Edit tour
Windows
Analysis Report
pzG0rkIchr.exe
Overview
General Information
| Sample Name: | pzG0rkIchr.exe (renamed file extension from exe to dll) |
| Analysis ID: | 752975 |
| MD5: | d6ef4778f7dc9c31a0a2a989ef42d2fd |
| SHA1: | 5dad8394ef37d5a006674589754f7a3187d303b1 |
| SHA256: | 54de1f2c26a63a8f6b7f8d5de99f8ebd4093959ab07f027db1985d0652258736 |
| Tags: | exeLDR4 |
| Infos: |  |
 | |
Detection
Ursnif
| Score: | 84 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Yara detected Ursnif
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Performs DNS queries to domains with low reputation
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Tries to load missing DLLs
Checks if the current process is being debugged
Registers a DLL
Launches processes in debugging mode, may be used to hinder debugging
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
loaddll64.exe (PID: 492 cmdline: loaddll64. exe "C:\Us ers\user\D esktop\pzG 0rkIchr.dl l" MD5: C676FC0263EDD17D4CE7D644B8F3FCD6) 
conhost.exe (PID: 5284 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - cmd.exe (PID: 5156 cmdline:
cmd.exe /C rundll32. exe "C:\Us ers\user\D esktop\pzG 0rkIchr.dl l",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F) 
rundll32.exe (PID: 1228 cmdline: rundll32.e xe "C:\Use rs\user\De sktop\pzG0 rkIchr.dll ",#1 MD5: 73C519F050C20580F8A62C849D49215A) - regsvr32.exe (PID: 5172 cmdline:
regsvr32.e xe /s C:\U sers\user\ Desktop\pz G0rkIchr.d ll MD5: D78B75FC68247E8A63ACBA846182740E) - rundll32.exe (PID: 400 cmdline:
rundll32.e xe C:\User s\user\Des ktop\pzG0r kIchr.dll, DllRegiste rServer MD5: 73C519F050C20580F8A62C849D49215A) - rundll32.exe (PID: 2100 cmdline:
rundll32.e xe C:\User s\user\Des ktop\pzG0r kIchr.dll, ItsnPq5v MD5: 73C519F050C20580F8A62C849D49215A) 
WerFault.exe (PID: 5904 cmdline: C:\Windows \system32\ WerFault.e xe -u -p 2 100 -s 304 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0) - WerFault.exe (PID: 5968 cmdline:
C:\Windows \system32\ WerFault.e xe -u -p 2 100 -s 304 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0) - rundll32.exe (PID: 1308 cmdline:
rundll32.e xe C:\User s\user\Des ktop\pzG0r kIchr.dll, QlqYo259k MD5: 73C519F050C20580F8A62C849D49215A) - WerFault.exe (PID: 5188 cmdline:
C:\Windows \system32\ WerFault.e xe -u -p 1 308 -s 304 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0) - WerFault.exe (PID: 3260 cmdline:
C:\Windows \system32\ WerFault.e xe -u -p 1 308 -s 304 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
- cleanup
{"c2_domain": ["https://gigimas.xyz", "https://reaso.xyz"], "botnet": "202206061", "aes key": "eq2opFFpGzpd2p9t", "sleep time": "20", "request time": "30", "host keep time": "120", "host shift time": "120"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Ursnifv4 | Yara detected Ursnif | Joe Security | ||
| JoeSecurity_Ursnifv4 | Yara detected Ursnif | Joe Security | ||
| JoeSecurity_Ursnifv4 | Yara detected Ursnif | Joe Security | ||
| JoeSecurity_Ursnifv4 | Yara detected Ursnif | Joe Security |
⊘No Sigma rule has matched
| Timestamp: | 192.168.2.48.8.8.864906532039645 11/24/22-05:22:35.810533 |
| SID: | 2039645 |
| Source Port: | 64906 |
| Destination Port: | 53 |
| Protocol: | UDP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.48.8.8.861007532039645 11/24/22-05:20:02.978332 |
| SID: | 2039645 |
| Source Port: | 61007 |
| Destination Port: | 53 |
| Protocol: | UDP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.48.8.8.861124532039645 11/24/22-05:21:04.451832 |
| SID: | 2039645 |
| Source Port: | 61124 |
| Destination Port: | 53 |
| Protocol: | UDP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.48.8.8.859444532039645 11/24/22-05:21:34.871041 |
| SID: | 2039645 |
| Source Port: | 59444 |
| Destination Port: | 53 |
| Protocol: | UDP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.48.8.8.855570532039645 11/24/22-05:22:05.359167 |
| SID: | 2039645 |
| Source Port: | 55570 |
| Destination Port: | 53 |
| Protocol: | UDP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.48.8.8.860686532039645 11/24/22-05:20:33.386749 |
| SID: | 2039645 |
| Source Port: | 60686 |
| Destination Port: | 53 |
| Protocol: | UDP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.48.8.8.859446532039645 11/24/22-05:23:06.390786 |
| SID: | 2039645 |
| Source Port: | 59446 |
| Destination Port: | 53 |
| Protocol: | UDP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | ReversingLabs: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_00007FF88C07FB70 | |
| Source: | Code function: | 3_2_00007FF88C07FB70 | |
| Source: | Code function: | 6_2_00007FF88C07FB70 | |
Networking | |
|---|
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Domain query: | |||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | DNS query: | ||
| Source: | DNS query: | ||
| Source: | DNS query: | ||
| Source: | DNS query: | ||
| Source: | DNS query: | ||
| Source: | DNS query: | ||
| Source: | DNS query: | ||
| Source: | ASN Name: | ||
| Source: | IP Address: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | DNS traffic detected: | ||
Key, Mouse, Clipboard, Microphone and Screen Capturing | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
E-Banking Fraud | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Process created: | ||
| Source: | Code function: | 0_2_0000027ED37137E0 | |
| Source: | Code function: | 0_2_0000027ED3715638 | |
| Source: | Code function: | 0_2_0000027ED371A918 | |
| Source: | Code function: | 0_2_0000027ED3716DF0 | |
| Source: | Code function: | 0_2_0000027ED3717FD4 | |
| Source: | Code function: | 0_2_0000027ED3713CD8 | |
| Source: | Code function: | 0_2_0000027ED37131C0 | |
| Source: | Code function: | 0_2_0000027ED37134A4 | |
| Source: | Code function: | 0_2_0000027ED3719D6C | |
| Source: | Code function: | 0_2_0000027ED3714540 | |
| Source: | Code function: | 0_2_0000027ED371204C | |
| Source: | Code function: | 0_2_00007FF88C076D50 | |
| Source: | Code function: | 0_2_00007FF88C075840 | |
| Source: | Code function: | 0_2_00007FF88C071520 | |
| Source: | Code function: | 0_2_00007FF88C088D50 | |
| Source: | Code function: | 0_2_00007FF88C090D70 | |
| Source: | Code function: | 0_2_00007FF88C07F964 | |
| Source: | Code function: | 0_2_00007FF88C08B9B0 | |
| Source: | Code function: | 0_2_00007FF88C0875E0 | |
| Source: | Code function: | 0_2_00007FF88C081E14 | |
| Source: | Code function: | 0_2_00007FF88C08F290 | |
| Source: | Code function: | 0_2_00007FF88C0742A0 | |
| Source: | Code function: | 0_2_00007FF88C0776E0 | |
| Source: | Code function: | 0_2_00007FF88C071B10 | |
| Source: | Code function: | 0_2_00007FF88C08B370 | |
| Source: | Code function: | 0_2_00007FF88C079BA0 | |
| Source: | Code function: | 0_2_00007FF88C0783C0 | |
| Source: | Code function: | 0_2_00007FF88C086808 | |
| Source: | Code function: | 0_2_00007FF88C076820 | |
| Source: | Code function: | 0_2_00007FF88C074C80 | |
| Source: | Code function: | 0_2_00007FF88C07DCAC | |
| Source: | Code function: | 0_2_00007FF88C0790B0 | |
| Source: | Code function: | 0_2_00007FF88C075CC0 | |
| Source: | Code function: | 0_2_00007FF88C08F8F0 | |
| Source: | Code function: | 0_2_00007FF88C0898F0 | |
| Source: | Code function: | 3_2_003D37E0 | |
| Source: | Code function: | 3_2_003D5638 | |
| Source: | Code function: | 3_2_003DA918 | |
| Source: | Code function: | 3_2_003D9D6C | |
| Source: | Code function: | 3_2_003D204C | |
| Source: | Code function: | 3_2_003D4540 | |
| Source: | Code function: | 3_2_003D34A4 | |
| Source: | Code function: | 3_2_003D6DF0 | |
| Source: | Code function: | 3_2_003D3CD8 | |
| Source: | Code function: | 3_2_003D7FD4 | |
| Source: | Code function: | 3_2_003D31C0 | |
| Source: | Code function: | 3_2_00007FF88C076D50 | |
| Source: | Code function: | 3_2_00007FF88C075840 | |
| Source: | Code function: | 3_2_00007FF88C071520 | |
| Source: | Code function: | 3_2_00007FF88C088D50 | |
| Source: | Code function: | 3_2_00007FF88C090D70 | |
| Source: | Code function: | 3_2_00007FF88C07F964 | |
| Source: | Code function: | 3_2_00007FF88C08B9B0 | |
| Source: | Code function: | 3_2_00007FF88C0875E0 | |
| Source: | Code function: | 3_2_00007FF88C081E14 | |
| Source: | Code function: | 3_2_00007FF88C08F290 | |
| Source: | Code function: | 3_2_00007FF88C0742A0 | |
| Source: | Code function: | 3_2_00007FF88C0776E0 | |
| Source: | Code function: | 3_2_00007FF88C071B10 | |
| Source: | Code function: | 3_2_00007FF88C08B370 | |
| Source: | Code function: | 3_2_00007FF88C079BA0 | |
| Source: | Code function: | 3_2_00007FF88C0783C0 | |
| Source: | Code function: | 3_2_00007FF88C086808 | |
| Source: | Code function: | 3_2_00007FF88C076820 | |
| Source: | Code function: | 3_2_00007FF88C074C80 | |
| Source: | Code function: | 3_2_00007FF88C07DCAC | |
| Source: | Code function: | 3_2_00007FF88C0790B0 | |
| Source: | Code function: | 3_2_00007FF88C075CC0 | |
| Source: | Code function: | 3_2_00007FF88C08F8F0 | |
| Source: | Code function: | 3_2_00007FF88C0898F0 | |
| Source: | Code function: | 4_2_0000021DD93337E0 | |
