source IP: | 192.168.2.7 |
Destination IP: | 46.55.222.114 |
SID: | 2404334 |
Source Port: | 49856 |
Destination Port: | 443 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 07/20/22-01:10:07.675221 |
Source IP: | 192.168.2.7 |
Destination IP: | 131.100.24.231 |
SID: | 2404306 |
Source Port: | 49895 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 07/20/22-01:06:44.834560 |
Source IP: | 192.168.2.7 |
Destination IP: | 51.91.76.89 |
SID: | 2404338 |
Source Port: | 49762 |
Destination Port: | 8080 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
AV Detection |
---|
Source: | Avira URL Cloud: |
Source: | Malware Configuration Extractor: |
Source: | Static PE information: |
Source: | HTTPS traffic detected: |
Networking |
---|
Source: | Network Connect: | Jump to behavior |
Source: | Snort IDS: |
Source: | IPs: |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | HTTP traffic detected: |
Source: | IP Address: |
Source: | TCP traffic: |
Source: | Network traffic detected: |
Source: | HTTP traffic detected: |
Source: | TCP traffic detected without corresponding DNS query: |
Source: | String found in binary or memory: |
Source: | HTTP traffic detected: |
Source: | HTTPS traffic detected: |
Source: | Code function: | 3_2_10042C39 |
E-Banking Fraud |
---|
Source: | File source: |
Source: | Static PE information: |
Source: | File deleted: | Jump to behavior |
Source: | File created: | Jump to behavior |
Source: | Code function: | 2_2_1006C116 | |
Source: | Code function: | 2_2_1006BA52 | |
Source: | Code function: | 2_2_1005D3D0 | |
Source: | Code function: | 2_2_1006DBE5 | |
Source: | Code function: | 2_2_1005FBE9 | |
Source: | Code function: | 2_2_10044502 | |
Source: | Code function: | 2_2_1006B510 | |
Source: | Code function: | 3_2_1006C116 | |
Source: | Code function: | 3_2_1006BA52 | |
Source: | Code function: | 3_2_1005D3D0 | |
Source: | Code function: | 3_2_1006DBE5 | |
Source: | Code function: | 3_2_1005FBE9 | |
Source: | Code function: | 3_2_10044502 | |
Source: | Code function: | 3_2_1006B510 | |
Source: | Code function: | 3_2_10059E00 | |
Source: | Code function: | 3_2_10060E5C | |
Source: | Code function: | 3_2_1005DE78 | |
Source: | Code function: | 3_2_10068EBE | |
Source: | Code function: | 3_2_1005871A | |
Source: | Code function: | 3_2_1006AFCE |
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Section loaded: | Jump to behavior |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior |
Source: | Process created: |
Source: | Process created: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Classification label: |
Source: | File read: | Jump to behavior |
Source: | Process created: |
Source: | Code function: | 2_2_1003F1BA |
Source: | File read: | Jump to behavior |
Source: | Automated click: |
Source: | Static PE information: |
Source: | Code function: | 2_2_1005812A | |
Source: | Code function: | 2_2_10059DF4 | |
Source: | Code function: | 3_2_1005812A | |
Source: | Code function: | 3_2_10059DF4 |
Source: | Code function: | 2_2_10066A27 |
Source: | Static PE information: |
Source: | Process created: |
Source: | PE file moved: | Jump to behavior |
Hooking and other Techniques for Hiding and Protection |
---|
Source: | File opened: | Jump to behavior |
Source: | Code function: | 2_2_1003A200 | |
Source: | Code function: | 2_2_10040404 | |
Source: | Code function: | 3_2_1003A200 | |
Source: | Code function: | 3_2_10040404 |
Source: | Process information set: | Jump to behavior |
Malware Analysis System Evasion |
---|
Source: | System information queried: | Jump to behavior |
Source: | Thread sleep time: | Jump to behavior |
Source: | Evasive API call chain: | graph_2-13286 |
Source: | File opened: | Jump to behavior |
Source: | API coverage: |
Source: | Process information queried: | Jump to behavior |
Source: | API call chain: | graph_2-13287 | ||
Source: | API call chain: | graph_3-20776 | ||
Source: | API call chain: | graph_3-20710 |
Source: | File Volume queried: | Jump to behavior |
Source: | Binary or memory string: |
Source: | Code function: | 2_2_1005E81A |
Source: | Code function: | 2_2_10066A27 |
Source: | Code function: | 2_2_10057D4F |
Source: | Process queried: | Jump to behavior |
Source: | Code function: | 2_2_1005E81A | |
Source: | Code function: | 2_2_10057102 | |
Source: | Code function: | 2_2_100643A7 | |
Source: | Code function: | 3_2_1005E81A | |
Source: | Code function: | 3_2_10057102 | |
Source: | Code function: | 3_2_100643A7 |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Network Connect: | Jump to behavior |
Source: | Process created: | Jump to behavior |
Source: | Queries volume information: | Jump to behavior |
Source: | Code function: | 2_2_1003C980 | |
Source: | Code function: | 2_2_1006D5D7 | |
Source: | Code function: | 3_2_1003C980 | |
Source: | Code function: | 3_2_1006D5D7 | |
Source: | Code function: | 3_2_1006EE9C |
Source: | Code function: | 2_2_10067B4E |
Source: | Key value queried: | Jump to behavior |
Source: | Code function: | 2_2_10062032 |
Source: | Code function: | 3_2_10065EBC |
Source: | Code function: | 2_2_10057D4F |
Source: | Binary or memory string: |
Stealing of Sensitive Information |
---|
Source: | File source: |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 Input Capture | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 3 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 111 Process Injection | 2 Obfuscated Files or Information | LSASS Memory | 1 File and Directory Discovery | Remote Desktop Protocol | 1 Input Capture | Exfiltration Over Bluetooth | 11 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 45 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Standard Port | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 File Deletion | NTDS | 151 Security Software Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 2 Non-Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 2 Masquerading | LSA Secrets | 13 Virtualization/Sandbox Evasion | SSH | Keylogging | Data Transfer Size Limits | 13 Application Layer Protocol | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 13 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Process Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | 111 Process Injection | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 Hidden Files and Directories | Proc Filesystem | 1 Remote System Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 1 Regsvr32 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction | |
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | 1 Rundll32 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact |
Source | Detection | Scanner | Label |
---|---|---|---|
| 100% | Avira | HEUR/AGEN.1215461 |
| 100% | Avira | TR/Crypt.XPACK.Gen |
| 100% | Avira | HEUR/AGEN.1215461 |
| 100% | Avira | HEUR/AGEN.1215461 |
| 100% | Avira | HEUR/AGEN.1215461 |
| 100% | Avira | TR/Crypt.XPACK.Gen |
| 100% | Avira | TR/Crypt.XPACK.Gen |
| 100% | Avira | TR/Crypt.XPACK.Gen |
Source | Detection | Scanner | Label |
---|---|---|---|
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 0% | Avira URL Cloud | safe |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 0% | Avira URL Cloud | safe |