| Source: | Code function: | 4_2_0000021DD9333CD8 | |
| Source: | Code function: | 4_2_0000021DD93331C0 | |
| Source: | Code function: | 4_2_0000021DD9335638 | |
| Source: | Code function: | 4_2_0000021DD9339D6C | |
| Source: | Code function: | 4_2_0000021DD93334A4 | |
| Source: | Code function: | 4_2_0000021DD9336DF0 | |
| Source: | Code function: | 4_2_0000021DD9337FD4 | |
| Source: | Code function: | 4_2_0000021DD933A918 | |
| Source: | Code function: | 4_2_0000021DD9334540 | |
| Source: | Code function: | 4_2_0000021DD933204C | |
| Source: | Code function: | 5_2_000001F71CC037E0 | |
| Source: | Code function: | 5_2_000001F71CC03CD8 | |
| Source: | Code function: | 5_2_000001F71CC06DF0 | |
| Source: | Code function: | 5_2_000001F71CC034A4 | |
| Source: | Code function: | 5_2_000001F71CC031C0 | |
| Source: | Code function: | 5_2_000001F71CC07FD4 | |
| Source: | Code function: | 5_2_000001F71CC09D6C | |
| Source: | Code function: | 5_2_000001F71CC0A918 | |
| Source: | Code function: | 5_2_000001F71CC05638 | |
| Source: | Code function: | 5_2_000001F71CC04540 | |
| Source: | Code function: | 5_2_000001F71CC0204C | |
| Source: | Code function: | 6_2_00007FF88C071520 | |
| Source: | Code function: | 6_2_00007FF88C088D50 | |
| Source: | Code function: | 6_2_00007FF88C076D50 | |
| Source: | Code function: | 6_2_00007FF88C090D70 | |
| Source: | Code function: | 6_2_00007FF88C07F964 | |
| Source: | Code function: | 6_2_00007FF88C08B9B0 | |
| Source: | Code function: | 6_2_00007FF88C0875E0 | |
| Source: | Code function: | 6_2_00007FF88C081E14 | |
| Source: | Code function: | 6_2_00007FF88C08F290 | |
| Source: | Code function: | 6_2_00007FF88C0742A0 | |
| Source: | Code function: | 6_2_00007FF88C0776E0 | |
| Source: | Code function: | 6_2_00007FF88C071B10 | |
| Source: | Code function: | 6_2_00007FF88C08B370 | |
| Source: | Code function: | 6_2_00007FF88C079BA0 | |
| Source: | Code function: | 6_2_00007FF88C0783C0 | |
| Source: | Code function: | 6_2_00007FF88C086808 | |
| Source: | Code function: | 6_2_00007FF88C076820 | |
| Source: | Code function: | 6_2_00007FF88C075840 | |
| Source: | Code function: | 6_2_00007FF88C074C80 | |
| Source: | Code function: | 6_2_00007FF88C07DCAC | |
| Source: | Code function: | 6_2_00007FF88C0790B0 | |
| Source: | Code function: | 6_2_00007FF88C075CC0 | |
| Source: | Code function: | 6_2_00007FF88C08F8F0 | |
| Source: | Code function: | 6_2_00007FF88C0898F0 | |
| Source: | Code function: | 0_2_0000027ED371A0AC | |
| Source: | Code function: | 3_2_003DA0AC | |
| Source: | Code function: | 4_2_0000021DD933A0AC | |
| Source: | Code function: | 5_2_000001F71CC0A0AC | |
| Source: | Section loaded: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Classification label: | ||
| Source: | Process created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_00007FF88C08B9B0 | |
| Source: | Process created: | ||
Hooking and other Techniques for Hiding and Protection | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | API coverage: | ||
| Source: | Code function: | 0_2_00007FF88C07FB70 | |
| Source: | Code function: | 3_2_00007FF88C07FB70 | |
| Source: | Code function: | 6_2_00007FF88C07FB70 | |
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | API call chain: | graph_0-10633 | ||
| Source: | API call chain: | graph_0-10376 | ||
| Source: | API call chain: | graph_0-10371 | ||
| Source: | API call chain: | |||
| Source: | API call chain: | |||
| Source: | API call chain: | |||
| Source: | API call chain: | |||
| Source: | API call chain: | |||
| Source: | API call chain: | |||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_00007FF88C07E374 | |
| Source: | Code function: | 0_2_00007FF88C08B9B0 | |
| Source: | Code function: | 0_2_00007FF88C0711F0 | |
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00007FF88C086DA4 | |
| Source: | Code function: | 0_2_00007FF88C07E374 | |
| Source: | Code function: | 0_2_00007FF88C07BC0C | |
| Source: | Code function: | 3_2_00007FF88C086DA4 | |
| Source: | Code function: | 3_2_00007FF88C07E374 | |
| Source: | Code function: | 3_2_00007FF88C07BC0C | |
| Source: | Code function: | 6_2_00007FF88C086DA4 | |
| Source: | Code function: | 6_2_00007FF88C07E374 | |
| Source: | Code function: | 6_2_00007FF88C07BC0C | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Domain query: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00007FF88C0865F0 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_00007FF88C08ED60 | |
| Source: | Code function: | 0_2_00007FF88C07BB08 | |
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | 1 Native API | 1 DLL Side-Loading | 112 Process Injection | 1 Disable or Modify Tools | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 12 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | LSASS Memory | 31 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Non-Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 112 Process Injection | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 2 Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Regsvr32 | NTDS | 1 Remote System Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Rundll32 | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 DLL Side-Loading | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 73% | ReversingLabs | Win64.Trojan.Tnega |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | malware |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| gigimas.xyz | 185.250.148.35 | true | true | unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| low | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 185.250.148.35 | gigimas.xyz | Russian Federation | 48430 | FIRSTDC-ASRU | true |
| Joe Sandbox Version: | 36.0.0 Rainbow Opal |
| Analysis ID: | 752975 |
| Start date and time: | 2022-11-24 05:18:08 +01:00 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 9m 27s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Sample file name: | pzG0rkIchr.exe (renamed file extension from exe to dll) |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 20 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Detection: | MAL |
| Classification: | mal84.troj.evad.winDLL@22/8@7/1 |
| EGA Information: |
|
| HDC Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WerFault.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 52.182.143.212
- Excluded domains from analysis (whitelisted): onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, watson.telemetry.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- VT rate limit hit for: pzG0rkIchr.dll
| Time | Type | Description |
|---|---|---|
| 05:19:48 | API Interceptor | |
| 05:19:49 | API Interceptor | |
| 05:20:02 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| 185.250.148.35 | Get hash | malicious | Browse | ||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| gigimas.xyz | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| FIRSTDC-ASRU | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
⊘No context
⊘No context
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_pzG_5df03237c245e7792ae728ba7af47d1bed8c47f7_4f0e5919_16399239\Report.wer
Download File
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.7600039551007107 |
| Encrypted: | false |
| SSDEEP: | 96:6TFZZFigJPnyqjs55P7HfipXIQcQHc6CcEm6cw3I/XaXz+HbHgSQgJPbpIDV9wO7:snigJKKH5Gs60j0I/u7swS274ltC |
| MD5: | BD5C8925F7120E1292DBD4961E9F2AB2 |
| SHA1: | 997623AC245EEC6535D175E199A180D43E9282FC |
| SHA-256: | 0B242B11BC21F42FD27F1BDD633316DA3694606201E59C3C3CCC3593345C8B7A |
| SHA-512: | 8075C625810E044C3224941D33DD97830E1EC5397E416AFC0DCCCB749580837F7629D7DDDCD531D39423195F82DCF2DF3060474F749789A977EF7DB655E65581 |
| Malicious: | false |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_pzG_f6b0ff3966a3d6c74191edf638977ebb42334d7_4f0e5919_156d919c\Report.wer
Download File
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.7599992295897045 |
| Encrypted: | false |
| SSDEEP: | 96:icFXVFiXJPnybjs55P7Hf5pXIQcQdc6/RcEccw3+XaXz+HbHgSQgJPbpIDV9wOyk:71iXJKIHz9mAj0I/u7swS274ltC |
| MD5: | 1E8445DB848C561B6CB8CBEF60359786 |
| SHA1: | 00E829DA03ACB0B24004E2C2E45E7D439352BF8D |
| SHA-256: | 8F94F06BC63F693379833D7156EC4C3E65788BD94BC7470C12EF985AED723EBD |
| SHA-512: | 72C3DE3F22801E3947FDC86690B8A63175DC9EFCF7503AF898485A380B6941C42E55F965658B3F799051283C10C4823F5C0C2DE8EFE293C9904D117487FDA1D2 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 56070 |
| Entropy (8bit): | 1.7075050210528775 |
| Encrypted: | false |
| SSDEEP: | 192:rlRq3OC5I6Pdfek5ka0LGuO3bcmXJBjz2RdYnUQDfERORDNKyB4RSOnR:pCDck5DbRD |
| MD5: | 1A5AA058B4E8ACA002D6B153E7C3B88E |
| SHA1: | B722FD3B879CCAD5D57716D5D375355C05AC1AA4 |
| SHA-256: | 4C914A886A7765E4A814BD13405293A39423A4BB8A6EE712B7D48B0E3086A3F9 |
| SHA-512: | 010E25A468C02F293CEBCAF7FA64CF746F6716571837CAD3BC35877EC74F8808B352E2DBC3CE080FF502E1CE8ED8EF02F69F4953C48FFC0537CC6363A68EA782 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 54966 |
| Entropy (8bit): | 1.7301605700636602 |
| Encrypted: | false |
| SSDEEP: | 192:kl9crsOC5We/Q7NLbBjD4z5s0mE6liAU3Oq:amC8e/Q7d1V0m |