| 100% | Avira URL Cloud | malware |
| 0% | Avira URL Cloud | safe |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 0% | Avira URL Cloud | safe |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 0% | URL Reputation | safe |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 0% | Avira URL Cloud | safe |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 0% | Avira URL Cloud | safe |
| 0% | URL Reputation | safe |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 0% | Avira URL Cloud | safe |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 0% | Avira URL Cloud | safe |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 0% | URL Reputation | safe |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 0% | Avira URL Cloud | safe |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 0% | URL Reputation | safe |
| 0% | Avira URL Cloud | safe |
| 0% | Avira URL Cloud | safe |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 0% | URL Reputation | safe |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 0% | URL Reputation | safe |
| 100% | Avira URL Cloud | malware |
| 100% | Avira URL Cloud | malware |
| 0% | Avira URL Cloud | safe |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
| true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | true | | unknown |
| | true | | unknown |
| | false | | unknown |
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
| | false | | unknown |
| | true | | unknown |
| | false | | unknown |
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
| | false | | unknown |
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
| | false | | high |
| | false | | unknown |
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
| | false | | unknown |
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
| | false | | unknown |
| | false | | unknown |
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
| | false | | unknown |
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
| | false | | low |
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
| | false | | unknown |
| | true | | unknown |
| | true | | unknown |
| | false | | unknown |
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
| | false | | high |
| | true | | unknown |
| | true | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
| | false | | unknown |
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
| | false | | unknown |
| | true | | unknown |
| | true | | unknown |
| | false | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
248.38.74.3 | unknown | Reserved | | unknown | unknown | true |
208.185.68.3 | unknown | United States | | 396173 | SWA-W11-MKT-INETUS | true |
185.157.82.211 | unknown | Poland | | 42927 | S-NET-ASPL | true |
216.131.66.3 | unknown | United States | | 22781 | RBLHSTUS | true |
180.4.0.0 | unknown | Japan | | 4713 | OCNNTTCommunicationsCorporationJP | true |
79.172.212.216 | unknown | Hungary | | 61998 | SZERVERPLEXHU | true |
114.240.2.0 | unknown | China | | 4808 | CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | true |
220.194.66.52 | unknown | China | | 4837 | CHINA169-BACKBONECHINAUNICOMChina169BackboneCN | true |
91.240.2.0 | unknown | United Kingdom | | 198863 | CUP-ASGB | true |
173.254.208.91 | unknown | United States | | 8100 | ASN-QUADRANET-GLOBALUS | true |
206.188.212.92 | unknown | United States | | 55002 | DEFENSE-NETUS | true |
40.38.70.3 | unknown | United States | | 4249 | LILLY-ASUS | true |
135.52.4.0 | unknown | United States | | 54614 | CIKTELECOM-CABLECA | true |
51.91.7.5 | unknown | France | | 16276 | OVHFR | true |
32.137.69.3 | unknown | United States | | 2686 | ATGS-MMD-ASUS | true |
108.240.2.0 | unknown | United States | | 7018 | ATT-INTERNET4US | true |
148.4.0.0 | unknown | United States | | 6074 | LIUNETUS | true |
108.4.0.0 | unknown | United States | | 701 | UUNETUS | true |
192.16.0.0 | unknown | United States | | 14153 | EDGECAST-IRUS | true |
149.56.128.192 | unknown | Canada | | 16276 | OVHFR | true |
128.4.0.0 | unknown | United States | | 2 | UDEL-DCNUS | true |
120.240.2.0 | unknown | China | | 56040 | CMNET-GUANGDONG-APChinaMobilecommunicationscorporation | true |
131.100.24.231 | unknown | Brazil | | 61635 | GOPLEXTELECOMUNICACOESEINTERNETLTDA-MEBR | true |
156.4.0.0 | unknown | United States | | 29975 | VODACOM-ZA | true |
184.4.0.0 | unknown | United States | | 5778 | CENTURYLINK-LEGACY-EMBARQ-RCMTUS | true |
46.55.222.11 | unknown | Bulgaria | | 34841 | BALCHIKNETBG | true |
51.91.76.89 | unknown | France | | 16276 | OVHFR | true |
103.240.2.0 | unknown | unknown | | 7575 | AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | true |
160.16.218.63 | unknown | Japan | | 9370 | SAKURA-BSAKURAInternetIncJP | true |
224.120.66.3 | unknown | Reserved | | unknown | unknown | true |
192.99.251.50 | unknown | Canada | | 16276 | OVHFR | true |
216.64.72.3 | unknown | United States | | 7029 | WINDSTREAMUS | true |
124.4.0.0 | unknown | India | | 18302 | SKG_NW-AS-KRSKTelecomKR | true |
112.135.10.118 | unknown | Sri Lanka | | 9329 | SLTINT-AS-APSriLankaTelecomInternetLK | true |
152.4.0.0 | unknown | United States | | 81 | NCRENUS | true |
159.8.59.82 | unknown | United States | | 36351 | SOFTLAYERUS | true |
120.50.40.183 | unknown | Singapore | | 17547 | M1NET-SG-APM1NETLTDSG | true |
58.227.42.236 | unknown | Korea Republic of | | 9318 | SKB-ASSKBroadbandCoLtdKR | true |
103.221.221.247 | unknown | Viet Nam | | 18403 | FPT-AS-APTheCorporationforFinancingPromotingTechnolo | true |
IP |
---|
192.168.2.1 |
127.0.0.1 |
Joe Sandbox Version: | 35.0.0 Citrine |
Analysis ID: | 669372 |
Start date and time: | 2022-07-20 01:05:12 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 13m 57s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | bscHLGMyjW (renamed file extension from none to dll) |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 31 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal92.troj.evad.winDLL@20/4@0/41 |
EGA Information: | |
HDC Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, taskhostw.exe, audiodg.exe, BackgroundTransferHost.exe, UpdateNotificationMgr.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, UsoClient.exe, wuapihost.exe
- Excluded IPs from analysis (whitelisted): 8.248.137.254, 8.238.85.254, 8.248.145.254, 8.248.119.254, 8.241.126.121, 20.223.24.244, 23.211.4.86, 40.119.249.228, 51.11.168.232, 8.248.135.254, 8.248.149.254, 8.238.189.126, 8.253.207.120
- Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, settings-prod-sea-2.southeastasia.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, go.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, settings-prod-uks-1.uksouth.cloudapp.azure.com, prod.fs.microsoft.com.akadns.net, www.bing.com, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, settings-win.data.microsoft.com, wu-bg-shim.trafficmanager.net, atm-settingsfe-prod-weighted.trafficmanager.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
- Not all processes were analyzed, report is missing behavior information
- Report creation exceeded maximum time and may have missing disassembly code information.