| MD5: | A57C13F28721473003BE444D7239D372 |
| SHA1: | 10C6496461E1C6113B6FF62120CA7D83CC17216A |
| SHA-256: | EBF7FC039C185490580CF4BB3044B63044A13DD5305F7755AC858779DDFCD9FA |
| SHA-512: | 814B8BD3E2333F3084A46553787236EE0C5C0B71EA62B6636836254D80939B593CC3AE58EABC8CD3DDAE9620CAC53AF5550504734A192F8BADBE8BA98EEA582A |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8526 |
| Entropy (8bit): | 3.696693878810589 |
| Encrypted: | false |
| SSDEEP: | 192:Rrl7r3GLNiWpWiN6Y+TagmfQYSl2G+prD89b4oCafaIm:RrlsNiYWiN6YKagmfQYSlR4FafE |
| MD5: | 891C13F961FC9780F58F08B88D03FE00 |
| SHA1: | 7AC38531C1F3F85ED591B419A1C0C9D560DE4B1B |
| SHA-256: | B04D603146FD1D2F17D6588066AA48A86D85B511E7D88380393C69F9BCC4575C |
| SHA-512: | 3D766FCF4F2835FD6750E5BED7331A27EF548BB8C9D729E7B3D3AD8AA09677360AE67F5F2887B1D8057FEBFC622505A4A179A2F07B31E87FBDCEFD4B42C2B477 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8524 |
| Entropy (8bit): | 3.6955697518324317 |
| Encrypted: | false |
| SSDEEP: | 192:Rrl7r3GLNivSLis6Y+ZagmfQhSGG+pr889b4IOfxIm:RrlsNiqLis6YgagmfQhSM4Zfr |
| MD5: | 64CB5AA88613858B4078E5BB14479AE6 |
| SHA1: | 138C49AF256A227F26D86557778AADF52F016EFB |
| SHA-256: | 1001101306104ACE07059DB78333327804781A7FBC4E59CBC7DEB3AC14A27E8E |
| SHA-512: | 32B368E68F5C667FE75F2B36BECB8680A2D39960E69878D527CAC83B1356126C7BFA04C9645E17A0ACCC7482F244DC7A5571186F0B5F7371D39FF7579A2F5F69 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4733 |
| Entropy (8bit): | 4.474599386008591 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwSD8zsA+JgtBI9XlVWgc8sqYjRTq8fm8M4JCXCOFFVyq85m27UZESC5S+d:uITf3NGgrsqYlTfJ8xVv+d |
| MD5: | CDE8A3EB67D3F603A55F6BCA1C15EA67 |
| SHA1: | 9425363A7B60C24BB7466FEAA6C38D60B86C084D |
| SHA-256: | F2E7CAB0595409E2A61035A46D0DF145C3CCCDC99C2FE8FDB7BBF04B590ED7F9 |
| SHA-512: | BC28D09B0C638843187EDB12E207B49C15A1F99917950FC5E748FEC26F62376E8AFDA47C3BBBEDB80F52FC38BF4C8FE02AA0232816274B4B291A576CD030FACC |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4733 |
| Entropy (8bit): | 4.478085829501657 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwSD8zsA+JgtBI9XlVWgc8sqYjF8fm8M4JCXCOCFUyq85m2skUZESC5Sjd:uITf3NGgrsqYeJuzTVvjd |
| MD5: | 0BD2A0E70F01F1D342661314591029DC |
| SHA1: | CFA327EBD0E02AEAA2F23AB3EA938AA843FB71F5 |
| SHA-256: | A8350E49452A0A6A302EF0A3BA63447E4F1C64FF6C2335E22D1B53DE654A27D5 |
| SHA-512: | 6CA8CB1FA55453B637117B22CC0C474110CFE03BCFD602657AEE4F778B4072F8623D5CF32193183DF148F8A5630996B0926C499700F663552898C875774CD12A |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.637392883592079 |
| TrID: |
|
| File name: | pzG0rkIchr.dll |
| File size: | 290568 |
| MD5: | d6ef4778f7dc9c31a0a2a989ef42d2fd |
| SHA1: | 5dad8394ef37d5a006674589754f7a3187d303b1 |
| SHA256: | 54de1f2c26a63a8f6b7f8d5de99f8ebd4093959ab07f027db1985d0652258736 |
| SHA512: | 997b57424364ff661d80ca6efc5b7e91f2204d1ed7c4d784ee7d6134bc06952c993de038d6a25c71a7949b08ddd8cc5d167f8c753379f69ee1b6b49342fafa63 |
| SSDEEP: | 6144:wHyvumb1p7CC8VoxOJbceNOHI2Tse2RTggR/Znv+yit:Smbrgu2so2TVwcK/ZnG/t |
| TLSH: | ED54BF41F3D904A6D9138D3D8857562BEBF13C212214DA5F8B50C36A6F37BA1E739B22 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......!5..eT..eT..eT....Z.`T....X..T....Y.hT..^...bT..^...qT..^...uT....`.fT..eT...T......gT......dT......dT..RicheT..........PE..d.. |
 | |
| Icon Hash: | 74f0e4ecccdce0e4 |
| Entrypoint: | 0x18000b6ec |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x180000000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL |
| DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT |
| Time Stamp: | 0x62C42DD7 [Tue Jul 5 12:25:59 2022 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 4270d9bbb54b179372d82277269282e6 |
| Signature Valid: | true |
| Signature Issuer: | CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB |
| Signature Validation Error: | The operation completed successfully |
| Error Number: | 0 |
| Not Before, Not After |
|
| Subject Chain |
|
| Version: | 3 |
| Thumbprint MD5: | 71834A68FD130C9D08796B4F19A6FC67 |
| Thumbprint SHA-1: | CA69087AAAA087346202AD16228337130511C4C5 |
| Thumbprint SHA-256: | F13E4801E13898E839183E3305E1DDA7F4C0EBF6EAF7553E18C1DDD4EDC94470 |
| Serial: | 2F96A89BFEC6E44DD224E8FD7E72D9BB |
| Instruction |
|---|
| dec eax |
| mov dword ptr [esp+08h], ebx |
| dec eax |
| mov dword ptr [esp+10h], esi |
| push edi |
| dec eax |
| sub esp, 20h |
| dec ecx |
| mov edi, eax |
| mov ebx, edx |
| dec eax |
| mov esi, ecx |
| cmp edx, 01h |
| jne 00007FE818B824F7h |
| call 00007FE818B828F0h |
| dec esp |
| mov eax, edi |
| mov edx, ebx |
| dec eax |
| mov ecx, esi |
| dec eax |
| mov ebx, dword ptr [esp+30h] |
| dec eax |
| mov esi, dword ptr [esp+38h] |
| dec eax |
| add esp, 20h |
| pop edi |
| jmp 00007FE818B8236Ch |
| int3 |
| int3 |
| int3 |
| dec eax |
| sub esp, 28h |
| call 00007FE818B82D88h |
| test eax, eax |
| je 00007FE818B82513h |
| dec eax |
| mov eax, dword ptr [00000030h] |
| dec eax |
| mov ecx, dword ptr [eax+08h] |
| jmp 00007FE818B824F7h |
| dec eax |
| cmp ecx, eax |
| je 00007FE818B82506h |
| xor eax, eax |
| dec eax |
| cmpxchg dword ptr [00038A68h], ecx |
| jne 00007FE818B824E0h |
| xor al, al |
| dec eax |
| add esp, 28h |
| ret |
| mov al, 01h |
| jmp 00007FE818B824E9h |
| int3 |
| int3 |
| int3 |
| dec eax |
| sub esp, 28h |
| call 00007FE818B82D4Ch |
| test eax, eax |
| je 00007FE818B824F9h |
| call 00007FE818B82B6Fh |
| jmp 00007FE818B8250Bh |
| call 00007FE818B82D34h |
| mov ecx, eax |
| call 00007FE818B844A1h |
| test eax, eax |
| je 00007FE818B824F6h |
| xor al, al |
| jmp 00007FE818B824F9h |
| call 00007FE818B84828h |
| mov al, 01h |
| dec eax |
| add esp, 28h |
| ret |
| dec eax |
| sub esp, 28h |
| xor ecx, ecx |
| call 00007FE818B82636h |
| test al, al |
| setne al |
| dec eax |
| add esp, 28h |
| ret |
| int3 |
| int3 |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x371c0 | 0x94 | .rdata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x37254 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x46000 | 0x15cc | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x44600 | 0x2908 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x49000 | 0x618 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x34dd0 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x34df0 | 0x94 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x23000 | 0x2a8 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x21390 | 0x21400 | False | 0.6091694078947368 | zlib compressed data | 6.321988758719223 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x23000 | 0x14b40 | 0x14c00 | False | 0.5551228350903614 | data | 5.589680054404924 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x38000 | 0xd378 | 0xc200 | False | 0.581286243556701 | data | 4.475772855701728 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .pdata | 0x46000 | 0x15cc | 0x1600 | False | 0.49556107954545453 | data | 5.3249872988992655 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .gfids | 0x48000 | 0x94 | 0x200 | False | 0.248046875 | data | 1.4095612964443904 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x49000 | 0x618 | 0x800 | False | 0.54150390625 | data | 4.760086879502757 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| DLL | Import |
|---|---|
| KERNEL32.dll | CreateFileA, LockFile, ReadFile, SetEndOfFile, UnlockFile, CloseHandle, PeekNamedPipe, HeapCreate, HeapAlloc, HeapFree, GetProcessHeap, HeapWalk, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, TryEnterCriticalSection, DeleteCriticalSection, WaitForSingleObject, ExitProcess, CreateThread, VirtualAlloc, GetProcAddress, CreateFileMappingA, LoadLibraryA, CreateNamedPipeA, CallNamedPipeA, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, GetModuleHandleW, RtlUnwindEx, InterlockedFlushSList, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, GetCurrentProcess, TerminateProcess, GetModuleHandleExW, GetModuleFileNameA, MultiByteToWideChar, WideCharToMultiByte, LCMapStringW, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetStdHandle, GetFileType, GetStringTypeW, CreateFileW, HeapSize, HeapReAlloc, SetStdHandle, FlushFileBuffers, WriteFile, GetConsoleCP, GetConsoleMode, ReadConsoleW, SetFilePointerEx, WriteConsoleW, RaiseException |
| Name | Ordinal | Address |
|---|---|---|
| DllRegisterServer | 1 | 0x180002380 |
| ItsnPq5v | 2 | 0x180002390 |
| QlqYo259k | 3 | 0x180017c20 |
| XeFnYZ409 | 4 | 0x1800175e0 |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 192.168.2.48.8.8.864906532039645 11/24/22-05:22:35.810533 | UDP | 2039645 | ET TROJAN Observed DNS Query to Ursnif Domain (gigimas .xyz) | 64906 | 53 | 192.168.2.4 | 8.8.8.8 |
| 192.168.2.48.8.8.861007532039645 11/24/22-05:20:02.978332 | UDP | 2039645 | ET TROJAN Observed DNS Query to Ursnif Domain (gigimas .xyz) | 61007 | 53 | 192.168.2.4 | 8.8.8.8 |
| 192.168.2.48.8.8.861124532039645 11/24/22-05:21:04.451832 | UDP | 2039645 | ET TROJAN Observed DNS Query to Ursnif Domain (gigimas .xyz) | 61124 | 53 | 192.168.2.4 | 8.8.8.8 |
| 192.168.2.48.8.8.859444532039645 11/24/22-05:21:34.871041 | UDP | 2039645 | ET TROJAN Observed DNS Query to Ursnif Domain (gigimas .xyz) | 59444 | 53 | 192.168.2.4 | 8.8.8.8 |
| 192.168.2.48.8.8.855570532039645 11/24/22-05:22:05.359167 | UDP | 2039645 | ET TROJAN Observed DNS Query to Ursnif Domain (gigimas .xyz) | 55570 | 53 | 192.168.2.4 | 8.8.8.8 |
| 192.168.2.48.8.8.860686532039645 11/24/22-05:20:33.386749 | UDP | 2039645 | ET TROJAN Observed DNS Query to Ursnif Domain (gigimas .xyz) | 60686 | 53 | 192.168.2.4 | 8.8.8.8 |
| 192.168.2.48.8.8.859446532039645 11/24/22-05:23:06.390786 | UDP | 2039645 | ET TROJAN Observed DNS Query to Ursnif Domain (gigimas .xyz) | 59446 | 53 | 192.168.2.4 | 8.8.8.8 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Nov 24, 2022 05:20:03.012599945 CET | 49706 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:20:03.012650967 CET | 443 | 49706 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:20:03.012737036 CET | 49706 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:20:03.016460896 CET | 49706 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:20:03.016508102 CET | 443 | 49706 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:20:03.072525024 CET | 443 | 49706 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:20:03.074080944 CET | 49707 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:20:03.074155092 CET | 443 | 49707 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:20:03.074337959 CET | 49707 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:20:03.075628996 CET | 49707 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:20:03.075655937 CET | 443 | 49707 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:20:03.131845951 CET | 443 | 49707 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:20:03.133225918 CET | 49708 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:20:03.133289099 CET | 443 | 49708 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:20:03.133398056 CET | 49708 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:20:03.134278059 CET | 49708 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:20:03.134324074 CET | 443 | 49708 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:20:03.191957951 CET | 443 | 49708 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:20:03.193757057 CET | 49709 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:20:03.193816900 CET | 443 | 49709 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:20:03.193898916 CET | 49709 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:20:03.194484949 CET | 49709 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:20:03.194506884 CET | 443 | 49709 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:20:03.250332117 CET | 443 | 49709 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:20:33.407180071 CET | 49710 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:20:33.407258034 CET | 443 | 49710 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:20:33.407423019 CET | 49710 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:20:33.408660889 CET | 49710 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:20:33.408710957 CET | 443 | 49710 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:20:33.463525057 CET | 443 | 49710 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:20:33.465197086 CET | 49711 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:20:33.465265036 CET | 443 | 49711 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:20:33.465380907 CET | 49711 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:20:33.466645002 CET | 49711 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:20:33.466680050 CET | 443 | 49711 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:20:33.522078991 CET | 443 | 49711 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:20:33.525345087 CET | 49712 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:20:33.525413036 CET | 443 | 49712 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:20:33.525672913 CET | 49712 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:20:33.526755095 CET | 49712 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:20:33.526801109 CET | 443 | 49712 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:20:33.582118988 CET | 443 | 49712 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:20:33.585807085 CET | 49713 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:20:33.585897923 CET | 443 | 49713 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:20:33.586055040 CET | 49713 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:20:33.586787939 CET | 49713 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:20:33.586810112 CET | 443 | 49713 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:20:33.641958952 CET | 443 | 49713 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:21:04.485233068 CET | 49714 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:21:04.485310078 CET | 443 | 49714 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:21:04.485480070 CET | 49714 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:21:04.486561060 CET | 49714 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:21:04.486601114 CET | 443 | 49714 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:21:04.541218996 CET | 443 | 49714 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:21:04.542530060 CET | 49715 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:21:04.542584896 CET | 443 | 49715 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:21:04.542787075 CET | 49715 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:21:04.543291092 CET | 49715 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:21:04.543320894 CET | 443 | 49715 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:21:04.598916054 CET | 443 | 49715 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:21:04.600245953 CET | 49716 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:21:04.600316048 CET | 443 | 49716 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:21:04.600423098 CET | 49716 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:21:04.600950003 CET | 49716 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:21:04.600979090 CET | 443 | 49716 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:21:04.668997049 CET | 443 | 49716 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:21:04.685195923 CET | 49717 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:21:04.685261965 CET | 443 | 49717 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:21:04.685632944 CET | 49717 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:21:04.686243057 CET | 49717 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:21:04.686269045 CET | 443 | 49717 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:21:04.742952108 CET | 443 | 49717 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:21:34.890145063 CET | 49718 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:21:34.890221119 CET | 443 | 49718 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:21:34.890311956 CET | 49718 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:21:34.891124010 CET | 49718 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:21:34.891169071 CET | 443 | 49718 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:21:34.949980021 CET | 443 | 49718 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:21:34.951565027 CET | 49719 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:21:34.951642990 CET | 443 | 49719 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:21:34.951733112 CET | 49719 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:21:34.952301979 CET | 49719 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:21:34.952337027 CET | 443 | 49719 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:21:35.007440090 CET | 443 | 49719 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:21:35.008912086 CET | 49720 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:21:35.008971930 CET | 443 | 49720 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:21:35.009077072 CET | 49720 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:21:35.009592056 CET | 49720 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:21:35.009608984 CET | 443 | 49720 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:21:35.066533089 CET | 443 | 49720 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:21:35.083612919 CET | 49721 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:21:35.083692074 CET | 443 | 49721 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:21:35.083832026 CET | 49721 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:21:35.084454060 CET | 49721 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:21:35.084505081 CET | 443 | 49721 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:21:35.141772032 CET | 443 | 49721 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:22:05.380898952 CET | 49722 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:22:05.380964041 CET | 443 | 49722 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:22:05.381064892 