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: bscHLGMyjW.dll
Time | Type | Description |
---|---|---|
01:07:56 | API Interceptor | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
185.157.82.211 | 20 associated samples (sample names and SHA-256 values not present in this copy) | | malicious | | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
SWA-W11-MKT-INETUS | 20 associated samples (sample names and SHA-256 values not present in this copy) | | malicious | | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
51c64c77e60f3980eea90869b68c58a8 | 20 associated samples (sample names and SHA-256 values not present in this copy) | | malicious | | |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 786432 |
Entropy (8bit): | 0.250704057018144 |
Encrypted: | false |
SSDEEP: | 384:E+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:7SB2nSB2RSjlK/+mLesOj1J2 |
MD5: | 1C4553ECE074FAF7C1CBD4589F778FE5 |
SHA1: | 56C3A250F1414B3FB0CFCD7098A3AD0F67906F07 |
SHA-256: | 0EC64C6E3DC500EBBD29D2518A2F2ABEEADBF9B99D2685C3E2D9522AD2BF43E0 |
SHA-512: | A60EF4D10A72D99E42F98BC60091FA709209332D538EA9104A4CFEAEFDF7A3B4ACCDFDB3DE58AA56576A7BB84399F45F46D06274AA31B5564FE4122533B03BC3 |
Malicious: | false |
Preview: | |
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Process: | C:\Windows\SysWOW64\regsvr32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 61712 |
Entropy (8bit): | 7.995044632446497 |
Encrypted: | true |
SSDEEP: | 1536:gzjJiDImMsrjCtGLaexX/zL09mX/lZHIxs:gPJiDI/sr0Hexv/0S/zx |
MD5: | 589C442FC7A0C70DCA927115A700D41E |
SHA1: | 66A07DACE3AFBFD1AA07A47E6875BEAB62C4BB31 |
SHA-256: | 2E5CB72E9EB43BAAFB6C6BFCC573AAC92F49A8064C483F9D378A9E8E781A526A |
SHA-512: | 1B5FA79E52BE495C42CF49618441FB7012E28C02E7A08A91DA9213DB3AB810F0E83485BC1DD5F625A47D0BA7CFCDD5EA50ACC9A8DCEBB39F048C40F01E94155B |
Malicious: | false |
Preview: | |
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Process: | C:\Windows\SysWOW64\regsvr32.exe |
File Type: | |
Category: | modified |
Size (bytes): | 326 |
Entropy (8bit): | 3.1050968086786974 |
Encrypted: | false |
SSDEEP: | 6:kKP1v+N+SkQlPlEGYRMY9z+4KlDA3RUeWlEZ21:nFNkPlE99SNxAhUeE1 |
MD5: | 99CD07B7CBA64F60AD1D768E8D35793A |
SHA1: | CD04042624DC329DB9D704FA6EFFBA8A68793268 |
SHA-256: | EE7BDD31B8346C7B1B251091563660CBB4FE2264D9F4AAB59441200717484E53 |
SHA-512: | 48250248B491A37EC381D3D023EC70E0D2E2431CAB87782EDE0B631A8BE7441CB6254122858B538C086E95F46999492124552A6487BAB413A7A19EBEFFDE5D7E |
Malicious: | false |
Preview: | |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 55 |
Entropy (8bit): | 4.306461250274409 |
Encrypted: | false |
SSDEEP: | 3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y |
MD5: | DCA83F08D448911A14C22EBCACC5AD57 |
SHA1: | 91270525521B7FE0D986DB19747F47D34B6318AD |
SHA-256: | 2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9 |
SHA-512: | 96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA |
Malicious: | false |
Preview: | |
File type: | |
Entropy (8bit): | 6.571573688089068 |
TrID: | |
File name: | bscHLGMyjW.dll |
File size: | 942080 |
MD5: | 853c4a8922ffe407962ed618f5e5050b |
SHA1: | 7d46327d257ff52b5c380b521cd28935d65c4bc7 |
SHA256: | 8c58876a208132d6ed84b2d63416bde9efa590e9ae0246a4f668bcebdc04b7a1 |
SHA512: | d5607fe37a1670acab8e13acfa3d7f0be2ac4d9a733a83e303a88f33f5e4a11ee0399a9438713bce73434b51a7f3ac0d7bf22535f2e76fd723dad2b830145fb2 |
SSDEEP: | 12288:1HINAbFJ0qIOft0qsDCTOteq/XhkUqKJzlB/ooM5M7VesLZkl:qNyJTIOfADYOEgoUuoM5M7VesLZ |
TLSH: | 9F15E74279838E34F11F03B0DD43121AB61F9E50FA51553EABB872AAAF307A17DD921D |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......aa..%...%...%......./.......2...%...3...............................$.......$.......$...Rich%...................PE..L...7.;b... |
Icon Hash: | 71b018ccc6577131 |
Entrypoint: | 0x1005801e |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x10000000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL |
DLL Characteristics: | |
Time Stamp: | 0x623B8F37 [Wed Mar 23 21:20:55 2022 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 39f0c91492ecdee129a7efdc73aac29f |
Instruction |
---|
cmp dword ptr [esp+08h], 01h |
jne 00007FECA09D74A7h |
call 00007FECA09E14ADh |
push dword ptr [esp+04h] |
mov ecx, dword ptr [esp+10h] |
mov edx, dword ptr [esp+0Ch] |
call 00007FECA09D7392h |
pop ecx |
retn 000Ch |
push eax |
push dword ptr fs:[00000000h] |
lea eax, dword ptr [esp+0Ch] |
sub esp, dword ptr [esp+0Ch] |
push ebx |
push esi |
push edi |
mov dword ptr [eax], ebp |
mov ebp, eax |
mov eax, dword ptr [1008675Ch] |
xor eax, ebp |
push eax |
push dword ptr [ebp-04h] |
mov dword ptr [ebp-04h], FFFFFFFFh |
lea eax, dword ptr [ebp-0Ch] |
mov dword ptr fs:[00000000h], eax |
ret |
push eax |
push dword ptr fs:[00000000h] |
lea eax, dword ptr [esp+0Ch] |
sub esp, dword ptr [esp+0Ch] |
push ebx |
push esi |
push edi |
mov dword ptr [eax], ebp |
mov ebp, eax |
mov eax, dword ptr [1008675Ch] |
xor eax, ebp |
push eax |
mov dword ptr [ebp-10h], esp |
push dword ptr [ebp-04h] |
mov dword ptr [ebp-04h], FFFFFFFFh |
lea eax, dword ptr [ebp-0Ch] |
mov dword ptr fs:[00000000h], eax |
ret |
push eax |
push dword ptr fs:[00000000h] |
lea eax, dword ptr [esp+0Ch] |
sub esp, dword ptr [esp+0Ch] |
push ebx |
push esi |
push edi |
mov dword ptr [eax], ebp |
mov ebp, eax |
mov eax, dword ptr [1008675Ch] |
xor eax, ebp |
push eax |
mov dword ptr [ebp-10h], eax |
push dword ptr [ebp-04h] |
mov dword ptr [ebp-04h], FFFFFFFFh |
lea eax, dword ptr [ebp-0Ch] |
mov dword ptr fs:[00000000h], eax |
ret |
push eax |
push dword ptr fs:[00000000h] |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x84b60 | 0x73 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x82efc | 0xdc | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8c000 | 0x45d70 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd2000 | 0x132f8 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x7cdc0 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x72000 | 0x55c | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x82e74 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x70e79 | 0x71000 | False | 0.33150407909292035 | data | 6.159544480920374 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x72000 | 0x12bd3 | 0x13000 | False | 0.39717824835526316 | data | 5.546150396900126 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x85000 | 0x6b98 | 0x3000 | False | 0.301025390625 | data | 4.396397855204817 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x8c000 | 0x45d70 | 0x46000 | False | 0.5704938616071429 | data | 6.319202698969252 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0xd2000 | 0x1784e | 0x18000 | False | 0.4889424641927083 | data | 6.127097386348335 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
0x8cc88 | 0x20800 | data | English | United States | |
RT_CURSOR | 0xad488 | 0x134 | data | English | United States |
RT_CURSOR | 0xad5bc | 0xb4 | data | English | United States |
RT_CURSOR | 0xad670 | 0x134 | AmigaOS bitmap font | English | United States |
RT_CURSOR | 0xad7a4 | 0x134 | data | English | United States |
RT_CURSOR | 0xad8d8 | 0x134 | data | English | United States |
RT_CURSOR | 0xada0c | 0x134 | data | English | United States |
RT_CURSOR | 0xadb40 | 0x134 | data | English | United States |
RT_CURSOR | 0xadc74 | 0x134 | data | English | United States |
RT_CURSOR | 0xadda8 | 0x134 | data | English | United States |
RT_CURSOR | 0xadedc | 0x134 | data | English | United States |
RT_CURSOR | 0xae010 | 0x134 | data | English | United States |
RT_CURSOR | 0xae144 | 0x134 | data | English | United States |
RT_CURSOR | 0xae278 | 0x134 | AmigaOS bitmap font | English | United States |
RT_CURSOR | 0xae3ac | 0x134 | data | English | United States |
RT_CURSOR | 0xae4e0 | 0x134 | data | English | United States |
RT_CURSOR | 0xae614 | 0x134 | data | English | United States |
RT_BITMAP | 0xae748 | 0xb8 | data | English | United States |
RT_BITMAP | 0xae800 | 0x144 | data | English | United States |
RT_ICON | 0xae944 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 67108992, next used block 3293332676 | English | United States |
RT_ICON | 0xaec2c | 0x128 | GLS_BINARY_LSB_FIRST | English | United States |
RT_ICON | 0xaed54 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | English | United States |
RT_ICON | 0xbf57c | 0x10828 | dBase III DBT, version number 0, next free block index 40 | English | United States |
RT_DIALOG | 0xcfda4 | 0x11a | data | English | United States |
RT_DIALOG | 0xcfec0 | 0x182 | data | English | United States |
RT_DIALOG | 0xd0044 | 0xe8 | data | English | United States |
RT_DIALOG | 0xd012c | 0x34 | data | English | United States |
RT_STRING | 0xd0160 | 0x4a | data | English | United States |
RT_STRING | 0xd01ac | 0x82 | data | English | United States |
RT_STRING | 0xd0230 | 0x2a | data | English | United States |
RT_STRING | 0xd025c | 0x192 | data | English | United States |
RT_STRING | 0xd03f0 | 0x4e2 | data | English | United States |
RT_STRING | 0xd08d4 | 0x31a | data | English | United States |
RT_STRING | 0xd0bf0 | 0x2dc | data | English | United States |
RT_STRING | 0xd0ecc | 0x8a | data | English | United States |
RT_STRING | 0xd0f58 | 0xac | data | English | United States |
RT_STRING | 0xd1004 | 0xde | data | English | United States |
RT_STRING | 0xd10e4 | 0x4c4 | data | English | United States |
RT_STRING | 0xd15a8 | 0x264 | data | English | United States |
RT_STRING | 0xd180c | 0x2c | data | English | United States |
RT_STRING | 0xd1838 | 0x42 | data | English | United States |
RT_GROUP_CURSOR | 0xd187c | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | English | United States |
RT_GROUP_CURSOR | 0xd18a0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States |
RT_GROUP_CURSOR | 0xd18b4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States |
RT_GROUP_CURSOR | 0xd18c8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States |
RT_GROUP_CURSOR | 0xd18dc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States |
RT_GROUP_CURSOR | 0xd18f0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States |
RT_GROUP_CURSOR | 0xd1904 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States |
RT_GROUP_CURSOR | 0xd1918 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States |
RT_GROUP_CURSOR | 0xd192c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States |
RT_GROUP_CURSOR | 0xd1940 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States |
RT_GROUP_CURSOR | 0xd1954 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States |
RT_GROUP_CURSOR | 0xd1968 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States |
RT_GROUP_CURSOR | 0xd197c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States |
RT_GROUP_CURSOR | 0xd1990 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States |
RT_GROUP_CURSOR | 0xd19a4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States |
RT_GROUP_ICON | 0xd19b8 | 0x22 | data | English | United States |
RT_GROUP_ICON | 0xd19dc | 0x14 | data | English | United States |
RT_GROUP_ICON | 0xd19f0 | 0x14 | data | English | United States |
RT_VERSION | 0xd1a04 | 0x314 | data | English | United States |
RT_MANIFEST | 0xd1d18 | 0x56 | ASCII text, with CRLF line terminators | English | United States |
DLL | Import |
---|---|
KERNEL32.dll | HeapFree, HeapAlloc, GetCommandLineA, GetProcessHeap, RaiseException, HeapReAlloc, HeapSize, VirtualProtect, VirtualAlloc, GetSystemInfo, VirtualQuery, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, Sleep, HeapDestroy, HeapCreate, VirtualFree, GetStdHandle, GetModuleFileNameA, SetHandleCount, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, RtlUnwind, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetCPInfo, GetACP, GetOEMCP, GetTimeZoneInformation, GetLocaleInfoA, GetConsoleCP, GetConsoleMode, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, SetEnvironmentVariableA, GetTickCount, GetFileTime, GetFileAttributesW, FileTimeToLocalFileTime, FileTimeToSystemTime, lstrlenA, CreateFileW, GetFullPathNameW, GetVolumeInformationW, FindFirstFileW, FindClose, GetCurrentProcess, DuplicateHandle, GetFileSize, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, GetThreadLocale, InterlockedIncrement, TlsFree, DeleteCriticalSection, LocalReAlloc, TlsSetValue, TlsAlloc, InitializeCriticalSection, GlobalHandle, GlobalReAlloc, EnterCriticalSection, TlsGetValue, LeaveCriticalSection, LocalAlloc, GlobalFlags, WritePrivateProfileStringW, FormatMessageW, LocalFree, MulDiv, GetModuleHandleA, InterlockedDecrement, lstrlenW, GlobalFindAtomW, CompareStringW, LoadLibraryA, GetVersionExA, GlobalUnlock, GlobalFree, FreeResource, GetCurrentProcessId, GetLastError, SetLastError, GlobalAddAtomW, CloseHandle, GetCurrentThread, GetCurrentThreadId, ConvertDefaultLocale, GetModuleFileNameW, GetVersion, EnumResourceLanguagesW, lstrcmpA, GetLocaleInfoW, LoadLibraryW, WideCharToMultiByte, CompareStringA, MultiByteToWideChar, InterlockedExchange, GlobalLock, lstrcmpW, GlobalAlloc, FreeLibrary, GlobalDeleteAtom, GetModuleHandleW, GetProcAddress, LoadResource, LockResource, SizeofResource, FindResourceW, GetEnvironmentStrings, ExitProcess |