CET | 49722 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:22:05.382277966 CET | 49722 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:22:05.382314920 CET | 443 | 49722 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:22:05.438138962 CET | 443 | 49722 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:22:05.455518007 CET | 49723 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:22:05.455600977 CET | 443 | 49723 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:22:05.455710888 CET | 49723 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:22:05.458941936 CET | 49723 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:22:05.458985090 CET | 443 | 49723 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:22:05.514117002 CET | 443 | 49723 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:22:05.520054102 CET | 49724 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:22:05.520131111 CET | 443 | 49724 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:22:05.520246029 CET | 49724 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:22:05.521112919 CET | 49724 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:22:05.521135092 CET | 443 | 49724 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:22:05.579657078 CET | 443 | 49724 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:22:05.581623077 CET | 49725 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:22:05.581677914 CET | 443 | 49725 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:22:05.581792116 CET | 49725 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:22:05.582617998 CET | 49725 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:22:05.582637072 CET | 443 | 49725 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:22:05.638403893 CET | 443 | 49725 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:22:35.831705093 CET | 49726 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:22:35.831753016 CET | 443 | 49726 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:22:35.831830025 CET | 49726 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:22:35.832879066 CET | 49726 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:22:35.832906008 CET | 443 | 49726 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:22:35.888338089 CET | 443 | 49726 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:22:35.889817953 CET | 49727 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:22:35.889899969 CET | 443 | 49727 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:22:35.890064955 CET | 49727 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:22:35.890661955 CET | 49727 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:22:35.890711069 CET | 443 | 49727 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:22:35.947293997 CET | 443 | 49727 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:22:35.948555946 CET | 49728 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:22:35.948637009 CET | 443 | 49728 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:22:35.948796034 CET | 49728 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:22:35.949640989 CET | 49728 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:22:35.949681997 CET | 443 | 49728 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:22:36.007163048 CET | 443 | 49728 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:22:36.023938894 CET | 49729 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:22:36.023996115 CET | 443 | 49729 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:22:36.024108887 CET | 49729 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:22:36.025345087 CET | 49729 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:22:36.025382042 CET | 443 | 49729 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:22:36.080106020 CET | 443 | 49729 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:23:06.409924984 CET | 49730 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:23:06.409976006 CET | 443 | 49730 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:23:06.410056114 CET | 49730 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:23:06.411086082 CET | 49730 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:23:06.411104918 CET | 443 | 49730 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:23:06.465995073 CET | 443 | 49730 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:23:06.469316959 CET | 49731 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:23:06.469379902 CET | 443 | 49731 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:23:06.469492912 CET | 49731 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:23:06.470561028 CET | 49731 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:23:06.470582008 CET | 443 | 49731 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:23:06.525172949 CET | 443 | 49731 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:23:06.530029058 CET | 49732 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:23:06.530122042 CET | 443 | 49732 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:23:06.530237913 CET | 49732 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:23:06.531049967 CET | 49732 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:23:06.531092882 CET | 443 | 49732 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:23:06.586215019 CET | 443 | 49732 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:23:06.591008902 CET | 49733 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:23:06.591080904 CET | 443 | 49733 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:23:06.591201067 CET | 49733 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:23:06.592061043 CET | 49733 | 443 | 192.168.2.4 | 185.250.148.35 |
| Nov 24, 2022 05:23:06.592088938 CET | 443 | 49733 | 185.250.148.35 | 192.168.2.4 |
| Nov 24, 2022 05:23:06.646756887 CET | 443 | 49733 | 185.250.148.35 | 192.168.2.4 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Nov 24, 2022 05:20:02.978332043 CET | 61007 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 24, 2022 05:20:02.997380018 CET | 53 | 61007 | 8.8.8.8 | 192.168.2.4 |
| Nov 24, 2022 05:20:33.386749029 CET | 60686 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 24, 2022 05:20:33.404028893 CET | 53 | 60686 | 8.8.8.8 | 192.168.2.4 |
| Nov 24, 2022 05:21:04.451832056 CET | 61124 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 24, 2022 05:21:04.469230890 CET | 53 | 61124 | 8.8.8.8 | 192.168.2.4 |
| Nov 24, 2022 05:21:34.871041059 CET | 59444 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 24, 2022 05:21:34.888430119 CET | 53 | 59444 | 8.8.8.8 | 192.168.2.4 |
| Nov 24, 2022 05:22:05.359167099 CET | 55570 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 24, 2022 05:22:05.377713919 CET | 53 | 55570 | 8.8.8.8 | 192.168.2.4 |
| Nov 24, 2022 05:22:35.810533047 CET | 64906 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 24, 2022 05:22:35.829649925 CET | 53 | 64906 | 8.8.8.8 | 192.168.2.4 |
| Nov 24, 2022 05:23:06.390785933 CET | 59446 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 24, 2022 05:23:06.408032894 CET | 53 | 59446 | 8.8.8.8 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Nov 24, 2022 05:20:02.978332043 CET | 192.168.2.4 | 8.8.8.8 | 0x362c | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Nov 24, 2022 05:20:33.386749029 CET | 192.168.2.4 | 8.8.8.8 | 0x306e | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Nov 24, 2022 05:21:04.451832056 CET | 192.168.2.4 | 8.8.8.8 | 0xfd4e | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Nov 24, 2022 05:21:34.871041059 CET | 192.168.2.4 | 8.8.8.8 | 0xbb49 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Nov 24, 2022 05:22:05.359167099 CET | 192.168.2.4 | 8.8.8.8 | 0xe9a0 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Nov 24, 2022 05:22:35.810533047 CET | 192.168.2.4 | 8.8.8.8 | 0x374b | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Nov 24, 2022 05:23:06.390785933 CET | 192.168.2.4 | 8.8.8.8 | 0x8724 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Nov 24, 2022 05:20:02.997380018 CET | 8.8.8.8 | 192.168.2.4 | 0x362c | No error (0) | 185.250.148.35 | A (IP address) | IN (0x0001) | false | ||
| Nov 24, 2022 05:20:33.404028893 CET | 8.8.8.8 | 192.168.2.4 | 0x306e | No error (0) | 185.250.148.35 | A (IP address) | IN (0x0001) | false | ||
| Nov 24, 2022 05:21:04.469230890 CET | 8.8.8.8 | 192.168.2.4 | 0xfd4e | No error (0) | 185.250.148.35 | A (IP address) | IN (0x0001) | false | ||
| Nov 24, 2022 05:21:34.888430119 CET | 8.8.8.8 | 192.168.2.4 | 0xbb49 | No error (0) | 185.250.148.35 | A (IP address) | IN (0x0001) | false | ||
| Nov 24, 2022 05:22:05.377713919 CET | 8.8.8.8 | 192.168.2.4 | 0xe9a0 | No error (0) | 185.250.148.35 | A (IP address) | IN (0x0001) | false | ||
| Nov 24, 2022 05:22:35.829649925 CET | 8.8.8.8 | 192.168.2.4 | 0x374b | No error (0) | 185.250.148.35 | A (IP address) | IN (0x0001) | false | ||