USER32.dll | RegisterClipboardFormatW, PostThreadMessageW, ReleaseCapture, LoadCursorW, SetCapture, EndPaint, BeginPaint, GetWindowDC, ReleaseDC, GetDC, ClientToScreen, GrayStringW, DrawTextExW, DrawTextW, TabbedTextOutW, DestroyMenu, ShowWindow, MoveWindow, SetWindowTextW, IsDialogMessageW, RegisterWindowMessageW, SendDlgItemMessageW, SendDlgItemMessageA, WinHelpW, IsChild, GetCapture, GetClassLongW, GetClassNameW, MessageBeep, GetPropW, RemovePropW, SetFocus, GetWindowTextW, GetForegroundWindow, GetTopWindow, UnhookWindowsHookEx, GetMessageTime, GetMessagePos, MapWindowPoints, SetForegroundWindow, UpdateWindow, GetMenu, GetSubMenu, GetMenuItemID, GetMenuItemCount, CreateWindowExW, GetClassInfoExW, GetClassInfoW, RegisterClassW, GetSysColor, AdjustWindowRectEx, EqualRect, CopyRect, PtInRect, GetDlgCtrlID, DefWindowProcW, CallWindowProcW, SetWindowLongW, OffsetRect, IntersectRect, SystemParametersInfoA, GetWindowPlacement, GetWindowRect, GetWindow, SetWindowContextHelpId, MapDialogRect, SetWindowPos, GetDesktopWindow, SetActiveWindow, CreateDialogIndirectParamW, DestroyWindow, IsWindow, GetDlgItem, GetNextDlgTabItem, EndDialog, GetWindowThreadProcessId, GetWindowLongW, GetLastActivePopup, IsWindowEnabled, MessageBoxW, GetNextDlgGroupItem, InvalidateRgn, SetRect, IsRectEmpty, CopyAcceleratorTableW, CharNextW, CharUpperW, SetPropW, GetSysColorBrush, SetCursor, SetWindowsHookExW, CallNextHookEx, GetMessageW, TranslateMessage, DispatchMessageW, GetActiveWindow, IsWindowVisible, GetKeyState, PeekMessageW, GetCursorPos, ValidateRect, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, GetFocus, ModifyMenuW, GetMenuState, EnableMenuItem, CheckMenuItem, PostMessageW, PostQuitMessage, InvalidateRect, LoadBitmapW, GetParent, GetClientRect, IsIconic, DrawIcon, GetSystemMetrics, SendMessageW, GetSystemMenu, AppendMenuW, LoadIconW, EnableWindow, UnregisterClassA |
GDI32.dll | ScaleWindowExtEx, GetWindowExtEx, ExtSelectClipRgn, DeleteDC, GetStockObject, GetDeviceCaps, SetWindowExtEx, GetBkColor, GetTextColor, CreateRectRgnIndirect, GetRgnBox, GetMapMode, GetViewportExtEx, DeleteObject, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SelectObject, Escape, TextOutW, RectVisible, PtVisible, BitBlt, SetMapMode, RestoreDC, SaveDC, ExtTextOutW, SetBkColor, SetTextColor, GetClipBox, CreateBitmap, GetPixel, GetObjectW, CreateCompatibleDC, CreateCompatibleBitmap, SetPixelV |
comdlg32.dll | GetFileTitleW |
WINSPOOL.DRV | DocumentPropertiesW, OpenPrinterW, ClosePrinter |
ADVAPI32.dll | RegSetValueExW, RegCreateKeyExW, RegQueryValueW, RegOpenKeyW, RegEnumKeyW, RegDeleteKeyW, RegOpenKeyExW, RegQueryValueExW, RegCloseKey |
SHLWAPI.dll | PathFindFileNameW, PathStripToRootW, PathFindExtensionW, PathIsUNCW |
oledlg.dll | OleUIBusyW |
ole32.dll | OleInitialize, CoFreeUnusedLibraries, OleUninitialize, CreateILockBytesOnHGlobal, StgCreateDocfileOnILockBytes, StgOpenStorageOnILockBytes, CoGetClassObject, CoRevokeClassObject, CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, CLSIDFromProgID, OleIsCurrentClipboard, OleFlushClipboard, CoRegisterMessageFilter |
OLEAUT32.dll | VariantCopy, SysAllocString, SafeArrayDestroy, SystemTimeToVariantTime, VariantTimeToSystemTime, OleCreateFontIndirect, SysStringLen, VariantInit, VariantChangeType, VariantClear, SysAllocStringLen, SysFreeString |
Name | Ordinal | Address |
---|---|---|
DllRegisterServer | 1 | 0x10039b80 |
DllUnregisterServerr | 2 | 0x10039bc0 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
07/20/22-01:08:26.357523 | TCP | 2404334 | ET CNC Feodo Tracker Reported CnC Server TCP group 18 | 49856 | 443 | 192.168.2.7 | 46.55.222.11 |
07/20/22-01:10:07.675221 | TCP | 2404306 | ET CNC Feodo Tracker Reported CnC Server TCP group 4 | 49895 | 80 | 192.168.2.7 | 131.100.24.231 |
07/20/22-01:06:44.834560 | TCP | 2404338 | ET CNC Feodo Tracker Reported CnC Server TCP group 20 | 49762 | 8080 | 192.168.2.7 | 51.91.76.89 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jul 20, 2022 01:06:44.834559917 CEST | 49762 | 8080 | 192.168.2.7 | 51.91.76.89 |
Jul 20, 2022 01:06:44.856633902 CEST | 8080 | 49762 | 51.91.76.89 | 192.168.2.7 |
Jul 20, 2022 01:06:45.503371000 CEST | 49762 | 8080 | 192.168.2.7 | 51.91.76.89 |
Jul 20, 2022 01:06:45.523595095 CEST | 8080 | 49762 | 51.91.76.89 | 192.168.2.7 |
Jul 20, 2022 01:06:46.206505060 CEST | 49762 | 8080 | 192.168.2.7 | 51.91.76.89 |
Jul 20, 2022 01:06:46.226511955 CEST | 8080 | 49762 | 51.91.76.89 | 192.168.2.7 |
Jul 20, 2022 01:06:46.242204905 CEST | 49763 | 8080 | 192.168.2.7 | 173.254.208.91 |
Jul 20, 2022 01:06:46.406214952 CEST | 8080 | 49763 | 173.254.208.91 | 192.168.2.7 |
Jul 20, 2022 01:06:46.909936905 CEST | 49763 | 8080 | 192.168.2.7 | 173.254.208.91 |
Jul 20, 2022 01:06:47.073618889 CEST | 8080 | 49763 | 173.254.208.91 | 192.168.2.7 |
Jul 20, 2022 01:06:47.722201109 CEST | 49763 | 8080 | 192.168.2.7 | 173.254.208.91 |
Jul 20, 2022 01:06:47.891154051 CEST | 8080 | 49763 | 173.254.208.91 | 192.168.2.7 |
Jul 20, 2022 01:06:47.906995058 CEST | 49764 | 443 | 192.168.2.7 | 149.56.128.192 |
Jul 20, 2022 01:06:47.907058001 CEST | 443 | 49764 | 149.56.128.192 | 192.168.2.7 |
Jul 20, 2022 01:06:47.908020020 CEST | 49764 | 443 | 192.168.2.7 | 149.56.128.192 |
Jul 20, 2022 01:06:47.930125952 CEST | 49764 | 443 | 192.168.2.7 | 149.56.128.192 |
Jul 20, 2022 01:06:47.930171013 CEST | 443 | 49764 | 149.56.128.192 | 192.168.2.7 |
Jul 20, 2022 01:06:48.282975912 CEST | 443 | 49764 | 149.56.128.192 | 192.168.2.7 |
Jul 20, 2022 01:06:48.283132076 CEST | 49764 | 443 | 192.168.2.7 | 149.56.128.192 |
Jul 20, 2022 01:06:48.685695887 CEST | 49764 | 443 | 192.168.2.7 | 149.56.128.192 |
Jul 20, 2022 01:06:48.685745955 CEST | 443 | 49764 | 149.56.128.192 | 192.168.2.7 |
Jul 20, 2022 01:06:48.685997963 CEST | 443 | 49764 | 149.56.128.192 | 192.168.2.7 |
Jul 20, 2022 01:06:48.686086893 CEST | 49764 | 443 | 192.168.2.7 | 149.56.128.192 |
Jul 20, 2022 01:06:48.690339088 CEST | 49764 | 443 | 192.168.2.7 | 149.56.128.192 |
Jul 20, 2022 01:06:48.736499071 CEST | 443 | 49764 | 149.56.128.192 | 192.168.2.7 |
Jul 20, 2022 01:07:22.296195030 CEST | 49764 | 443 | 192.168.2.7 | 149.56.128.192 |
Jul 20, 2022 01:07:22.771351099 CEST | 49783 | 80 | 192.168.2.7 | 120.50.40.183 |
Jul 20, 2022 01:07:25.808518887 CEST | 49783 | 80 | 192.168.2.7 | 120.50.40.183 |
Jul 20, 2022 01:07:31.819861889 CEST | 49783 | 80 | 192.168.2.7 | 120.50.40.183 |
Jul 20, 2022 01:07:44.009496927 CEST | 49792 | 8080 | 192.168.2.7 | 160.16.218.63 |
Jul 20, 2022 01:07:47.149231911 CEST | 49792 | 8080 | 192.168.2.7 | 160.16.218.63 |
Jul 20, 2022 01:07:53.290525913 CEST | 49792 | 8080 | 192.168.2.7 | 160.16.218.63 |
Jul 20, 2022 01:08:05.308933020 CEST | 49822 | 8080 | 192.168.2.7 | 206.188.212.92 |
Jul 20, 2022 01:08:08.312422991 CEST | 49822 | 8080 | 192.168.2.7 | 206.188.212.92 |
Jul 20, 2022 01:08:14.312891006 CEST | 49822 | 8080 | 192.168.2.7 | 206.188.212.92 |
Jul 20, 2022 01:08:26.357522964 CEST | 49856 | 443 | 192.168.2.7 | 46.55.222.11 |
Jul 20, 2022 01:08:26.357578039 CEST | 443 | 49856 | 46.55.222.11 | 192.168.2.7 |
Jul 20, 2022 01:08:26.357676029 CEST | 49856 | 443 | 192.168.2.7 | 46.55.222.11 |
Jul 20, 2022 01:08:26.359740019 CEST | 49856 | 443 | 192.168.2.7 | 46.55.222.11 |
Jul 20, 2022 01:08:26.359776020 CEST | 443 | 49856 | 46.55.222.11 | 192.168.2.7 |
Jul 20, 2022 01:08:26.532005072 CEST | 443 | 49856 | 46.55.222.11 | 192.168.2.7 |
Jul 20, 2022 01:08:26.532187939 CEST | 49856 | 443 | 192.168.2.7 | 46.55.222.11 |
Jul 20, 2022 01:08:26.630074024 CEST | 49856 | 443 | 192.168.2.7 | 46.55.222.11 |
Jul 20, 2022 01:08:26.630100012 CEST | 443 | 49856 | 46.55.222.11 | 192.168.2.7 |
Jul 20, 2022 01:08:26.630712032 CEST | 443 | 49856 | 46.55.222.11 | 192.168.2.7 |
Jul 20, 2022 01:08:26.630785942 CEST | 49856 | 443 | 192.168.2.7 | 46.55.222.11 |
Jul 20, 2022 01:08:26.631612062 CEST | 49856 | 443 | 192.168.2.7 | 46.55.222.11 |
Jul 20, 2022 01:08:26.672494888 CEST | 443 | 49856 | 46.55.222.11 | 192.168.2.7 |
Jul 20, 2022 01:08:26.804231882 CEST | 443 | 49856 | 46.55.222.11 | 192.168.2.7 |
Jul 20, 2022 01:08:26.804380894 CEST | 49856 | 443 | 192.168.2.7 | 46.55.222.11 |
Jul 20, 2022 01:08:26.804405928 CEST | 443 | 49856 | 46.55.222.11 | 192.168.2.7 |
Jul 20, 2022 01:08:26.804501057 CEST | 49856 | 443 | 192.168.2.7 | 46.55.222.11 |
Jul 20, 2022 01:08:26.804526091 CEST | 443 | 49856 | 46.55.222.11 | 192.168.2.7 |
Jul 20, 2022 01:08:26.804562092 CEST | 443 | 49856 | 46.55.222.11 | 192.168.2.7 |
Jul 20, 2022 01:08:26.804629087 CEST | 49856 | 443 | 192.168.2.7 | 46.55.222.11 |
Jul 20, 2022 01:08:26.804647923 CEST | 49856 | 443 | 192.168.2.7 | 46.55.222.11 |
Jul 20, 2022 01:08:26.827383995 CEST | 49856 | 443 | 192.168.2.7 | 46.55.222.11 |
Jul 20, 2022 01:08:26.827428102 CEST | 443 | 49856 | 46.55.222.11 | 192.168.2.7 |
Jul 20, 2022 01:08:26.827442884 CEST | 49856 | 443 | 192.168.2.7 | 46.55.222.11 |
Jul 20, 2022 01:08:26.827522993 CEST | 49856 | 443 | 192.168.2.7 | 46.55.222.11 |
Jul 20, 2022 01:08:26.874392986 CEST | 49857 | 8080 | 192.168.2.7 | 79.172.212.216 |
Jul 20, 2022 01:08:26.907696962 CEST | 8080 | 49857 | 79.172.212.216 | 192.168.2.7 |
Jul 20, 2022 01:08:27.407752991 CEST | 49857 | 8080 | 192.168.2.7 | 79.172.212.216 |
Jul 20, 2022 01:08:27.441828012 CEST | 8080 | 49857 | 79.172.212.216 | 192.168.2.7 |
Jul 20, 2022 01:08:27.954648972 CEST | 49857 | 8080 | 192.168.2.7 | 79.172.212.216 |
Jul 20, 2022 01:08:27.989011049 CEST | 8080 | 49857 | 79.172.212.216 | 192.168.2.7 |
Jul 20, 2022 01:08:27.993065119 CEST | 49858 | 8080 | 192.168.2.7 | 103.221.221.247 |
Jul 20, 2022 01:08:28.205580950 CEST | 8080 | 49858 | 103.221.221.247 | 192.168.2.7 |
Jul 20, 2022 01:08:28.720330954 CEST | 49858 | 8080 | 192.168.2.7 | 103.221.221.247 |
Jul 20, 2022 01:08:28.933847904 CEST | 8080 | 49858 | 103.221.221.247 | 192.168.2.7 |
Jul 20, 2022 01:08:29.439251900 CEST | 49858 | 8080 | 192.168.2.7 | 103.221.221.247 |
Jul 20, 2022 01:08:29.650430918 CEST | 8080 | 49858 | 103.221.221.247 | 192.168.2.7 |
Jul 20, 2022 01:08:29.655344963 CEST | 49859 | 80 | 192.168.2.7 | 58.227.42.236 |
Jul 20, 2022 01:08:32.642461061 CEST | 49859 | 80 | 192.168.2.7 | 58.227.42.236 |
Jul 20, 2022 01:08:38.643042088 CEST | 49859 | 80 | 192.168.2.7 | 58.227.42.236 |
Jul 20, 2022 01:08:50.653744936 CEST | 49884 | 443 | 192.168.2.7 | 192.99.251.50 |
Jul 20, 2022 01:08:50.653812885 CEST | 443 | 49884 | 192.99.251.50 | 192.168.2.7 |
Jul 20, 2022 01:08:50.653953075 CEST | 49884 | 443 | 192.168.2.7 | 192.99.251.50 |
Jul 20, 2022 01:08:50.654799938 CEST | 49884 | 443 | 192.168.2.7 | 192.99.251.50 |
Jul 20, 2022 01:08:50.654838085 CEST | 443 | 49884 | 192.99.251.50 | 192.168.2.7 |
Jul 20, 2022 01:09:22.978303909 CEST | 49884 | 443 | 192.168.2.7 | 192.99.251.50 |
Jul 20, 2022 01:09:23.103354931 CEST | 49890 | 8080 | 192.168.2.7 | 185.157.82.211 |
Jul 20, 2022 01:09:26.115669966 CEST | 49890 | 8080 | 192.168.2.7 | 185.157.82.211 |
Jul 20, 2022 01:09:32.131822109 CEST | 49890 | 8080 | 192.168.2.7 | 185.157.82.211 |
Jul 20, 2022 01:09:44.142637968 CEST | 49893 | 8080 | 192.168.2.7 | 159.8.59.82 |
Jul 20, 2022 01:09:47.148674011 CEST | 49893 | 8080 | 192.168.2.7 | 159.8.59.82 |
Jul 20, 2022 01:09:53.156699896 CEST | 49893 | 8080 | 192.168.2.7 | 159.8.59.82 |
Jul 20, 2022 01:10:05.302692890 CEST | 49894 | 8080 | 192.168.2.7 | 51.91.7.5 |
Jul 20, 2022 01:10:05.330826998 CEST | 8080 | 49894 | 51.91.7.5 | 192.168.2.7 |
Jul 20, 2022 01:10:05.837692022 CEST | 49894 | 8080 | 192.168.2.7 | 51.91.7.5 |
Jul 20, 2022 01:10:05.868336916 CEST | 8080 | 49894 | 51.91.7.5 | 192.168.2.7 |
Jul 20, 2022 01:10:06.384687901 CEST | 49894 | 8080 | 192.168.2.7 | 51.91.7.5 |
Jul 20, 2022 01:10:06.413839102 CEST | 8080 | 49894 | 51.91.7.5 | 192.168.2.7 |
Jul 20, 2022 01:10:07.675220966 CEST | 49895 | 80 | 192.168.2.7 | 131.100.24.231 |
Jul 20, 2022 01:10:07.809349060 CEST | 80 | 49895 | 131.100.24.231 | 192.168.2.7 |
Jul 20, 2022 01:10:07.809556961 CEST | 49895 | 80 | 192.168.2.7 | 131.100.24.231 |
Jul 20, 2022 01:10:07.963644981 CEST | 49895 | 80 | 192.168.2.7 | 131.100.24.231 |
Jul 20, 2022 01:10:08.096733093 CEST | 80 | 49895 | 131.100.24.231 | 192.168.2.7 |
Jul 20, 2022 01:10:08.117975950 CEST | 80 | 49895 | 131.100.24.231 | 192.168.2.7 |
Jul 20, 2022 01:10:08.118000984 CEST | 80 | 49895 | 131.100.24.231 | 192.168.2.7 |
Jul 20, 2022 01:10:08.118088007 CEST | 49895 | 80 | 192.168.2.7 | 131.100.24.231 |
Jul 20, 2022 01:10:09.987339973 CEST | 49895 | 80 | 192.168.2.7 | 131.100.24.231 |
Jul 20, 2022 01:10:10.124428988 CEST | 80 | 49895 | 131.100.24.231 | 192.168.2.7 |
Jul 20, 2022 01:10:10.124530077 CEST | 49895 | 80 | 192.168.2.7 | 131.100.24.231 |
Jul 20, 2022 01:10:10.125487089 CEST | 49895 | 80 | 192.168.2.7 | 131.100.24.231 |
Jul 20, 2022 01:10:10.298785925 CEST | 80 | 49895 | 131.100.24.231 | 192.168.2.7 |
Jul 20, 2022 01:10:10.833700895 CEST | 80 | 49895 | 131.100.24.231 | 192.168.2.7 |
Jul 20, 2022 01:10:10.835207939 CEST | 49895 | 80 | 192.168.2.7 | 131.100.24.231 |
Jul 20, 2022 01:10:13.834009886 CEST | 80 | 49895 | 131.100.24.231 | 192.168.2.7 |
Jul 20, 2022 01:10:13.834055901 CEST | 80 | 49895 | 131.100.24.231 | 192.168.2.7 |
Jul 20, 2022 01:10:13.834258080 CEST | 49895 | 80 | 192.168.2.7 | 131.100.24.231 |
Jul 20, 2022 01:10:24.978050947 CEST | 49895 | 80 | 192.168.2.7 | 131.100.24.231 |
Jul 20, 2022 01:10:24.978131056 CEST | 49895 | 80 | 192.168.2.7 | 131.100.24.231 |
Jul 20, 2022 01:10:25.115024090 CEST | 80 | 49895 | 131.100.24.231 | 192.168.2.7 |