| Nov 24, 2022 05:23:06.408032894 CET | 8.8.8.8 | 192.168.2.4 | 0x8724 | No error (0) | 185.250.148.35 | A (IP address) | IN (0x0001) | false |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 05:19:01 |
| Start date: | 24/11/2022 |
| Path: | C:\Windows\System32\loaddll64.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff72b830000 |
| File size: | 139776 bytes |
| MD5 hash: | C676FC0263EDD17D4CE7D644B8F3FCD6 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Target ID: | 1 |
| Start time: | 05:19:02 |
| Start date: | 24/11/2022 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7c72c0000 |
| File size: | 625664 bytes |
| MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Target ID: | 2 |
| Start time: | 05:19:02 |
| Start date: | 24/11/2022 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff632260000 |
| File size: | 273920 bytes |
| MD5 hash: | 4E2ACF4F8A396486AB4268C94A6A245F |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Target ID: | 3 |
| Start time: | 05:19:02 |
| Start date: | 24/11/2022 |
| Path: | C:\Windows\System32\regsvr32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff762150000 |
| File size: | 24064 bytes |
| MD5 hash: | D78B75FC68247E8A63ACBA846182740E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Target ID: | 4 |
| Start time: | 05:19:02 |
| Start date: | 24/11/2022 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff736ed0000 |
| File size: | 69632 bytes |
| MD5 hash: | 73C519F050C20580F8A62C849D49215A |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Target ID: | 5 |
| Start time: | 05:19:02 |
| Start date: | 24/11/2022 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff736ed0000 |
| File size: | 69632 bytes |
| MD5 hash: | 73C519F050C20580F8A62C849D49215A |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Target ID: | 6 |
| Start time: | 05:19:07 |
| Start date: | 24/11/2022 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff736ed0000 |
| File size: | 69632 bytes |
| MD5 hash: | 73C519F050C20580F8A62C849D49215A |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Target ID: | 9 |
| Start time: | 05:19:12 |
| Start date: | 24/11/2022 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff736ed0000 |
| File size: | 69632 bytes |
| MD5 hash: | 73C519F050C20580F8A62C849D49215A |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Target ID: | 11 |
| Start time: | 05:19:18 |
| Start date: | 24/11/2022 |
| Path: | C:\Windows\System32\WerFault.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff69db50000 |
| File size: | 494488 bytes |
| MD5 hash: | 2AFFE478D86272288BBEF5A00BBEF6A0 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Target ID: | 12 |
| Start time: | 05:19:23 |
| Start date: | 24/11/2022 |
| Path: | C:\Windows\System32\WerFault.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff69db50000 |
| File size: | 494488 bytes |
| MD5 hash: | 2AFFE478D86272288BBEF5A00BBEF6A0 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Target ID: | 13 |
| Start time: | 05:19:27 |
| Start date: | 24/11/2022 |
| Path: | C:\Windows\System32\WerFault.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff69db50000 |
| File size: | 494488 bytes |
| MD5 hash: | 2AFFE478D86272288BBEF5A00BBEF6A0 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Target ID: | 14 |
| Start time: | 05:19:42 |
| Start date: | 24/11/2022 |
| Path: | C:\Windows\System32\WerFault.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff69db50000 |
| File size: | 494488 bytes |
| MD5 hash: | 2AFFE478D86272288BBEF5A00BBEF6A0 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
Execution Graph
| Execution Coverage: | 10.1% |
| Dynamic/Decrypted Code Coverage: | 43.7% |
| Signature Coverage: | 24.5% |
| Total number of Nodes: | 1467 |
| Total number of Limit Nodes: | 28 |
Graph
Function 0000027ED37137E0 Relevance: 10.8, APIs: 7, Instructions: 333memoryregistryCOMMONCrypto
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 38% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C0711F0 Relevance: 4.7, APIs: 3, Instructions: 157memoryfileCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 23% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000027ED371A0AC Relevance: 3.1, APIs: 2, Instructions: 105filenativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C076D50 Relevance: 1.4, APIs: 1, Instructions: 190memoryCOMMONCrypto
Download Yara Rule
| C-Code - Quality: 60% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C075840 Relevance: .2, Instructions: 238COMMONCrypto
Download Yara Rule
| C-Code - Quality: 59% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C072380 Relevance: 17.9, APIs: 4, Strings: 6, Instructions: 434memoryCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 40% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000027ED3714DB4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102memoryCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 34% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C087C20 Relevance: 7.7, APIs: 5, Instructions: 219memoryfileCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 35% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C08A4A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 128memoryfileCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 58% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C072A70 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 159memoryCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 50% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000027ED371A7A0 Relevance: 6.1, APIs: 4, Instructions: 88memorysynchronizationCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 29% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C089F80 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 248pipeCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 35% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C074820 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 221libraryCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 93% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C07D734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 52% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C080CF8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 65% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C07A970 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 247synchronizationCOMMON
Download Yara Rule
| C-Code - Quality: 66% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 29% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C07E154 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE
Download Yara Rule
| C-Code - Quality: 37% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 73% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 55% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 41% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 71% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C074C80 Relevance: 19.8, APIs: 9, Strings: 2, Instructions: 565filelibrarymemoryCOMMONCrypto
Download Yara Rule
| C-Code - Quality: 76% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000027ED3716DF0 Relevance: 15.3, APIs: 7, Strings: 3, Instructions: 303memoryCOMMONCrypto
Download Yara Rule
| C-Code - Quality: 35% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000027ED3715638 Relevance: 11.5, APIs: 9, Instructions: 252memoryCOMMONCrypto
Download Yara Rule
| C-Code - Quality: 15% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C07E374 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE
Download Yara Rule
| C-Code - Quality: 65% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000027ED3717FD4 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 170memoryCOMMONCrypto
Download Yara Rule
| C-Code - Quality: 38% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C07F964 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMONCrypto
Download Yara Rule
| C-Code - Quality: 64% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000027ED37131C0 Relevance: 3.9, APIs: 3, Instructions: 195memoryCOMMONCrypto
Download Yara Rule
| C-Code - Quality: 24% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000027ED371204C Relevance: 3.9, APIs: 3, Instructions: 163memoryCOMMONCrypto
Download Yara Rule
| C-Code - Quality: 31% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000027ED37134A4 Relevance: 3.9, APIs: 3, Instructions: 160memoryCOMMONCrypto
Download Yara Rule
| C-Code - Quality: 29% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C079BA0 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 315threadCOMMONCrypto
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C0790B0 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 263COMMONCrypto
Download Yara Rule
| C-Code - Quality: 30% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C07FB70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C08B9B0 Relevance: 3.3, APIs: 2, Instructions: 285libraryloaderCOMMONCrypto
Download Yara Rule
| C-Code - Quality: 56% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C08F8F0 Relevance: 3.2, Strings: 2, Instructions: 737COMMONCrypto
Download Yara Rule