Jul 20, 2022 01:10:25.115293980 CEST | 49895 | 80 | 192.168.2.7 | 131.100.24.231 |
Timestamp | Source IP | Dest IP | Checksum | Code | Type |
---|---|---|---|---|---|
Jul 20, 2022 01:07:22.943972111 CEST | 120.50.40.183 | 192.168.2.7 | 60b5 | (Unknown) | Destination Unreachable |
Jul 20, 2022 01:07:25.979613066 CEST | 120.50.40.183 | 192.168.2.7 | 60b5 | (Unknown) | Destination Unreachable |
Jul 20, 2022 01:07:31.993840933 CEST | 120.50.40.183 | 192.168.2.7 | 60b5 | (Unknown) | Destination Unreachable |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.7 | 49764 | 149.56.128.192 | 443 | C:\Windows\SysWOW64\regsvr32.exe |

Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.7 | 49856 | 46.55.222.11 | 443 | C:\Windows\SysWOW64\regsvr32.exe |

Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
2 | 192.168.2.7 | 49895 | 131.100.24.231 | 80 | C:\Windows\SysWOW64\regsvr32.exe |

Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jul 20, 2022 01:10:07.963644981 CEST | 10847 | OUT | |
Jul 20, 2022 01:10:08.117975950 CEST | 10848 | IN | |
Jul 20, 2022 01:10:08.118000984 CEST | 10848 | IN | |
Jul 20, 2022 01:10:09.987339973 CEST | 10914 | OUT | |
Jul 20, 2022 01:10:10.124428988 CEST | 10914 | IN | |
Jul 20, 2022 01:10:10.125487089 CEST | 10915 | OUT | |
Jul 20, 2022 01:10:10.833700895 CEST | 10916 | IN | |
Jul 20, 2022 01:10:13.834009886 CEST | 10916 | IN | |

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.7 | 49764 | 149.56.128.192 | 443 | C:\Windows\SysWOW64\regsvr32.exe |

Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2022-07-19 23:06:48 UTC | 0 | OUT | |

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.7 | 49856 | 46.55.222.11 | 443 | C:\Windows\SysWOW64\regsvr32.exe |

Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2022-07-19 23:08:26 UTC | 0 | OUT | |
2022-07-19 23:08:26 UTC | 0 | IN | |
2022-07-19 23:08:26 UTC | 0 | IN | |
Target ID: | 0 |
Start time: | 01:06:25 |
Start date: | 20/07/2022 |
Path: | C:\Windows\System32\loaddll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x320000 |
File size: | 116736 bytes |
MD5 hash: | 7DEB5DB86C0AC789123DEC286286B938 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 1 |
Start time: | 01:06:25 |
Start date: | 20/07/2022 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xdd0000 |
File size: | 232960 bytes |
MD5 hash: | F3BDBE3BB6F734E357235F4D5898582D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 2 |
Start time: | 01:06:25 |
Start date: | 20/07/2022 |
Path: | C:\Windows\SysWOW64\regsvr32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x970000 |
File size: | 20992 bytes |
MD5 hash: | 426E7499F6A7346F0410DEAD0805586B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | high |
Target ID: | 3 |
Start time: | 01:06:26 |
Start date: | 20/07/2022 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x13e0000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | high |
Target ID: | 4 |
Start time: | 01:06:26 |
Start date: | 20/07/2022 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x13e0000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | high |
Target ID: | 5 |
Start time: | 01:06:29 |
Start date: | 20/07/2022 |
Path: | C:\Windows\SysWOW64\regsvr32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x970000 |
File size: | 20992 bytes |
MD5 hash: | 426E7499F6A7346F0410DEAD0805586B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | high |
Target ID: | 6 |
Start time: | 01:06:30 |
Start date: | 20/07/2022 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x13e0000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 10 |
Start time: | 01:06:50 |
Start date: | 20/07/2022 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7e8070000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 13 |
Start time: | 01:07:03 |
Start date: | 20/07/2022 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7e8070000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 15 |
Start time: | 01:07:13 |
Start date: | 20/07/2022 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7e8070000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 19 |
Start time: | 01:07:36 |
Start date: | 20/07/2022 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7e8070000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 21 |
Start time: | 01:07:51 |
Start date: | 20/07/2022 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7e8070000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 25 |
Start time: | 01:08:07 |
Start date: | 20/07/2022 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7e8070000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 30 |
Start time: | 01:08:54 |
Start date: | 20/07/2022 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7e8070000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Execution Graph
Execution Coverage: | 9.5% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 10.8% |
Total number of Nodes: | 836 |
Total number of Limit Nodes: | 18 |

Function | Relevance | APIs | Strings | Instructions | Tags | C-Code quality |
---|---|---|---|---|---|---|
100572C8 | 7.5 | 5 | | 44 | memory, COMMON, LIBRARYCODE | |
100182E0 | 7.0 | 2 | | 4499 | COMMON | |
100234D0 | 3.1 | 1 | | 1628 | COMMON | |
1005CC1E | 3.0 | 2 | | 28 | memory, COMMON, LIBRARYCODE | |
10035110 | 1.5 | 1 | | 44 | COMMON | |
1000AE80 | 1.3 | 1 | | 11 | COMMON | |
1003C980 | 8.8 | 4 | 1 | 70 | library, COMMON | |
10040404 | 4.5 | 3 | | 37 | COMMON | |
1005FBE9 | 2.1 | 1 | | 645 | COMMON | |
1003F1BA | 1.5 | 1 | | 12 | COMMON | |
1003A200 | 1.5 | 1 | | 11 | window, COMMON | |
10044502 | 0.4 | | | 445 | COMMON | |
1003CBF5 | 44.0 | 20 | 5 | 227 | registry, library, loader, COMMON | 84% |
100402B0 | 29.8 | 8 | 9 | 81 | library, loader, COMMON | 86% |
10042210 | 24.7 | 13 | 1 | 176 | window, COMMON | 89% |
1003C303 | 17.6 | 5 | 5 | 56 | library, loader, COMMON | 100% |
1005C455 | 15.8 | 6 | 3 | 46 | library, loader, COMMON, LIBRARYCODE | 87% |
1004802C | 13.6 | 9 | | 96 | memory, COMMON | 91% |
1004296A | 10.6 | 5 | 1 | 103 | window, COMMON | 100% |
10051A50 | 10.6 | 7 | | 86 | window, COMMON | 79% |
100478BC | 10.6 | 5 | 1 | 65 | registry, COMMON | 100% |
1003FD0F | 9.3 | 6 | | 255 | memory, COMMON | |
1003E588 | 9.1 | 6 | | 68 | COMMON | |
10047B97 | 9.0 | 6 | | 45 | COMMON | |
100531E6 | 7.6 | 5 | | 58 | COMMON | |
10053274 | 7.6 | 5 | | 58 | COMMON | |
10047A1A | 7.6 | 5 | | 53 | string, COMMON | |
1004931A | 7.1 | 3 | 1 | 109 | string, COMMON | |
1005091A | 6.2 | 4 | | 173 | window, COMMON | |
10053CDC | 6.1 | 4 | | 132 | time, COMMON | |
10045A51 | 6.1 | 4 | | 103 | window, COMMON | |
1004A159 | 6.1 | 4 | | 72 | COMMON | |
1004F33A | 6.1 | 4 | | 70 | COMMON | |
1003ECD9 | 6.1 | 4 | | 57 | COMMON | |
1004DD0D | 6.1 | 4 | | 52 | COMMON | |
10048BA6 | 6.1 | 4 | | 51 | COMMON | |
100431B3 | 6.0 | 4 | | 49 | COMMON | |
10042B27 | 6.0 | 4 | | 48 | COMMON | |
10045474 | 6.0 | 4 | | 42 | COMMON | |
100483AE | 5.0 | 4 | | 37 | COMMON | |
10047D07 | 5.0 | 4 | | 31 | COMMON | |

Execution Graph
Execution Coverage: | 19.9% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 0.2% |
Total number of Nodes: | 502 |
Total number of Limit Nodes: | 14 |
Graph
Function 100351A0 Relevance: 26.4, APIs: 9, Strings: 4, Instructions: 3610COMMONLIBRARYCODE
Control-flow Graph
C-Code - Quality: 89% |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 10047E7A Relevance: 16.6, APIs: 11, Instructions: 103memoryCOMMONLIBRARYCODE
Control-flow Graph
C-Code - Quality: 80% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 100572C8 Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 1005CC1E Relevance: 3.0, APIs: 2, Instructions: 28memoryCOMMONLIBRARYCODE
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 1000AE80 Relevance: 1.3, APIs: 1, Instructions: 11COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 1003C980 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70libraryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 1003CBF5 Relevance: 45.7, APIs: 21, Strings: 5, Instructions: 227registrylibraryloaderCOMMON
C-Code - Quality: 84% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 1005C72E Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMONLIBRARYCODE
C-Code - Quality: 91% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 100402B0 Relevance: 29.8, APIs: 8, Strings: 9, Instructions: 81libraryloaderCOMMON
C-Code - Quality: 86% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 86% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 45% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 10051FC8 Relevance: 26.0, APIs: 17, Instructions: 452windowkeyboardCOMMON
C-Code - Quality: 83% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 10042210 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 176windowCOMMON
C-Code - Quality: 89% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 1003C303 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 56libraryloaderCOMMON
C-Code - Quality: 100% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 1003EFCC Relevance: 16.6, APIs: 11, Instructions: 139COMMON
C-Code - Quality: 94% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 1005C455 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 46libraryloaderCOMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 1004802C Relevance: 13.6, APIs: 9, Instructions: 96memoryCOMMONLIBRARYCODE
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 1004847F Relevance: 12.0, APIs: 8, Instructions: 38COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 1003E1C2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117, Tags: registry, COMMON |
Uniqueness Score: -1.00% |
Function 1004296A Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103, Tags: window, COMMON |
Uniqueness Score: -1.00% |
Function 10051A50 Relevance: 10.6, APIs: 7, Instructions: 86, Tags: window, COMMON |
Uniqueness Score: -1.00% |
Function 100478BC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65, Tags: registry, COMMON |
Uniqueness Score: -1.00% |
Function 1004843B Relevance: 10.5, APIs: 7, Instructions: 29, Tags: COMMON |
Uniqueness Score: -1.00% |
Function 1005481C Relevance: 9.2, APIs: 6, Instructions: 249, Tags: string, COMMON |
Uniqueness Score: -1.00% |
Function 1003E588 Relevance: 9.1, APIs: 6, Instructions: 68, Tags: COMMON |
Uniqueness Score: -1.00% |
Function 10047B97 Relevance: 9.0, APIs: 6, Instructions: 45, Tags: COMMON |
Uniqueness Score: -1.00% |
Function 1003D66C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92, Tags: window, COMMON |
Uniqueness Score: -1.00% |
Function 100531E6 Relevance: 7.6, APIs: 5, Instructions: 58, Tags: COMMON |
Uniqueness Score: -1.00% |
Function 10053274 Relevance: 7.6, APIs: 5, Instructions: 58, Tags: COMMON |
Uniqueness Score: -1.00% |
Function 10047A1A Relevance: 7.6, APIs: 5, Instructions: 53, Tags: string, COMMON |
Uniqueness Score: -1.00% |
Function 1004931A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 109, Tags: string, COMMON |
Uniqueness Score: -1.00% |
Function 100439BA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39, Tags: libraryloader, COMMON |
Uniqueness Score: -1.00% |
Function 1005F7D7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37, Tags: libraryloader, COMMON, LIBRARYCODE |
Uniqueness Score: -1.00% |
Function 1004FE44 Relevance: 6.3, APIs: 4, Instructions: 309, Tags: memory, COMMON |
Uniqueness Score: -1.00% |
Function 1005091A Relevance: 6.2, APIs: 4, Instructions: 173, Tags: window, COMMON |
Uniqueness Score: -1.00% |
Function 10053CDC Relevance: 6.1, APIs: 4, Instructions: 132, Tags: time, COMMON |
Uniqueness Score: -1.00% |
Function 10045A51 Relevance: 6.1, APIs: 4, Instructions: 103, Tags: window, COMMON |
Uniqueness Score: -1.00% |
Function 1004873F Relevance: 6.1, APIs: 4, Instructions: 88, Tags: COMMON |
Uniqueness Score: -1.00% |
Function 1004A159 Relevance: 6.1, APIs: 4, Instructions: 72, Tags: COMMON |
Uniqueness Score: -1.00% |
Function 1004F33A Relevance: 6.1, APIs: 4, Instructions: 70, Tags: COMMON |
Uniqueness Score: -1.00% |
Function 1004769F Relevance: 6.1, APIs: 4, Instructions: 58, Tags: window, COMMON, LIBRARYCODE |
Uniqueness Score: -1.00% |
Function 1003ECD9 Relevance: 6.1, APIs: 4, Instructions: 57, Tags: COMMON |
Uniqueness Score: -1.00% |
Function 1003CF6F Relevance: 6.1, APIs: 4, Instructions: 56, Tags: thread, COMMON, LIBRARYCODE |
Uniqueness Score: -1.00% |
Function 10044486 Relevance: 6.1, APIs: 4, Instructions: 55, Tags: window, COMMON |
Uniqueness Score: -1.00% |
Function 1003F724 Relevance: 6.1, APIs: 4, Instructions: 55, Tags: COMMON |
Uniqueness Score: -1.00% |
Function 1004DD0D Relevance: 6.1, APIs: 4, Instructions: 52, Tags: COMMON |
Uniqueness Score: -1.00% |
Function 10048BA6 Relevance: 6.1, APIs: 4, Instructions: 51, Tags: COMMON |
Uniqueness Score: -1.00% |
Function 1003D501 Relevance: 6.0, APIs: 4, Instructions: 50, Tags: window, COMMON |
Uniqueness Score: -1.00% |
Function 100431B3 Relevance: 6.0, APIs: 4, Instructions: 49, Tags: COMMON |
Uniqueness Score: -1.00% |
Function 10042B27 Relevance: 6.0, APIs: 4, Instructions: 48, Tags: COMMON |
Uniqueness Score: -1.00% |
Function 10045474 Relevance: 6.0, APIs: 4, Instructions: 42, Tags: COMMON |
Uniqueness Score: -1.00% |
Function 1003F12B Relevance: 6.0, APIs: 4, Instructions: 32, Tags: COMMON |
Uniqueness Score: -1.00% |