| C-Code - Quality: 75% |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C086808 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000027ED3713CD8 Relevance: 2.7, Strings: 2, Instructions: 174COMMONCrypto
Download Yara Rule
| C-Code - Quality: 31% |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C0776E0 Relevance: 1.8, Strings: 1, Instructions: 555COMMONCrypto
Download Yara Rule
| C-Code - Quality: 75% |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 50% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 87% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C0783C0 Relevance: 1.7, Strings: 1, Instructions: 408COMMONCrypto
Download Yara Rule
| C-Code - Quality: 23% |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C090D70 Relevance: 1.6, Strings: 1, Instructions: 375COMMONCrypto
Download Yara Rule
| C-Code - Quality: 96% |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C0898F0 Relevance: 1.6, Strings: 1, Instructions: 313COMMONCrypto
Download Yara Rule
| C-Code - Quality: 41% |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000027ED3719D6C Relevance: 1.5, APIs: 1, Instructions: 210memoryCOMMONCrypto
Download Yara Rule
| C-Code - Quality: 67% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C07DCAC Relevance: 1.4, Strings: 1, Instructions: 139COMMONLIBRARYCODECrypto
Download Yara Rule
| C-Code - Quality: 53% |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000027ED371A918 Relevance: .6, Instructions: 616COMMONCrypto
Download Yara Rule
| C-Code - Quality: 56% |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C075CC0 Relevance: .6, Instructions: 614COMMONCrypto
Download Yara Rule
| C-Code - Quality: 57% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C08B370 Relevance: .3, Instructions: 345COMMONCrypto
Download Yara Rule
| C-Code - Quality: 96% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C088D50 Relevance: .3, Instructions: 341COMMONCrypto
Download Yara Rule
| C-Code - Quality: 96% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C071520 Relevance: .3, Instructions: 330COMMONCrypto
Download Yara Rule
| C-Code - Quality: 98% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C0742A0 Relevance: .3, Instructions: 302COMMONCrypto
Download Yara Rule
| C-Code - Quality: 96% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C076820 Relevance: .3, Instructions: 259COMMONCrypto
Download Yara Rule
| C-Code - Quality: 57% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C08F290 Relevance: .2, Instructions: 221COMMONCrypto
Download Yara Rule
| C-Code - Quality: 98% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C071B10 Relevance: .2, Instructions: 200COMMONCrypto
Download Yara Rule
| C-Code - Quality: 35% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C0875E0 Relevance: .2, Instructions: 181COMMONCrypto
Download Yara Rule
| C-Code - Quality: 100% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000027ED3714540 Relevance: .2, Instructions: 177COMMONCrypto
Download Yara Rule
| C-Code - Quality: 55% |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C0865F0 Relevance: .0, Instructions: 32COMMON
Download Yara Rule
| C-Code - Quality: 86% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C07E9E0 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 197COMMON
Download Yara Rule
| C-Code - Quality: 87% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 39% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 86% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000027ED3711BFC Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 216memoryCOMMON
Download Yara Rule
| C-Code - Quality: 17% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C07D47C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 46% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 20% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C07F320 Relevance: 7.6, APIs: 5, Instructions: 114libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| C-Code - Quality: 36% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 32% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C086400 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE
Download Yara Rule
| C-Code - Quality: 85% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C084898 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100fileCOMMON
Download Yara Rule
| C-Code - Quality: 16% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 19% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000027ED3712DC4 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 192memoryCOMMON
Download Yara Rule
| C-Code - Quality: 41% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 87% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C07F0D4 Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE
Download Yara Rule
| C-Code - Quality: 68% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003D37E0 Relevance: 10.8, APIs: 7, Instructions: 333memoryregistryCOMMONCrypto
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 50% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C076D50 Relevance: 1.4, APIs: 1, Instructions: 190memoryCOMMONCrypto
Download Yara Rule
| C-Code - Quality: 60% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C072380 Relevance: 17.9, APIs: 4, Strings: 6, Instructions: 434memoryCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 40% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003D4DB4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102memoryCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 59% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C087C20 Relevance: 7.7, APIs: 5, Instructions: 219memoryfileCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 35% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C08A4A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 128memoryfileCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 58% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C072A70 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 159memoryCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 50% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003DA7A0 Relevance: 6.1, APIs: 4, Instructions: 88memorysynchronizationCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 30% |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C089F80 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 248pipeCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 35% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C074820 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 221libraryCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 93% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C0711F0 Relevance: 4.7, APIs: 3, Instructions: 157filememoryCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 23% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 65% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C07A970 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 247synchronizationCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 66% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003D40F8 Relevance: 2.6, APIs: 2, Instructions: 131memoryCOMMON
Download Yara Rule
| C-Code - Quality: 16% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003D5FC8 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON
Download Yara Rule
| C-Code - Quality: 31% |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 71% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C07E26C Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE
Download Yara Rule
| C-Code - Quality: 37% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003D6958 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON
Download Yara Rule
| C-Code - Quality: 92% |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 55% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 41% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 71% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003D6DF0 Relevance: 15.3, APIs: 7, Strings: 3, Instructions: 303memoryCOMMONCrypto
Download Yara Rule
| C-Code - Quality: 36% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 28% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C07E374 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE
Download Yara Rule
| C-Code - Quality: 65% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003D7FD4 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 170memoryCOMMONCrypto
Download Yara Rule
| C-Code - Quality: 46% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C07F964 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMONCrypto
Download Yara Rule
| C-Code - Quality: 64% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C07E9E0 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 197COMMON
Download Yara Rule
| C-Code - Quality: 87% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 39% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 86% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003D1BFC Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 216memoryCOMMON
Download Yara Rule
| C-Code - Quality: 32% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C07D47C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 46% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 20% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C07F320 Relevance: 7.6, APIs: 5, Instructions: 114libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| C-Code - Quality: 36% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 32% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C086400 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE
Download Yara Rule
| C-Code - Quality: 85% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C084898 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100fileCOMMON
Download Yara Rule
| C-Code - Quality: 16% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003DA238 Relevance: 6.4, APIs: 5, Instructions: 127memoryCOMMON
Download Yara Rule
| C-Code - Quality: 22% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003D2DC4 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 192memoryCOMMON
Download Yara Rule
| C-Code - Quality: 40% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 87% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C07F0D4 Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE
Download Yara Rule
| C-Code - Quality: 68% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C07D734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMON
Download Yara Rule
| C-Code - Quality: 52% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C080CF8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003D5EE8 Relevance: 5.1, APIs: 4, Instructions: 64memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000021DD9335638 Relevance: 15.3, APIs: 10, Instructions: 252memoryCOMMONCrypto
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 17% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000021DD93337E0 Relevance: 12.3, APIs: 8, Instructions: 333memoryregistryinjectionCOMMONCrypto
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 39% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000021DD93331C0 Relevance: 3.9, APIs: 3, Instructions: 195memoryCOMMONCrypto
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 24% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000021DD933A0AC Relevance: 3.1, APIs: 2, Instructions: 105filenativeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000021DD9339D6C Relevance: 1.5, APIs: 1, Instructions: 210memoryCOMMONCrypto
Download Yara Rule
| C-Code - Quality: 67% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000021DD9331BFC Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 216memoryCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 17% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000021DD9334DB4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102memoryCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 34% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 19% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000021DD9332DC4 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 192memoryCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 41% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000021DD9337CF4 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 94memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000021DD933A7A0 Relevance: 4.6, APIs: 3, Instructions: 88memorysynchronizationCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 19% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 59% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 54% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 29% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 24% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 37% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 73% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 66% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 25% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000021DD9336DF0 Relevance: 15.3, APIs: 7, Strings: 3, Instructions: 303memoryCOMMONCrypto
Download Yara Rule
| C-Code - Quality: 35% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000021DD9337FD4 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 170memoryCOMMONCrypto
Download Yara Rule
| C-Code - Quality: 38% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000001F71CC037E0 Relevance: 10.8, APIs: 7, Instructions: 333memoryregistryCOMMONCrypto
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 38% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000001F71CC0A0AC Relevance: 3.1, APIs: 2, Instructions: 105filenativeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000001F71CC04DB4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102memoryCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 34% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000001F71CC0A7A0 Relevance: 6.1, APIs: 4, Instructions: 88memorysynchronizationCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 29% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 29% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 73% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000001F71CC06DF0 Relevance: 15.3, APIs: 7, Strings: 3, Instructions: 303memoryCOMMONCrypto
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 35% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000001F71CC05638 Relevance: 11.5, APIs: 9, Instructions: 252memoryCOMMONCrypto
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 15% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000001F71CC07FD4 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 170memoryCOMMONCrypto
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 38% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000001F71CC01BFC Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 216memoryCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 17% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 19% |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000001F71CC02DC4 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 192memoryCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 41% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C07D734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 52% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 65% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 71% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C07E26C Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 37% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C07E374 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE
Download Yara Rule
| C-Code - Quality: 65% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C07F964 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMONCrypto
Download Yara Rule
| C-Code - Quality: 64% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C07E9E0 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 197COMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 87% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C072380 Relevance: 17.9, APIs: 4, Strings: 6, Instructions: 434memoryCOMMON
Download Yara Rule
| C-Code - Quality: 40% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 39% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 86% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C07D47C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 46% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 20% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C07F320 Relevance: 7.6, APIs: 5, Instructions: 114libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| C-Code - Quality: 36% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 32% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C086400 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE
Download Yara Rule
| C-Code - Quality: 85% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C08A4A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 128memoryfileCOMMON
Download Yara Rule
| C-Code - Quality: 58% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C084898 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100fileCOMMON
Download Yara Rule
| C-Code - Quality: 16% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 87% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C072A70 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 159memoryCOMMON
Download Yara Rule
| C-Code - Quality: 50% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C07F0D4 Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE
Download Yara Rule
| C-Code - Quality: 68% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C089F80 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 248pipeCOMMON
Download Yara Rule
| C-Code - Quality: 35% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C074820 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 221libraryCOMMON
Download Yara Rule
| C-Code - Quality: 93% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF88C080CF8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |